Malware Analysis Report

2025-01-02 06:55

Sample ID 241129-kqh78swmcv
Target r8p(4).exe
SHA256 f18f14ec50247a31a03a220e132f9317e2ac12e3905e500ba046d394575b66ee
Tags
discovery defense_evasion evasion execution persistence privilege_escalation pyinstaller r77
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral17

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral18

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral32

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral13

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral15

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral30

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral31

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral16

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral23

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral24

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral21

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral25

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral28

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral19

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral20

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral12

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral27

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral14

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral22

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral26

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral29

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f18f14ec50247a31a03a220e132f9317e2ac12e3905e500ba046d394575b66ee

Threat Level: Known bad

The file r8p(4).exe was found to be: Known bad.

Malicious Activity Summary

discovery defense_evasion evasion execution persistence privilege_escalation pyinstaller r77

r77 rootkit payload

Modifies security service

Modifies firewall policy service

R77 family

Command and Scripting Interpreter: PowerShell

Event Triggered Execution: Image File Execution Options Injection

Loads dropped DLL

Event Triggered Execution: Component Object Model Hijacking

Indicator Removal: Clear Windows Event Logs

Executes dropped EXE

Checks installed software on the system

Drops desktop.ini file(s)

Drops file in System32 directory

Drops file in Windows directory

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Unsigned PE

Detects Pyinstaller

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Modifies registry class

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Suspicious behavior: LoadsDriver

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-29 08:49

Signatures

R77 family

r77

r77 rootkit payload

Description Indicator Process Target
N/A N/A N/A N/A

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-11-29 08:48

Reported

2024-11-29 08:54

Platform

win11-20241007-en

Max time kernel

144s

Max time network

154s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Styles\W7Basic-W11\shell\NormalColor\en-US\shellstyle.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Styles\W7Basic-W11\shell\NormalColor\en-US\shellstyle.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-11-29 08:48

Reported

2024-11-29 08:54

Platform

win11-20241007-en

Max time kernel

84s

Max time network

95s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Styles\W7Basic-W11\shell\NormalColor\shellstyle.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Styles\W7Basic-W11\shell\NormalColor\shellstyle.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral32

Detonation Overview

Submitted

2024-11-29 08:48

Reported

2024-11-29 08:54

Platform

win11-20241007-en

Max time kernel

88s

Max time network

101s

Command Line

"C:\Users\Admin\AppData\Local\Temp\windhawk.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\windhawk.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\windhawk.exe

"C:\Users\Admin\AppData\Local\Temp\windhawk.exe"

Network

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-11-29 08:48

Reported

2024-11-29 08:54

Platform

win11-20241007-en

Max time kernel

82s

Max time network

93s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Styles\W7Aero-Redstone\style.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Styles\W7Aero-Redstone\style.dll,#1

Network

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-11-29 08:48

Reported

2024-11-29 08:54

Platform

win11-20241007-en

Max time kernel

146s

Max time network

158s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Styles\W7Aero-W11\style.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Styles\W7Aero-W11\style.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-11-29 08:48

Reported

2024-11-29 08:53

Platform

win11-20241007-en

Max time kernel

84s

Max time network

95s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Styles\W7Basic-Redstone\shell\NormalColor\shellstyle.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Styles\W7Basic-Redstone\shell\NormalColor\shellstyle.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral30

Detonation Overview

Submitted

2024-11-29 08:48

Reported

2024-11-29 08:54

Platform

win11-20241007-en

Max time kernel

86s

Max time network

94s

Command Line

"C:\Users\Admin\AppData\Local\Temp\instextras.exe"

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\instextras.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\instextras.exe

"C:\Users\Admin\AppData\Local\Temp\instextras.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nszAB54.tmp\Aero.dll

C:\Users\Admin\AppData\Local\Temp\nszAB54.tmp\Crypto.dll

C:\Users\Admin\AppData\Local\Temp\nszAB54.tmp\nsDialogs.dll

C:\Users\Admin\AppData\Local\Temp\nszAB54.tmp\System.dll

Analysis: behavioral31

Detonation Overview

Submitted

2024-11-29 08:48

Reported

2024-11-29 08:53

Platform

win11-20241007-en

Max time kernel

146s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\sym.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\sym.exe

"C:\Users\Admin\AppData\Local\Temp\sym.exe"

C:\Users\Admin\AppData\Local\Temp\sym.exe

"C:\Users\Admin\AppData\Local\Temp\sym.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\_MEI19762\python311.dll

C:\Users\Admin\AppData\Local\Temp\_MEI19762\VCRUNTIME140.dll

C:\Users\Admin\AppData\Local\Temp\_MEI19762\base_library.zip

C:\Users\Admin\AppData\Local\Temp\_MEI19762\_ssl.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI19762\_uuid.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI19762\_hashlib.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI19762\libcrypto-3.dll

C:\Users\Admin\AppData\Local\Temp\_MEI19762\select.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI19762\_lzma.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI19762\_bz2.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI19762\_socket.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI19762\libssl-3.dll

C:\Users\Admin\AppData\Local\Temp\_MEI19762\_decimal.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI19762\unicodedata.pyd

Analysis: behavioral8

Detonation Overview

Submitted

2024-11-29 08:48

Reported

2024-11-29 08:53

Platform

win11-20241007-en

Max time kernel

142s

Max time network

157s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Styles\W7Aero-Redstone\shell\NormalColor\en-US\shellstyle.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Styles\W7Aero-Redstone\shell\NormalColor\en-US\shellstyle.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-11-29 08:48

Reported

2024-11-29 08:53

Platform

win11-20241007-en

Max time kernel

146s

Max time network

160s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Styles\W7Basic-Redstone\style.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Styles\W7Basic-Redstone\style.dll,#1

Network

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-11-29 08:48

Reported

2024-11-29 08:54

Platform

win11-20241007-en

Max time kernel

82s

Max time network

97s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Styles\W7Dark2-Redstone\shell\NormalColor\shellstyle.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Styles\W7Dark2-Redstone\shell\NormalColor\shellstyle.dll,#1

Network

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-11-29 08:48

Reported

2024-11-29 08:54

Platform

win11-20241007-en

Max time kernel

145s

Max time network

157s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Styles\W7Dark2-Redstone\style.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Styles\W7Dark2-Redstone\style.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-29 08:48

Reported

2024-11-29 08:53

Platform

win11-20241007-en

Max time kernel

84s

Max time network

95s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Styles\Vista-Redstone\style.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Styles\Vista-Redstone\style.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2024-11-29 08:48

Reported

2024-11-29 08:54

Platform

win11-20241007-en

Max time kernel

85s

Max time network

102s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Styles\W7Classic-W11\style.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Styles\W7Classic-W11\style.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2024-11-29 08:48

Reported

2024-11-29 08:53

Platform

win11-20241007-en

Max time kernel

144s

Max time network

161s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Styles\W7Dark2-W11\shell\NormalColor\en-US\shellstyle.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Styles\W7Dark2-W11\shell\NormalColor\en-US\shellstyle.dll,#1

Network

Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted

2024-11-29 08:48

Reported

2024-11-29 08:54

Platform

win11-20241007-en

Max time kernel

149s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ThemeSwitcher.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ThemeSwitcher.exe

"C:\Users\Admin\AppData\Local\Temp\ThemeSwitcher.exe"

Network

Files

memory/4580-0-0x00007FFA9E893000-0x00007FFA9E895000-memory.dmp

memory/4580-1-0x00000000001C0000-0x00000000001F6000-memory.dmp

memory/4580-2-0x00007FFA9E890000-0x00007FFA9F352000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme

C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme

C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme

C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme

memory/4580-708-0x00007FFA9E890000-0x00007FFA9F352000-memory.dmp

memory/4580-757-0x00007FFA9E893000-0x00007FFA9E895000-memory.dmp

memory/4580-758-0x00007FFA9E890000-0x00007FFA9F352000-memory.dmp

Analysis: behavioral7

Detonation Overview

Submitted

2024-11-29 08:48

Reported

2024-11-29 08:54

Platform

win11-20241007-en

Max time kernel

146s

Max time network

159s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Styles\Vista-W11\style.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Styles\Vista-W11\style.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-11-29 08:48

Reported

2024-11-29 08:54

Platform

win11-20241007-en

Max time kernel

84s

Max time network

94s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Styles\W7Aero-Redstone\shell\NormalColor\shellstyle.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Styles\W7Aero-Redstone\shell\NormalColor\shellstyle.dll,#1

Network

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-11-29 08:48

Reported

2024-11-29 08:54

Platform

win11-20241007-en

Max time kernel

145s

Max time network

155s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Styles\W7Basic-W11\style.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Styles\W7Basic-W11\style.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-11-29 08:48

Reported

2024-11-29 08:53

Platform

win11-20241007-en

Max time kernel

84s

Max time network

97s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Styles\W7Classic-Redstone\style.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Styles\W7Classic-Redstone\style.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-11-29 08:48

Reported

2024-11-29 08:53

Platform

win11-20241007-en

Max time kernel

140s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Styles\W7Aero-W11\shell\NormalColor\en-US\shellstyle.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Styles\W7Aero-W11\shell\NormalColor\en-US\shellstyle.dll,#1

Network

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-11-29 08:48

Reported

2024-11-29 08:54

Platform

win11-20241007-en

Max time kernel

85s

Max time network

96s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Styles\W7Aero-W11\shell\NormalColor\shellstyle.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Styles\W7Aero-W11\shell\NormalColor\shellstyle.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2024-11-29 08:48

Reported

2024-11-29 08:53

Platform

win11-20241007-en

Max time kernel

143s

Max time network

156s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Styles\W7Dark2-W11\style.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Styles\W7Dark2-W11\style.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-29 08:48

Reported

2024-11-29 09:08

Platform

win11-20241007-en

Max time kernel

1051s

Max time network

445s

Command Line

winlogon.exe

Signatures

Modifies firewall policy service

Note: every write in this table is made by C:\Windows\system32\svchost.exe, the host of the Windows Firewall service, and every rule carries an AppPkgId for the StartMenuExperienceHost package. These are AppContainer-scoped rules (the RestrictedServices\AppIso\FirewallRules keys hold per-package rules), not host-wide allow rules, and no row is attributed to r8p(4).exe or sym.exe.

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\AppIso\FirewallRules\{6EF4679F-6D06-4376-A0A5-7A826C6B4544} = "v2.31|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Profile=Public|RA42=IntrAnet|RA62=IntrAnet|Name=@{Microsoft.Windows.StartMenuExperienceHost_10.0.22000.37_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.StartMenuExperienceHost/StartMenuExperienceHost/PkgDisplayName}|Desc=@{Microsoft.Windows.StartMenuExperienceHost_10.0.22000.37_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.StartMenuExperienceHost/StartMenuExperienceHost/PkgDisplayName}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-3)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-3587106988-279496464-3440778474-1000|AppPkgId=S-1-15-2-515815643-2845804217-1874292103-218650560-777617685-4287762684-137415000|EmbedCtxt=@{Microsoft.Windows.StartMenuExperienceHost_10.0.22000.37_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.StartMenuExperienceHost/StartMenuExperienceHost/PkgDisplayName}|" C:\Windows\system32\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\AppIso\FirewallRules\{EF559C60-57C3-4BAB-BC86-68F96A3C7681} = "v2.31|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|RA42=IntrAnet|RA62=IntrAnet|Name=@{Microsoft.Windows.StartMenuExperienceHost_10.0.22000.37_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.StartMenuExperienceHost/StartMenuExperienceHost/PkgDisplayName}|Desc=@{Microsoft.Windows.StartMenuExperienceHost_10.0.22000.37_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.StartMenuExperienceHost/StartMenuExperienceHost/PkgDisplayName}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-3)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-3587106988-279496464-3440778474-1000|AppPkgId=S-1-15-2-515815643-2845804217-1874292103-218650560-777617685-4287762684-137415000|EmbedCtxt=@{Microsoft.Windows.StartMenuExperienceHost_10.0.22000.37_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.StartMenuExperienceHost/StartMenuExperienceHost/PkgDisplayName}|" C:\Windows\system32\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\AppIso\FirewallRules\{E42763C8-14B3-440A-9AF8-9AA1F467552E} = "v2.31|Action=Allow|Active=TRUE|Dir=In|Profile=Private|Profile=Public|RA42=RmtIntrAnet|RA62=RmtIntrAnet|Name=@{Microsoft.Windows.StartMenuExperienceHost_10.0.22000.37_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.StartMenuExperienceHost/StartMenuExperienceHost/PkgDisplayName}|Desc=@{Microsoft.Windows.StartMenuExperienceHost_10.0.22000.37_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.StartMenuExperienceHost/StartMenuExperienceHost/PkgDisplayName}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-3)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-3587106988-279496464-3440778474-1000|AppPkgId=S-1-15-2-515815643-2845804217-1874292103-218650560-777617685-4287762684-137415000|EmbedCtxt=@{Microsoft.Windows.StartMenuExperienceHost_10.0.22000.37_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.StartMenuExperienceHost/StartMenuExperienceHost/PkgDisplayName}|Security=Authenticate|" C:\Windows\system32\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\AppIso\FirewallRules\{AE519E9D-103E-4FA5-9D0F-F148FDE26CDD} = "v2.31|Action=Allow|Active=TRUE|Dir=Out|Profile=Private|Profile=Public|RA42=RmtIntrAnet|RA62=RmtIntrAnet|Name=@{Microsoft.Windows.StartMenuExperienceHost_10.0.22000.37_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.StartMenuExperienceHost/StartMenuExperienceHost/PkgDisplayName}|Desc=@{Microsoft.Windows.StartMenuExperienceHost_10.0.22000.37_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.StartMenuExperienceHost/StartMenuExperienceHost/PkgDisplayName}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-3)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-3587106988-279496464-3440778474-1000|AppPkgId=S-1-15-2-515815643-2845804217-1874292103-218650560-777617685-4287762684-137415000|EmbedCtxt=@{Microsoft.Windows.StartMenuExperienceHost_10.0.22000.37_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.StartMenuExperienceHost/StartMenuExperienceHost/PkgDisplayName}|Security=Authenticate|" C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\AppIso\FirewallRules C:\Windows\system32\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\AppIso\FirewallRules\{A133FF5E-DC82-4F5A-B2BA-ACB59C0F1621} = "v2.31|Action=Block|Active=TRUE|Dir=In|Name=@{Microsoft.Windows.StartMenuExperienceHost_10.0.22000.37_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.StartMenuExperienceHost/StartMenuExperienceHost/PkgDisplayName}|Desc=@{Microsoft.Windows.StartMenuExperienceHost_10.0.22000.37_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.StartMenuExperienceHost/StartMenuExperienceHost/PkgDisplayName}|LUOwn=S-1-5-21-3587106988-279496464-3440778474-1000|AppPkgId=S-1-15-2-515815643-2845804217-1874292103-218650560-777617685-4287762684-137415000|EmbedCtxt=@{Microsoft.Windows.StartMenuExperienceHost_10.0.22000.37_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.StartMenuExperienceHost/StartMenuExperienceHost/PkgDisplayName}|" C:\Windows\system32\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\AppIso\FirewallRules\{BAA6A174-ECD1-4C14-B7C0-8A6B49A0FB9F} = "v2.31|Action=Block|Active=TRUE|Dir=Out|Name=@{Microsoft.Windows.StartMenuExperienceHost_10.0.22000.37_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.StartMenuExperienceHost/StartMenuExperienceHost/PkgDisplayName}|Desc=@{Microsoft.Windows.StartMenuExperienceHost_10.0.22000.37_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.StartMenuExperienceHost/StartMenuExperienceHost/PkgDisplayName}|LUOwn=S-1-5-21-3587106988-279496464-3440778474-1000|AppPkgId=S-1-15-2-515815643-2845804217-1874292103-218650560-777617685-4287762684-137415000|EmbedCtxt=@{Microsoft.Windows.StartMenuExperienceHost_10.0.22000.37_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.StartMenuExperienceHost/StartMenuExperienceHost/PkgDisplayName}|" C:\Windows\system32\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\AppIso\FirewallRules\{17FCB4D4-7546-4AB8-8AB8-5A0B919280BB} = "v2.31|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|RA42=IntErnet|RA62=IntErnet|Name=@{Microsoft.Windows.StartMenuExperienceHost_10.0.22000.37_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.StartMenuExperienceHost/StartMenuExperienceHost/PkgDisplayName}|Desc=@{Microsoft.Windows.StartMenuExperienceHost_10.0.22000.37_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.StartMenuExperienceHost/StartMenuExperienceHost/PkgDisplayName}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-1)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-3587106988-279496464-3440778474-1000|AppPkgId=S-1-15-2-515815643-2845804217-1874292103-218650560-777617685-4287762684-137415000|EmbedCtxt=@{Microsoft.Windows.StartMenuExperienceHost_10.0.22000.37_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.StartMenuExperienceHost/StartMenuExperienceHost/PkgDisplayName}|" C:\Windows\system32\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{67B49050-B8AF-4EA7-BAF8-896F755F7F22} = "v2.31|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.StartMenuExperienceHost_10.0.22000.37_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.StartMenuExperienceHost/StartMenuExperienceHost/PkgDisplayName}|Desc=@{Microsoft.Windows.StartMenuExperienceHost_10.0.22000.37_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.StartMenuExperienceHost/StartMenuExperienceHost/PkgDisplayName}|LUOwn=S-1-5-21-3587106988-279496464-3440778474-1000|AppPkgId=S-1-15-2-515815643-2845804217-1874292103-218650560-777617685-4287762684-137415000|EmbedCtxt=@{Microsoft.Windows.StartMenuExperienceHost_10.0.22000.37_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.StartMenuExperienceHost/StartMenuExperienceHost/PkgDisplayName}|Platform=2:6:2|Platform2=GTEQ|" C:\Windows\system32\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{4E4F5702-BAE2-457F-A569-A4E83ED7A71D} = "v2.31|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Name=@{Microsoft.Windows.StartMenuExperienceHost_10.0.22000.37_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.StartMenuExperienceHost/StartMenuExperienceHost/PkgDisplayName}|Desc=@{Microsoft.Windows.StartMenuExperienceHost_10.0.22000.37_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.StartMenuExperienceHost/StartMenuExperienceHost/PkgDisplayName}|LUOwn=S-1-5-21-3587106988-279496464-3440778474-1000|AppPkgId=S-1-15-2-515815643-2845804217-1874292103-218650560-777617685-4287762684-137415000|EmbedCtxt=@{Microsoft.Windows.StartMenuExperienceHost_10.0.22000.37_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.StartMenuExperienceHost/StartMenuExperienceHost/PkgDisplayName}|Platform=2:6:2|Platform2=GTEQ|" C:\Windows\system32\svchost.exe N/A

Modifies security service

Note: the mpssvc AppCs record lists the capabilities (C=) granted to the same StartMenuExperienceHost package; S-1-15-3-1 is internetClient and S-1-15-3-3 is privateNetworkClientServer. As with the firewall rules above, the writer is svchost.exe, not the sample.

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mpssvc\Parameters\AppCs\AppCs\S-1-15-2-515815643-2845804217-1874292103-218650560-777617685-4287762684-137415000S-1-5-21-3587106988-279496464-3440778474-1000 = "v2.31|AppPkgId=S-1-15-2-515815643-2845804217-1874292103-218650560-777617685-4287762684-137415000|LUOwn=S-1-5-21-3587106988-279496464-3440778474-1000|C=S-1-15-3-1|C=S-1-15-3-3|C=S-1-15-3-515815643-2845804217-1874292103-218650560-777617685-4287762684-137415000|M=microsoft.windows.startmenuexperiencehost_cw5n1h2txyewy|Name=@{Microsoft.Windows.StartMenuExperienceHost_10.0.22000.37_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.StartMenuExperienceHost/StartMenuExperienceHost/PkgDisplayName}|Desc=@{Microsoft.Windows.StartMenuExperienceHost_10.0.22000.37_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.StartMenuExperienceHost/StartMenuExperienceHost/PkgDisplayName}|D=C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\|PFN=Microsoft.Windows.StartMenuExperienceHost_10.0.22000.37_neutral_neutral_cw5n1h2txyewy|" C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mpssvc\Parameters\AppCs\AppCs C:\Windows\system32\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mpssvc\Parameters\AppCs\AppCs\S-1-15-2-515815643-2845804217-1874292103-218650560-777617685-4287762684-137415000S-1-5-21-3587106988-279496464-3440778474-1000 = "v2.31|AppPkgId=S-1-15-2-515815643-2845804217-1874292103-218650560-777617685-4287762684-137415000|LUOwn=S-1-5-21-3587106988-279496464-3440778474-1000|C=S-1-15-3-1|C=S-1-15-3-3|C=S-1-15-3-515815643-2845804217-1874292103-218650560-777617685-4287762684-137415000|M=microsoft.windows.startmenuexperiencehost_cw5n1h2txyewy|Name=@{Microsoft.Windows.StartMenuExperienceHost_10.0.22000.37_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.StartMenuExperienceHost/StartMenuExperienceHost/PkgDisplayName}|Desc=@{Microsoft.Windows.StartMenuExperienceHost_10.0.22000.37_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.StartMenuExperienceHost/StartMenuExperienceHost/PkgDisplayName}|" C:\Windows\system32\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mpssvc\Parameters\AppCs\PolicyVersion = "543" C:\Windows\system32\svchost.exe N/A
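The rule and AppCs values in the two tables above are stored in the firewall's own serialised form: a version token followed by |Key=Value| pairs in which keys may repeat (Profile=Domain|Profile=Private, C=...|C=...). The following is an added example, not code from the report or from the sandbox vendor: a parser for that format and a triage pass that tags each rule, so that a reviewer can tell an AppContainer-scoped rule like the ones logged here from a host-wide inbound allow. The sample rules are abbreviated from the report's {4E4F5702-...}, {A133FF5E-...} and AppCs rows (Name, Desc and EmbedCtxt shortened, SIDs kept), plus one constructed unscoped rule for contrast. The scoping key names (App, Svc, LPort, RPort, RA4/RA6, ...) are the standard rule-string keys; treating a missing Profile key as "all profiles" is an assumption stated in the code.

```python
"""Parser and triage pass for Windows Firewall rule strings as stored in the
registry (FirewallPolicy\FirewallRules, RestrictedServices\AppIso\FirewallRules
and the mpssvc AppCs values), e.g. 'v2.31|Action=Allow|Dir=In|Profile=Domain|...|'.
Added example; sample strings are abbreviated from the report and one is constructed."""
from __future__ import annotations

# Keys that narrow a rule to a program, service, package, protocol, port or address.
# (Standard rule-string keys; RA42/RA62 are the address-keyword forms seen above.)
SCOPING_KEYS = ("App", "Svc", "AppPkgId", "Protocol", "LPort", "RPort",
                "LA4", "LA6", "RA4", "RA6", "RA42", "RA62")


def parse_rule(rule: str) -> dict:
    """Split 'vX.Y|Key=Value|Key=Value|' into {'version': str, 'fields': {key: [values]}}.
    Keys repeat (Profile=Domain|Profile=Private, C=...|C=...), so values are kept as lists."""
    tokens = rule.split("|")
    version, body = tokens[0], tokens[1:]
    if not version.startswith("v"):
        raise ValueError(f"missing version token: {rule[:40]!r}")
    fields: dict[str, list[str]] = {}
    for tok in body:
        if not tok:                       # the trailing '|' yields an empty token
            continue
        key, sep, value = tok.partition("=")
        if not sep:
            raise ValueError(f"malformed token {tok!r}")
        fields.setdefault(key, []).append(value)
    return {"version": version, "fields": fields}


def triage_rule(rule: str) -> set[str]:
    """Tag one rule with the properties a reviewer cares about."""
    f = parse_rule(rule)["fields"]

    def first(key: str, default: str = "") -> str:
        return f.get(key, [default])[0]

    tags: set[str] = set()
    if first("Active", "TRUE") != "TRUE":
        tags.add("inactive")
    profiles = f.get("Profile", [])
    if not profiles or "Public" in profiles:   # assumption: no Profile key = all profiles
        tags.add("applies-on-public")
    if "AppPkgId" in f:                        # bound to one AppContainer package
        tags.add("appcontainer-scoped")
    if first("Action") == "Allow" and first("Dir") == "In":
        tags.add("inbound-allow")
        if not any(k in f for k in SCOPING_KEYS):
            tags.add("unscoped-inbound-allow")  # any process, any port, any peer
    return tags


def triage_rules(rules: dict[str, str]) -> dict[str, list[str]]:
    return {name: sorted(triage_rule(r)) for name, r in rules.items()}


PKG = "S-1-15-2-515815643-2845804217-1874292103-218650560-777617685-4287762684-137415000"
OWNER = "S-1-5-21-3587106988-279496464-3440778474-1000"

SAMPLE_RULES = {
    # Abbreviated from the report's {4E4F5702-...} row (Name/Desc/EmbedCtxt shortened).
    "{4E4F5702-BAE2-457F-A569-A4E83ED7A71D}":
        "v2.31|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|"
        "Name=StartMenuExperienceHost|Desc=StartMenuExperienceHost|"
        f"LUOwn={OWNER}|AppPkgId={PKG}|EmbedCtxt=StartMenuExperienceHost|"
        "Platform=2:6:2|Platform2=GTEQ|",
    # Abbreviated from the report's {A133FF5E-...} row: a Block rule with no Profile key.
    "{A133FF5E-DC82-4F5A-B2BA-ACB59C0F1621}":
        "v2.31|Action=Block|Active=TRUE|Dir=In|Name=StartMenuExperienceHost|"
        f"Desc=StartMenuExperienceHost|LUOwn={OWNER}|AppPkgId={PKG}|"
        "EmbedCtxt=StartMenuExperienceHost|",
    # Constructed contrast case: what a malicious host-wide allow rule looks like.
    "{00000000-0000-0000-0000-000000000000}":
        "v2.31|Action=Allow|Active=TRUE|Dir=In|Name=Windows Update Helper|Desc=|",
}

# Abbreviated from the report's mpssvc AppCs row; same encoding, repeated C= keys.
SAMPLE_APPCS = (f"v2.31|AppPkgId={PKG}|LUOwn={OWNER}|C=S-1-15-3-1|C=S-1-15-3-3|"
                f"C=S-1-15-3-{PKG[len('S-1-15-2-'):]}|"
                "M=microsoft.windows.startmenuexperiencehost_cw5n1h2txyewy|"
                "Name=StartMenuExperienceHost|Desc=StartMenuExperienceHost|")

if __name__ == "__main__":
    for name, tags in triage_rules(SAMPLE_RULES).items():
        print(name, ", ".join(tags))
    print("AppCs capabilities:", parse_rule(SAMPLE_APPCS)["fields"]["C"])
```

Run against the report's rows, every rule comes out appcontainer-scoped and none is tagged unscoped-inbound-allow; the constructed rule shows the pattern that would justify the "firewall policy" signature on its own.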

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Event Triggered Execution: Image File Execution Options Injection

Note: GlobalFlag 256 is 0x100, FLG_APPLICATION_VERIFIER. With that bit set, ntdll loads the Application Verifier provider DLLs named in VerifierDlls, from System32, into every new winlogon.exe process; the same sample drops C:\Windows\system32\SecureUxTheme.dll (see Drops file in System32 directory), which completes the chain. This is the loading mechanism used by the SecureUxTheme theme-signature bypass. There is no Debugger value, so nothing is substituted for winlogon.exe itself.

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winlogon.exe C:\Users\Admin\AppData\Local\Temp\r8p(4).exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winlogon.exe\GlobalFlag = "256" C:\Users\Admin\AppData\Local\Temp\r8p(4).exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winlogon.exe\VerifierDlls = "SecureUxTheme.dll" C:\Users\Admin\AppData\Local\Temp\r8p(4).exe N/A
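The three rows above are the whole persistence primitive: an IFEO key for winlogon.exe, GlobalFlag=256 and a VerifierDlls list. The following is an added example, not code from the report or from the sandbox vendor: a triage routine that groups IFEO writes per image, decodes the GlobalFlag bitmask, and reports which DLL would be mapped into which process and whether the hook is actually armed (VerifierDlls without the 0x100 bit does nothing). The event list is constructed from the report's rows plus two made-up entries; the System32 path, the GlobalFlag bit table (a documented subset of the gflags bits) and the rule that verifier DLLs resolve from System32 are assumptions stated in the code.

```python
"""Decode Image File Execution Options (IFEO) writes of the kind logged above
and report which DLL or debugger would be injected into which image.
Added example; the event list is constructed from the report's rows plus two
made-up entries, not captured from the sandbox."""
from __future__ import annotations

from dataclasses import dataclass

IFEO_PREFIX = (r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT"
               r"\CurrentVersion\Image File Execution Options")
SYSTEM32 = r"C:\Windows\System32"   # assumption: default system root

FLG_APPLICATION_VERIFIER = 0x100
# Subset of the documented GlobalFlag (gflags) bits; others are reported as undecoded.
GLOBALFLAG_BITS = {
    0x1: "FLG_STOP_ON_EXCEPTION",
    0x2: "FLG_SHOW_LDR_SNAPS",
    0x10: "FLG_HEAP_ENABLE_TAIL_CHECK",
    0x20: "FLG_HEAP_ENABLE_FREE_CHECK",
    0x40: "FLG_HEAP_VALIDATE_PARAMETERS",
    0x80: "FLG_HEAP_VALIDATE_ALL",
    0x100: "FLG_APPLICATION_VERIFIER",
    0x200: "FLG_MONITOR_SILENT_PROCESS_EXIT",
    0x1000: "FLG_USER_STACK_TRACE_DB",
    0x2000000: "FLG_HEAP_PAGE_ALLOCS",
}


@dataclass
class Finding:
    image: str        # image name the IFEO key applies to (e.g. winlogon.exe)
    kind: str         # "debugger" or "verifier-dll"
    detail: str       # decoded value data
    loads: list[str]  # paths that will run in place of, or be mapped into, the image
    armed: bool       # False when VerifierDlls is set but GlobalFlag lacks 0x100


def decode_globalflag(value: int) -> list[str]:
    names = [name for bit, name in sorted(GLOBALFLAG_BITS.items()) if value & bit]
    rest = value & ~sum(GLOBALFLAG_BITS)
    if rest:
        names.append(f"undecoded:0x{rest:x}")
    return names


def as_int(data) -> int:
    # the sandbox logs DWORDs as decimal text ("256"); also accept ints and 0x... text
    return data if isinstance(data, int) else int(str(data), 0)


def triage_ifeo(events) -> list[Finding]:
    """events: iterable of (key_path, value_name, data) registry writes."""
    per_image: dict[str, dict[str, object]] = {}
    for key, name, data in events:
        if not key.lower().startswith(IFEO_PREFIX.lower()):
            continue
        image = key[len(IFEO_PREFIX):].lstrip("\\").split("\\", 1)[0]
        if image:
            per_image.setdefault(image, {})[name] = data
    findings: list[Finding] = []
    for image, values in per_image.items():
        if "Debugger" in values:           # classic IFEO hijack: runs instead of the image
            cmd = str(values["Debugger"])
            findings.append(Finding(image, "debugger", cmd, [cmd], True))
        dlls = str(values.get("VerifierDlls", "")).replace(",", " ").split()
        if dlls:                           # Application Verifier provider DLLs, loaded
            gflags = as_int(values.get("GlobalFlag", 0))   # by ntdll from System32
            findings.append(Finding(
                image, "verifier-dll",
                f"VerifierDlls={' '.join(dlls)} GlobalFlag={decode_globalflag(gflags)}",
                [f"{SYSTEM32}\\{d}" for d in dlls],
                bool(gflags & FLG_APPLICATION_VERIFIER)))
    return findings


SAMPLE_EVENTS = [
    # From the report's rows above (the key-creation row carries no value).
    (IFEO_PREFIX + r"\winlogon.exe", "GlobalFlag", "256"),
    (IFEO_PREFIX + r"\winlogon.exe", "VerifierDlls", "SecureUxTheme.dll"),
    # Constructed: VerifierDlls without the 0x100 flag does not fire.
    (IFEO_PREFIX + r"\notepad.exe", "VerifierDlls", "evil.dll"),
    # Constructed: the older Debugger-value form of the same technique.
    (IFEO_PREFIX + r"\sethc.exe", "Debugger", r"C:\Windows\System32\cmd.exe"),
]

if __name__ == "__main__":
    for f in triage_ifeo(SAMPLE_EVENTS):
        print(f"{f.image:14} {f.kind:13} armed={f.armed!s:5} {f.loads}")
```

On the report's rows the winlogon.exe finding is armed and resolves to C:\Windows\System32\SecureUxTheme.dll, the file the sample writes in the System32 table further down; the notepad.exe entry shows why GlobalFlag has to be checked before calling a VerifierDlls value persistence.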

Event Triggered Execution: Component Object Model Hijacking

persistence privilege_escalation

Executes dropped EXE

Process Events (description, indicator and target N/A on every row)
C:\Windows\Revert8Plus\sym.exe 64

Indicator Removal: Clear Windows Event Logs

Note: the process on every row is C:\Windows\System32\svchost.exe, which hosts the Windows Event Log service; that service opens the .evtx files for writing as part of normal logging. The rows record opens for modification, not a clear, and no row is attributed to the sample, so this signature alone is not evidence that logs were wiped.

defense_evasion
Description Indicator Process Target
File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-TWinUI%4Operational.evtx C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-DxgKrnl-Admin.evtx C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-DxgKrnl-Operational.evtx C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-AppxPackaging%4Operational.evtx C:\Windows\System32\svchost.exe N/A

Loads dropped DLL

Process Events (description, indicator and target N/A on every row)
C:\Users\Admin\AppData\Local\Temp\r8p(4).exe 24
C:\Windows\Revert8Plus\sym.exe 38
C:\Windows\SysWOW64\regsvr32.exe 1
C:\Windows\system32\regsvr32.exe 1

Checks installed software on the system

discovery

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\Windows\Revert8Plus\SoundSchemes\Savanna\Desktop.ini C:\Users\Admin\AppData\Local\Temp\r8p(4).exe N/A
File created C:\Windows\Revert8Plus\SoundSchemes\Sonata\Desktop.ini C:\Users\Admin\AppData\Local\Temp\r8p(4).exe N/A
File created C:\Windows\Revert8Plus\SoundSchemes\Calligraphy\Desktop.ini C:\Users\Admin\AppData\Local\Temp\r8p(4).exe N/A
File created C:\Windows\Revert8Plus\SoundSchemes\Cityscape\Desktop.ini C:\Users\Admin\AppData\Local\Temp\r8p(4).exe N/A
File created C:\Windows\Revert8Plus\SoundSchemes\Heritage\Desktop.ini C:\Users\Admin\AppData\Local\Temp\r8p(4).exe N/A
File created C:\Windows\Revert8Plus\SoundSchemes\Landscapes\Desktop.ini C:\Users\Admin\AppData\Local\Temp\r8p(4).exe N/A
File created C:\Windows\Revert8Plus\SoundSchemes\Quirky\Desktop.ini C:\Users\Admin\AppData\Local\Temp\r8p(4).exe N/A
File created C:\Windows\Revert8Plus\SoundSchemes\Raga\Desktop.ini C:\Users\Admin\AppData\Local\Temp\r8p(4).exe N/A
File created C:\Windows\Revert8Plus\SoundSchemes\Afternoon\Desktop.ini C:\Users\Admin\AppData\Local\Temp\r8p(4).exe N/A
File created C:\Windows\Revert8Plus\SoundSchemes\Characters\Desktop.ini C:\Users\Admin\AppData\Local\Temp\r8p(4).exe N/A
File created C:\Windows\Revert8Plus\SoundSchemes\Delta\Desktop.ini C:\Users\Admin\AppData\Local\Temp\r8p(4).exe N/A
File created C:\Windows\Revert8Plus\SoundSchemes\Festival\Desktop.ini C:\Users\Admin\AppData\Local\Temp\r8p(4).exe N/A
File created C:\Windows\Revert8Plus\SoundSchemes\Garden\Desktop.ini C:\Users\Admin\AppData\Local\Temp\r8p(4).exe N/A

Drops file in System32 directory

Note: of these rows only duires.dll and SecureUxTheme.dll are written by r8p(4).exe; SecureUxTheme.dll is the DLL named in the winlogon.exe VerifierDlls value above. The perf*.dat, PerfStringBackup.* and WmiApRpl_new.* rows are WMIADAP.EXE rebuilding the performance-counter string tables, and the CryptnetUrlCache, INetCache, INetCookies and History rows are C:\ProgramData\Windhawk\Windhawk.exe (the mod engine whose components the sample drops under C:\Windows\Revert8Plus\Engine) and svchost.exe touching the system profile's certificate and internet caches.

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData C:\ProgramData\Windhawk\Windhawk.exe N/A
File created C:\Windows\system32\perfc009.dat C:\Windows\system32\wbem\WMIADAP.EXE N/A
File created C:\Windows\system32\PerfStringBackup.TMP C:\Windows\system32\wbem\WMIADAP.EXE N/A
File created C:\Windows\system32\perfc00A.dat C:\Windows\system32\wbem\WMIADAP.EXE N/A
File created C:\Windows\system32\perfh011.dat C:\Windows\system32\wbem\WMIADAP.EXE N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content C:\ProgramData\Windhawk\Windhawk.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749 C:\Windows\system32\svchost.exe N/A
File created C:\Windows\system32\wbem\Performance\WmiApRpl_new.h C:\Windows\system32\wbem\WMIADAP.EXE N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft C:\ProgramData\Windhawk\Windhawk.exe N/A
File created C:\Windows\system32\perfh007.dat C:\Windows\system32\wbem\WMIADAP.EXE N/A
File created C:\Windows\system32\perfc010.dat C:\Windows\system32\wbem\WMIADAP.EXE N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9 C:\Windows\system32\svchost.exe N/A
File created C:\Windows\system32\perfh00A.dat C:\Windows\system32\wbem\WMIADAP.EXE N/A
File created C:\Windows\system32\perfh010.dat C:\Windows\system32\wbem\WMIADAP.EXE N/A
File created C:\Windows\system32\perfc011.dat C:\Windows\system32\wbem\WMIADAP.EXE N/A
File created C:\Windows\system32\duires.dll C:\Users\Admin\AppData\Local\Temp\r8p(4).exe N/A
File created C:\Windows\system32\SecureUxTheme.dll C:\Users\Admin\AppData\Local\Temp\r8p(4).exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 C:\ProgramData\Windhawk\Windhawk.exe N/A
File created C:\Windows\system32\perfh009.dat C:\Windows\system32\wbem\WMIADAP.EXE N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 C:\ProgramData\Windhawk\Windhawk.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE C:\ProgramData\Windhawk\Windhawk.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04 C:\ProgramData\Windhawk\Windhawk.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04 C:\ProgramData\Windhawk\Windhawk.exe N/A
File created C:\Windows\system32\wbem\Performance\WmiApRpl_new.ini C:\Windows\system32\wbem\WMIADAP.EXE N/A
File created C:\Windows\system32\perfc00C.dat C:\Windows\system32\wbem\WMIADAP.EXE N/A
File opened for modification C:\Windows\system32\PerfStringBackup.INI C:\Windows\system32\wbem\WMIADAP.EXE N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies C:\ProgramData\Windhawk\Windhawk.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache C:\ProgramData\Windhawk\Windhawk.exe N/A
File created C:\Windows\system32\perfc007.dat C:\Windows\system32\wbem\WMIADAP.EXE N/A
File created C:\Windows\system32\perfh00C.dat C:\Windows\system32\wbem\WMIADAP.EXE N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Revert8Plus\Engine\ModsWritable\CPL\he-IL\display.dll.mui C:\Users\Admin\AppData\Local\Temp\r8p(4).exe N/A
File created C:\Windows\Revert8Plus\Engine\ModsWritable\gameux\ar-sa\gameux7.dll.mui C:\Users\Admin\AppData\Local\Temp\r8p(4).exe N/A
File created C:\Windows\Revert8Plus\SoundSchemes\Cityscape\Windows Battery Low.wav C:\Users\Admin\AppData\Local\Temp\r8p(4).exe N/A
File created C:\Windows\Revert8Plus\SoundSchemes\Landscapes\Windows Print complete.wav C:\Users\Admin\AppData\Local\Temp\r8p(4).exe N/A
File created C:\Windows\Revert8Plus\Styles\W7Aero-W11\style.msstyles C:\Users\Admin\AppData\Local\Temp\r8p(4).exe N/A
File created C:\Windows\Revert8Plus\Engine\ModsWritable\classicfix-themecpl.dll C:\Users\Admin\AppData\Local\Temp\r8p(4).exe N/A
File created C:\Windows\Revert8Plus\Engine\ModsWritable\CPL\tr-TR\shell7.dll.mui C:\Users\Admin\AppData\Local\Temp\r8p(4).exe N/A
File created C:\Windows\Revert8Plus\SoundSchemes\Savanna\Desktop.ini C:\Users\Admin\AppData\Local\Temp\r8p(4).exe N/A
File created C:\Windows\Revert8Plus\Engine\ModsWritable\StartIsBack32.dll C:\Users\Admin\AppData\Local\Temp\r8p(4).exe N/A
File created C:\Windows\Revert8Plus\Engine\ModsWritable\symsrv.dll C:\Users\Admin\AppData\Local\Temp\r8p(4).exe N/A
File created C:\Windows\Revert8Plus\Engine\ModsWritable\ExplorerFrame21332.dll C:\Users\Admin\AppData\Local\Temp\r8p(4).exe N/A
File created C:\Windows\Revert8Plus\Engine\ModsWritable\gameux\sl-si\gameux7.dll.mui C:\Users\Admin\AppData\Local\Temp\r8p(4).exe N/A
File created C:\Windows\Revert8Plus\Engine\Mods\64\local@r8p-w7-remove-ms-store-open-with_1.0.0_127284.dll C:\Users\Admin\AppData\Local\Temp\r8p(4).exe N/A
File created C:\Windows\Revert8Plus\ThemeFiles\Redstone\r8p-w7-Landscapes.theme C:\Users\Admin\AppData\Local\Temp\r8p(4).exe N/A
File created C:\Windows\Revert8Plus\Engine\ModsWritable\glass8-1607.dll C:\Users\Admin\AppData\Local\Temp\r8p(4).exe N/A
File created C:\Windows\Revert8Plus\Engine\ModsWritable\VistaIcons\magnify.exe.dll C:\Users\Admin\AppData\Local\Temp\r8p(4).exe N/A
File created C:\Windows\Revert8Plus\ModsSource\[email protected] C:\Users\Admin\AppData\Local\Temp\r8p(4).exe N/A
File created C:\Windows\Revert8Plus\SoundSchemes\Calligraphy\Windows Print complete.wav C:\Users\Admin\AppData\Local\Temp\r8p(4).exe N/A
File created C:\Windows\Revert8Plus\SoundSchemes\Characters\Windows Feed Discovered.wav C:\Users\Admin\AppData\Local\Temp\r8p(4).exe N/A
File created C:\Windows\Revert8Plus\SoundSchemes\Quirky\Windows Print complete.wav C:\Users\Admin\AppData\Local\Temp\r8p(4).exe N/A
File created C:\Windows\Revert8Plus\Cursors\aero_select.cur C:\Users\Admin\AppData\Local\Temp\r8p(4).exe N/A
File created C:\Windows\Revert8Plus\Engine\ModsWritable\gameux\el-gr\gameux7.dll.mui C:\Users\Admin\AppData\Local\Temp\r8p(4).exe N/A
File created C:\Windows\Revert8Plus\SoundSchemes\Landscapes\Windows Navigation Start.wav C:\Users\Admin\AppData\Local\Temp\r8p(4).exe N/A
File created C:\Windows\Revert8Plus\Engine\1.5.1\64\windhawk.lib C:\Users\Admin\AppData\Local\Temp\r8p(4).exe N/A
File created C:\Windows\Revert8Plus\Engine\Mods\64\local@r8p-w7classic-sib-config_1.0.0_611781.dll C:\Users\Admin\AppData\Local\Temp\r8p(4).exe N/A
File created C:\Windows\Revert8Plus\Engine\ModsWritable\W7Icons\fontext.dll C:\Users\Admin\AppData\Local\Temp\r8p(4).exe N/A
File created C:\Windows\Revert8Plus\ModsSource\[email protected] C:\Users\Admin\AppData\Local\Temp\r8p(4).exe N/A
File created C:\Windows\Revert8Plus\SoundSchemes\Sonata\Windows Information Bar.wav C:\Users\Admin\AppData\Local\Temp\r8p(4).exe N/A
File created C:\Windows\Revert8Plus\Cursors\aero_nesw.cur C:\Users\Admin\AppData\Local\Temp\r8p(4).exe N/A
File created C:\Windows\Revert8Plus\SoundSchemes\Garden\Windows Logoff Sound.wav C:\Users\Admin\AppData\Local\Temp\r8p(4).exe N/A
File created C:\Windows\Revert8Plus\Engine\Mods\64\windhawk-mod-shim.dll C:\Users\Admin\AppData\Local\Temp\r8p(4).exe N/A
File created C:\Windows\Revert8Plus\Engine\ModsWritable\VistaIcons\SmartScreenSettings.exe.dll C:\Users\Admin\AppData\Local\Temp\r8p(4).exe N/A
File created C:\Windows\Revert8Plus\Cursors\aero_ew.cur C:\Users\Admin\AppData\Local\Temp\r8p(4).exe N/A
File created C:\Windows\Revert8Plus\SoundSchemes\Raga\Windows Logoff Sound.wav C:\Users\Admin\AppData\Local\Temp\r8p(4).exe N/A
File created C:\Windows\Revert8Plus\Wallpaper\Windows\Harmony.jpg C:\Users\Admin\AppData\Local\Temp\r8p(4).exe N/A
File created C:\Windows\Revert8Plus\Engine\Symbols\twinui.pcshell.pdb\136C29961CF30C574958362491C73CFC1\twinui.pcshell.pdb C:\Windows\Revert8Plus\sym.exe N/A
File created C:\Windows\Revert8Plus\Cursors\aero_move.cur C:\Users\Admin\AppData\Local\Temp\r8p(4).exe N/A
File created C:\Windows\Revert8Plus\Engine\ModsWritable\gameux\tr-tr\gameux7.dll.mui C:\Users\Admin\AppData\Local\Temp\r8p(4).exe N/A
File created C:\Windows\Revert8Plus\SoundSchemes\Calligraphy\Windows Ding.wav C:\Users\Admin\AppData\Local\Temp\r8p(4).exe N/A
File created C:\Windows\Revert8Plus\SoundSchemes\Raga\Windows Navigation Start.wav C:\Users\Admin\AppData\Local\Temp\r8p(4).exe N/A
File created C:\Windows\Revert8Plus\SoundSchemes\Savanna\Windows Logoff Sound.wav C:\Users\Admin\AppData\Local\Temp\r8p(4).exe N/A
File created C:\Windows\Revert8Plus\SoundSchemes\Sonata\Windows Default.wav C:\Users\Admin\AppData\Local\Temp\r8p(4).exe N/A
File created C:\Windows\Revert8Plus\Engine\1.5.1\32\windhawk.dll C:\Users\Admin\AppData\Local\Temp\r8p(4).exe N/A
File created C:\Windows\Revert8Plus\SoundSchemes\Windows\Windows Error.wav C:\Users\Admin\AppData\Local\Temp\r8p(4).exe N/A
File created C:\Windows\Revert8Plus\Engine\Mods\64\local@r8p-vista-sib-loader_1.0.0_238877.dll C:\Users\Admin\AppData\Local\Temp\r8p(4).exe N/A
File created C:\Windows\Revert8Plus\Engine\ModsWritable\W7Icons\UserAccountControlSettings.exe.dll C:\Users\Admin\AppData\Local\Temp\r8p(4).exe N/A
File created C:\Windows\Revert8Plus\Engine\ModsWritable\W7Icons\devmgr.dll C:\Users\Admin\AppData\Local\Temp\r8p(4).exe N/A
File created C:\Windows\Revert8Plus\SoundSchemes\Windows\Windows Recycle.wav C:\Users\Admin\AppData\Local\Temp\r8p(4).exe N/A
File created C:\Windows\Revert8Plus\Styles\W7Basic-W11\shell\NormalColor\en-US\shellstyle.dll.mui C:\Users\Admin\AppData\Local\Temp\r8p(4).exe N/A
File created C:\Windows\Revert8Plus\Engine\Symbols\uxtheme.pdb\CFE07DF3A2489E01E6F8D4D9196EA0AF1\uxtheme.pdb C:\Windows\Revert8Plus\sym.exe N/A
File created C:\Windows\Revert8Plus\Engine\1.5.1\32\symsrv.yes C:\Users\Admin\AppData\Local\Temp\r8p(4).exe N/A
File created C:\Windows\Revert8Plus\Engine\ModsWritable\VistaIcons\batmeter.dll C:\Users\Admin\AppData\Local\Temp\r8p(4).exe N/A
File created C:\Windows\Revert8Plus\Engine\ModsWritable\CPL\sr-Latn-CS\recovery.dll.mui C:\Users\Admin\AppData\Local\Temp\r8p(4).exe N/A
File created C:\Windows\Revert8Plus\SoundSchemes\Delta\Windows Hardware Insert.wav C:\Users\Admin\AppData\Local\Temp\r8p(4).exe N/A
File created C:\Windows\Resources\Themes\r8p-vista-Default.theme C:\Users\Admin\AppData\Local\Temp\r8p(4).exe N/A
File created C:\Windows\Revert8Plus\Engine\ModsWritable\CPL\bthprops.cpl C:\Users\Admin\AppData\Local\Temp\r8p(4).exe N/A
File created C:\Windows\Revert8Plus\ModsSource\[email protected] C:\Users\Admin\AppData\Local\Temp\r8p(4).exe N/A
File created C:\Windows\Revert8Plus\Styles\W7Dark2-W11\shell\NormalColor\en-US\shellstyle.dll.mui C:\Users\Admin\AppData\Local\Temp\r8p(4).exe N/A
File created C:\Windows\Revert8Plus\Engine\Mods\32\local@r8p-w7-sib-loader_1.0.0_352950.dll C:\Users\Admin\AppData\Local\Temp\r8p(4).exe N/A
File created C:\Windows\Revert8Plus\Engine\ModsWritable\W7Icons\SmartScreenSettings.exe.dll C:\Users\Admin\AppData\Local\Temp\r8p(4).exe N/A
File created C:\Windows\Revert8Plus\ModsSource\[email protected] C:\Users\Admin\AppData\Local\Temp\r8p(4).exe N/A
File created C:\Windows\Revert8Plus\SoundSchemes\Festival\Windows User Account Control.wav C:\Users\Admin\AppData\Local\Temp\r8p(4).exe N/A
File created C:\Windows\Revert8Plus\Wallpaper\Landscapes\1.jpg C:\Users\Admin\AppData\Local\Temp\r8p(4).exe N/A
File created C:\Windows\Revert8Plus\Engine\Mods\64\local@r8p-w7-accent-color-sync_1.53_198080.dll C:\Users\Admin\AppData\Local\Temp\r8p(4).exe N/A

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\Windhawk\Windhawk.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\Windhawk\Windhawk.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\r8p(4).exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268" C:\Windows\system32\LogonUI.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\ProgramData\Windhawk\Windhawk.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix C:\ProgramData\Windhawk\Windhawk.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\RemoteSession C:\Windows\system32\winlogon.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0 C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft C:\Windows\system32\dwm.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432" C:\Windows\system32\LogonUI.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" C:\ProgramData\Windhawk\Windhawk.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache C:\Windows\system32\dwm.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache C:\Windows\system32\dwm.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268" C:\Windows\system32\LogonUI.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\RemoteSession\Profile C:\Windows\system32\winlogon.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache C:\Windows\system32\dwm.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" C:\ProgramData\Windhawk\Windhawk.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\ProgramData\Windhawk\Windhawk.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies C:\Windows\system32\dwm.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\ProgramData\Windhawk\Windhawk.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\dwm.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\RemoteSession\CLSID C:\Windows\system32\winlogon.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\dwm.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\ProgramData\Windhawk\Windhawk.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\dwm.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "183" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\dwm.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ED228FDF-9EA8-4870-83b1-96b02CFE0D52}\LocalizedString = "@%SystemRoot%\\system32\\shell32.dll,-30579" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ED228FDF-9EA8-4870-83b1-96b02CFE0D52}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{865e5e76-ad83-4dca-a109-50dc2113ce9b}\InProcServer32\ = "C:\\ProgramData\\Windhawk\\Engine\\ModsWritable\\StartIsBack64.dll" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\StartIsBack.ImmersiveApplication\Shell\CopyPath\Command\DelegateExecute = "{E5C31EC8-C5E6-4E07-957E-944DB4AAD85E}" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\StartIsBack.ImmersiveApplication\Shell\Properties\Command C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{99E2B362-3E4E-4255-9B29-41A7F40777BB}\ShellFolder C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\StartIsBack.ImmersiveApplication\Shell\runas\Command C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{709E2729-F883-441e-A877-ED3CEFC975E6}\ = "ProfileNotifyHandler Class" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\CLSID\{031E4825-7B94-4dc3-B131-E946B44C8DD5} C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\StartIsBack.ImmersiveApplication\Shell\CopyPath\Extended C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\StartIsBack.ImmersiveApplication\Shell\OpenFolder\Command\DelegateExecute = "{E5C31EC8-C5E6-4E07-957E-944DB4AAD85E}" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\StartIsBack.ImmersiveApplication\Shell\CopyPath\Extended C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\HAM\AUI\App C:\Windows\system32\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{542EEE1B-A254-46F7-B980-35BECF6076A4}\Instance\InitPropertyBag\ResourceID = "1001" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\StartIsBack.ImmersiveApplication\Shell\Open\MuiVerb = "@twinui.dll,-1321" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{c71c41f1-ddad-42dc-a8fc-f5bfc61df958} C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\MicrosoftWindows.Client.CBS_cw5n1h2txyewy C:\Windows\system32\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{99E2B362-3E4E-4255-9B29-41A7F40777BA}\InProcServer32\ = "C:\\ProgramData\\Windhawk\\Engine\\ModsWritable\\StartIsBack64.dll" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\StartIsBack.ImmersiveApplication\Shell\Properties\Command C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PTT = "133773441497184451" C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\StartIsBack.ImmersiveApplication\Shell\Open C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{865e5e76-ad83-4dca-a109-50dc2113ce9b}\ShellFolder\Attributes = "672137216" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E5C31EC8-C5E6-4E07-957E-944DB4AAD85E}\InProcServer32 C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\StartIsBack.ImmersiveApplication\Shell\OpenFolder\MuiVerb = "@shell32.dll,-32960" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2e7583c7-7eba-4a1a-8468-d03d28477e6f}\InProcServer32\ = "%SystemRoot%\\Revert8Plus\\Engine\\ModsWritable\\gameux\\migration\\gameuxmig.dll" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{709E2729-F883-441e-A877-ED3CEFC975E6} C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AD1405D2-30CF-4877-8468-1EE1C52C759F} C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{c71c41f1-ddad-42dc-a8fc-f5bfc61df958}\InProcServer32 C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{99E2B362-3E4E-4255-9B29-41A7F40777BB}\ShellFolder\Attributes = "2684354560" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ED228FDF-9EA8-4870-83b1-96b02CFE0D52}\InprocServer32\ = "C:\\Windows\\Revert8Plus\\Engine\\ModsWritable\\gameux\\gameux7.dll" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{99E2B362-3E4E-4255-9B29-41A7F40777BB}\InProcServer32\ = "C:\\ProgramData\\Windhawk\\Engine\\ModsWritable\\StartIsBack64.dll" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\StartIsBack.ImmersiveApplication\Shell\Open\Command C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\StartIsBack.ImmersiveApplication\Shell\OpenFolder\Command C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{542EEE1B-A254-46F7-B980-35BECF6076A4}\InprocServer32\ = "@%SystemRoot%\\Revert8Plus\\R8PCPL.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{a2a9545d-a0c2-42b4-9708-a0b2badd77c9}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{99E2B362-3E4E-4255-9B29-41A7F40777BA}\InProcServer32\ = "C:\\ProgramData\\Windhawk\\Engine\\ModsWritable\\StartIsBack64.dll" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\StartIsBack.ImmersiveApplication\shellex\ContextMenuHandlers\{90AA3A4E-1CBA-4233-B8BB-535773D48449} C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E7B2FB72-D728-49B3-A5F2-18EBF5F1349E} C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\CLSID\{031E4825-7B94-4dc3-B131-E946B44C8DD5} C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{865e5e76-ad83-4dca-a109-50dc2113ce9b}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{06EEE695-542D-46F6-AEAB-FA2F1B2102D3}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{865e5e76-ad83-4dca-a109-50dc2113ce9b}\InProcServer32 C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\StartIsBack.ImmersiveApplication\Shell\Delete\Command C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{99E2B362-3E4E-4255-9B29-41A7F40777BA}\ShellFolder\Attributes = "2684354560" C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{542EEE1B-A254-46F7-B980-35BECF6076A4}\ShellFolder\Attributes = "2684354560" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F382DA49-9148-4a22-AF78-C378DFC32D02}\ = "MS_InstalledGameProv Class" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{865e5e76-ad83-4dca-a109-50dc2113ce9b}\ = "StartIsBack All Programs Folder" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E5C31EC8-C5E6-4E07-957E-944DB4AAD85E}\InProcServer32\ = "C:\\ProgramData\\Windhawk\\Engine\\ModsWritable\\StartIsBack64.dll" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\StartIsBack.ImmersiveApplication\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c9} C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\StartIsBack.ImmersiveApplication\Shell\Properties C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\StartIsBack.ImmersiveApplication\shellex\ContextMenuHandlers\{90AA3A4E-1CBA-4233-B8BB-535773D48449}\ = "Taskbar Pin" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{99E2B362-3E4E-4255-9B29-41A7F40777BB}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E5C31EC8-C5E6-4E07-957E-944DB4AAD85E}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\StartIsBack.ImmersiveApplication C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AD1405D2-30CF-4877-8468-1EE1C52C759F}\ShellFolder\Attributes = "2684354560" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\StartIsBack.ImmersiveApplication\Shell\OpenFolder\MuiVerb = "@shell32.dll,-32960" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\StartIsBack.ImmersiveApplication\Shell\Delete\Position = "Bottom" C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133773441517579107" C:\Windows\system32\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{709E2729-F883-441e-A877-ED3CEFC975E6}\InprocServer32\ = "C:\\Windows\\Revert8Plus\\Engine\\ModsWritable\\gameux\\gameux7.dll" C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\StartIsBack.ImmersiveApplication\Shell\Delete\SeparatorBefore = "1" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\StartIsBack.ImmersiveApplication\shellex\ContextMenuHandlers\{90AA3A4E-1CBA-4233-B8BB-535773D48449} C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{542EEE1B-A254-46F7-B980-35BECF6076A4}\Instance\InitPropertyBag C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{709E2729-F883-441e-A877-ED3CEFC975E6}\InprocServer32 C:\Windows\system32\reg.exe N/A
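The rows above show reg.exe and regsvr32.exe pointing several CLSID InProcServer32 defaults at DLLs under C:\ProgramData\Windhawk and C:\Windows\Revert8Plus, which is the shape of a shell-extension or COM-server registration outside the usual system directories. The check below is an added example, not part of the sandbox report or of any of the tools named in it: it parses rows of the shape printed in this table and lists every CLSID whose in-process server resolves outside System32 or SysWOW64, the same triage one would run over an export of HKLM\SOFTWARE\Classes\CLSID. The sample rows are copied from the table, except the last, which is a constructed control row with a System32 server that the check must not flag. The row parser assumes the Process column contains no spaces, as is true for every row in this table.

```python
import re

# Constructed sample rows, copied from the "Modifies registry class" table
# above plus one made-up control row (shell32.dll under System32) that the
# check must leave alone.
SAMPLE_ROWS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{865e5e76-ad83-4dca-a109-50dc2113ce9b}\InProcServer32\ = "C:\\ProgramData\\Windhawk\\Engine\\ModsWritable\\StartIsBack64.dll" C:\Windows\system32\reg.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2e7583c7-7eba-4a1a-8468-d03d28477e6f}\InProcServer32\ = "%SystemRoot%\\Revert8Plus\\Engine\\ModsWritable\\gameux\\migration\\gameuxmig.dll" C:\Windows\system32\reg.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{542EEE1B-A254-46F7-B980-35BECF6076A4}\InprocServer32\ = "@%SystemRoot%\\Revert8Plus\\R8PCPL.dll" C:\Windows\system32\regsvr32.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ED228FDF-9EA8-4870-83b1-96b02CFE0D52}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\reg.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000001}\InprocServer32\ = "%SystemRoot%\\System32\\shell32.dll" C:\Windows\system32\reg.exe N/A',
]

# Matches the default-value assignment of a CLSID's InprocServer32 key.
# The sandbox spells the key both "InProcServer32" and "InprocServer32",
# hence IGNORECASE.
INPROC_RE = re.compile(
    r'CLSID\\(\{[0-9A-Fa-f-]{36}\})\\InprocServer32\\ = "([^"]+)"',
    re.IGNORECASE,
)

# Directories an in-process COM server is expected to load from on a stock
# install. Anything else is a triage hit, not automatically malicious.
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def normalize_server_path(raw: str) -> str:
    """Turn the sandbox's escaped registry value into a plain NTFS path."""
    # The table doubles backslashes; the regsvr32 row also carries an "@" prefix.
    path = raw.replace("\\\\", "\\").lstrip("@")
    return re.sub(r"%systemroot%", r"C:\\Windows", path, flags=re.IGNORECASE)


def flag_inproc_servers(rows):
    """Return [{'clsid', 'server', 'writer'}] for servers outside TRUSTED_DIRS."""
    findings = []
    for row in rows:
        m = INPROC_RE.search(row)
        if not m:
            continue                      # ThreadingModel and similar rows carry no path
        server = normalize_server_path(m.group(2))
        if server.lower().startswith(TRUSTED_DIRS):
            continue
        # Process column sits just before the trailing "N/A" Target column
        # (assumes the process path has no spaces, true for every row above).
        writer = row.rsplit(" ", 2)[-2]
        findings.append({"clsid": m.group(1).lower(), "server": server, "writer": writer})
    return findings


if __name__ == "__main__":
    for f in flag_inproc_servers(SAMPLE_ROWS):
        print(f"{f['clsid']}  <-  {f['server']}  (written by {f['writer']})")
```

Run against the whole table, the three hits are the StartIsBack64.dll server under ProgramData\Windhawk and the two Revert8Plus DLLs; the ThreadingModel and control rows are skipped. On a live host the same classification applies to the `InprocServer32` default of each CLSID, after expanding `%SystemRoot%`, because a CLSID that Explorer or the shell loads in-process from a user-writable directory is exactly the persistence surface these registrations touch.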

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\r8p(4).exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
(The sandbox logged 64 identical LoadsDriver rows, each with an empty Description, Indicator, Process and Target; only one is kept here. The signature fires on driver loads but recorded no driver path or loading process, so nothing in this table ties the loads to the sample.)

Suspicious use of AdjustPrivilegeToken

Privileges the sandbox could not resolve to a name are shown by their LUID; in winnt.h, 33 is SeIncreaseWorkingSetPrivilege, 34 SeTimeZonePrivilege, 35 SeCreateSymbolicLinkPrivilege and 36 SeDelegateSessionUserImpersonatePrivilege. AdjustTokenPrivileges can only enable privileges the token already holds, so a process that enables the whole set at once, as WMIC.exe does here, gains nothing it did not have; the rows worth a look are the single SeDebugPrivilege enables by powershell.exe and Windhawk.exe and the three SeCreateSymbolicLinkPrivilege (35) enables by r8p(4).exe.
Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\r8p(4).exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\r8p(4).exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\r8p(4).exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\Windhawk\Windhawk.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\dwm.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\dwm.exe N/A
Token: 33 N/A C:\Windows\system32\dwm.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\dwm.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\dwm.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\dwm.exe N/A
Token: 33 N/A C:\Windows\system32\dwm.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\dwm.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\ProgramData\Windhawk\Windhawk.exe N/A
N/A N/A C:\ProgramData\Windhawk\Windhawk.exe N/A
N/A N/A C:\ProgramData\Windhawk\Windhawk.exe N/A
N/A N/A C:\ProgramData\Windhawk\Windhawk.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\system32\LogonUI.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3232 wrote to memory of 1052 N/A C:\Users\Admin\AppData\Local\Temp\r8p(4).exe C:\Windows\SysWOW64\cmd.exe
PID 3232 wrote to memory of 1052 N/A C:\Users\Admin\AppData\Local\Temp\r8p(4).exe C:\Windows\SysWOW64\cmd.exe
PID 3232 wrote to memory of 1052 N/A C:\Users\Admin\AppData\Local\Temp\r8p(4).exe C:\Windows\SysWOW64\cmd.exe
PID 1052 wrote to memory of 1984 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 1052 wrote to memory of 1984 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 1052 wrote to memory of 1984 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 1052 wrote to memory of 1420 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1052 wrote to memory of 1420 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1052 wrote to memory of 1420 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1052 wrote to memory of 2688 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1052 wrote to memory of 2688 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1052 wrote to memory of 2688 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1052 wrote to memory of 3856 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1052 wrote to memory of 3856 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1052 wrote to memory of 3856 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3232 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\r8p(4).exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3232 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\r8p(4).exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3232 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\r8p(4).exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3232 wrote to memory of 788 N/A C:\Users\Admin\AppData\Local\Temp\r8p(4).exe C:\Windows\SysWOW64\regsvr32.exe
PID 3232 wrote to memory of 788 N/A C:\Users\Admin\AppData\Local\Temp\r8p(4).exe C:\Windows\SysWOW64\regsvr32.exe
PID 3232 wrote to memory of 788 N/A C:\Users\Admin\AppData\Local\Temp\r8p(4).exe C:\Windows\SysWOW64\regsvr32.exe
PID 788 wrote to memory of 4176 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 788 wrote to memory of 4176 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 3232 wrote to memory of 3620 N/A C:\Users\Admin\AppData\Local\Temp\r8p(4).exe C:\Windows\system32\reg.exe
PID 3232 wrote to memory of 3620 N/A C:\Users\Admin\AppData\Local\Temp\r8p(4).exe C:\Windows\system32\reg.exe
PID 3232 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Local\Temp\r8p(4).exe C:\Windows\system32\reg.exe
PID 3232 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Local\Temp\r8p(4).exe C:\Windows\system32\reg.exe
PID 3232 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\r8p(4).exe C:\Windows\system32\reg.exe
PID 3232 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\r8p(4).exe C:\Windows\system32\reg.exe
PID 3232 wrote to memory of 3980 N/A C:\Users\Admin\AppData\Local\Temp\r8p(4).exe C:\Windows\system32\reg.exe
PID 3232 wrote to memory of 3980 N/A C:\Users\Admin\AppData\Local\Temp\r8p(4).exe C:\Windows\system32\reg.exe
PID 3232 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\r8p(4).exe C:\Windows\system32\reg.exe
PID 3232 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\r8p(4).exe C:\Windows\system32\reg.exe
PID 3232 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\r8p(4).exe C:\Windows\system32\reg.exe
PID 3232 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\r8p(4).exe C:\Windows\system32\reg.exe
PID 3232 wrote to memory of 4728 N/A C:\Users\Admin\AppData\Local\Temp\r8p(4).exe C:\Windows\system32\reg.exe
PID 3232 wrote to memory of 4728 N/A C:\Users\Admin\AppData\Local\Temp\r8p(4).exe C:\Windows\system32\reg.exe
PID 3232 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\r8p(4).exe C:\Windows\system32\reg.exe
PID 3232 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\r8p(4).exe C:\Windows\system32\reg.exe
PID 3232 wrote to memory of 4416 N/A C:\Users\Admin\AppData\Local\Temp\r8p(4).exe C:\Windows\system32\reg.exe
PID 3232 wrote to memory of 4416 N/A C:\Users\Admin\AppData\Local\Temp\r8p(4).exe C:\Windows\system32\reg.exe
PID 3232 wrote to memory of 1832 N/A C:\Users\Admin\AppData\Local\Temp\r8p(4).exe C:\Windows\Revert8Plus\sym.exe
PID 3232 wrote to memory of 1832 N/A C:\Users\Admin\AppData\Local\Temp\r8p(4).exe C:\Windows\Revert8Plus\sym.exe
PID 1832 wrote to memory of 2392 N/A C:\Windows\Revert8Plus\sym.exe C:\Windows\Revert8Plus\sym.exe
PID 1832 wrote to memory of 2392 N/A C:\Windows\Revert8Plus\sym.exe C:\Windows\Revert8Plus\sym.exe
PID 3232 wrote to memory of 5004 N/A C:\Users\Admin\AppData\Local\Temp\r8p(4).exe C:\Windows\Revert8Plus\sym.exe
PID 3232 wrote to memory of 5004 N/A C:\Users\Admin\AppData\Local\Temp\r8p(4).exe C:\Windows\Revert8Plus\sym.exe
PID 5004 wrote to memory of 4616 N/A C:\Windows\Revert8Plus\sym.exe C:\Windows\Revert8Plus\sym.exe
PID 5004 wrote to memory of 4616 N/A C:\Windows\Revert8Plus\sym.exe C:\Windows\Revert8Plus\sym.exe
PID 3232 wrote to memory of 728 N/A C:\Users\Admin\AppData\Local\Temp\r8p(4).exe C:\Windows\Revert8Plus\sym.exe
PID 3232 wrote to memory of 728 N/A C:\Users\Admin\AppData\Local\Temp\r8p(4).exe C:\Windows\Revert8Plus\sym.exe
PID 728 wrote to memory of 3552 N/A C:\Windows\Revert8Plus\sym.exe C:\Windows\Revert8Plus\sym.exe
PID 728 wrote to memory of 3552 N/A C:\Windows\Revert8Plus\sym.exe C:\Windows\Revert8Plus\sym.exe
PID 3232 wrote to memory of 4228 N/A C:\Users\Admin\AppData\Local\Temp\r8p(4).exe C:\Windows\Revert8Plus\sym.exe
PID 3232 wrote to memory of 4228 N/A C:\Users\Admin\AppData\Local\Temp\r8p(4).exe C:\Windows\Revert8Plus\sym.exe
PID 4228 wrote to memory of 4624 N/A C:\Windows\Revert8Plus\sym.exe C:\Windows\Revert8Plus\sym.exe
PID 4228 wrote to memory of 4624 N/A C:\Windows\Revert8Plus\sym.exe C:\Windows\Revert8Plus\sym.exe
PID 3232 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\r8p(4).exe C:\Windows\Revert8Plus\sym.exe
PID 3232 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\r8p(4).exe C:\Windows\Revert8Plus\sym.exe
PID 2500 wrote to memory of 1444 N/A C:\Windows\Revert8Plus\sym.exe C:\Windows\Revert8Plus\sym.exe
PID 2500 wrote to memory of 1444 N/A C:\Windows\Revert8Plus\sym.exe C:\Windows\Revert8Plus\sym.exe
PID 3232 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\r8p(4).exe C:\Windows\Revert8Plus\sym.exe
PID 3232 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\r8p(4).exe C:\Windows\Revert8Plus\sym.exe
PID 5008 wrote to memory of 992 N/A C:\Windows\Revert8Plus\sym.exe C:\Windows\Revert8Plus\sym.exe

Processes

C:\Windows\system32\winlogon.exe

winlogon.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k RPCSS -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s nsi

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService -p

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer

C:\Windows\sysmon.exe

C:\Windows\sysmon.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\wbem\unsecapp.exe -Embedding

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe

"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service

C:\Windows\system32\SppExtComObj.exe

C:\Windows\system32\SppExtComObj.exe -Embedding

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Users\Admin\AppData\Local\Temp\r8p(4).exe

"C:\Users\Admin\AppData\Local\Temp\r8p(4).exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName|findstr .|findstr /v displayName|findstr /v /c:"Windows Defender"

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName

C:\Windows\SysWOW64\findstr.exe

findstr .

C:\Windows\SysWOW64\findstr.exe

findstr /v displayName

C:\Windows\SysWOW64\findstr.exe

findstr /v /c:"Windows Defender"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell Add-MpPreference -ExclusionPath "C:\Windows\Revert8Plus";Add-MpPreference -ExclusionPath "C:\ProgramData\Windhawk";Add-MpPreference -ExclusionPath "C:\Windows\Resources\Themes\Windows Aero";Add-MpPreference -ExclusionPath "C:\Windows\Temp\r8p.exe"

C:\Windows\SysWOW64\regsvr32.exe

regsvr32 /s "C:\Windows\Revert8Plus\R8PCPL.dll"

C:\Windows\system32\regsvr32.exe

/s "C:\Windows\Revert8Plus\R8PCPL.dll"

C:\Windows\system32\reg.exe

"C:\Windows\SysNative\reg.exe" import "C:\Windows\Revert8Plus\Registry\dwm.reg"

C:\Windows\system32\reg.exe

"C:\Windows\SysNative\reg.exe" import "C:\Windows\Revert8Plus\Registry\gameux.reg"

C:\Windows\system32\reg.exe

"C:\Windows\SysNative\reg.exe" import "C:\Windows\Revert8Plus\Registry\redirection-vista.reg"

C:\Windows\system32\reg.exe

"C:\Windows\SysNative\reg.exe" import "C:\Windows\Revert8Plus\Registry\redirection-w7.reg"

C:\Windows\system32\reg.exe

"C:\Windows\SysNative\reg.exe" import "C:\Windows\Revert8Plus\Registry\sib-vista.reg"

C:\Windows\system32\reg.exe

"C:\Windows\SysNative\reg.exe" import "C:\Windows\Revert8Plus\Registry\sib-w7.reg"

C:\Windows\system32\reg.exe

"C:\Windows\SysNative\reg.exe" import "C:\Windows\Revert8Plus\Registry\sib-w7basic.reg"

C:\Windows\system32\reg.exe

"C:\Windows\SysNative\reg.exe" import "C:\Windows\Revert8Plus\Registry\sib-w7classic.reg"

C:\Windows\system32\reg.exe

"C:\Windows\SysNative\reg.exe" import "C:\Windows\Revert8Plus\Registry\windhawk.reg"

C:\Windows\Revert8Plus\sym.exe

"C:\Windows\Revert8Plus\sym.exe" "C:\Windows\Revert8Plus\Engine\Symbols" "C:\Windows\System32\ActionCenter.dll"

C:\Windows\Revert8Plus\sym.exe

"C:\Windows\Revert8Plus\sym.exe" "C:\Windows\Revert8Plus\Engine\Symbols" "C:\Windows\System32\ActionCenter.dll"

C:\Windows\Revert8Plus\sym.exe

"C:\Windows\Revert8Plus\sym.exe" "C:\Windows\Revert8Plus\Engine\Symbols" "C:\Windows\Revert8Plus\Engine\ModsWritable\AltTab.dll"

C:\Windows\Revert8Plus\sym.exe

"C:\Windows\Revert8Plus\sym.exe" "C:\Windows\Revert8Plus\Engine\Symbols" "C:\Windows\Revert8Plus\Engine\ModsWritable\AltTab.dll"

C:\Windows\Revert8Plus\sym.exe

"C:\Windows\Revert8Plus\sym.exe" "C:\Windows\Revert8Plus\Engine\Symbols" "C:\Windows\System32\ApplicationFrame.dll"

C:\Windows\Revert8Plus\sym.exe

"C:\Windows\Revert8Plus\sym.exe" "C:\Windows\Revert8Plus\Engine\Symbols" "C:\Windows\System32\ApplicationFrame.dll"

C:\Windows\Revert8Plus\sym.exe

"C:\Windows\Revert8Plus\sym.exe" "C:\Windows\Revert8Plus\Engine\Symbols" "C:\Windows\System32\DUI70.dll"

C:\Windows\Revert8Plus\sym.exe

"C:\Windows\Revert8Plus\sym.exe" "C:\Windows\Revert8Plus\Engine\Symbols" "C:\Windows\System32\DUI70.dll"

C:\Windows\Revert8Plus\sym.exe

"C:\Windows\Revert8Plus\sym.exe" "C:\Windows\Revert8Plus\Engine\Symbols" "C:\Windows\System32\consent.exe"

C:\Windows\Revert8Plus\sym.exe

"C:\Windows\Revert8Plus\sym.exe" "C:\Windows\Revert8Plus\Engine\Symbols" "C:\Windows\System32\consent.exe"

C:\Windows\Revert8Plus\sym.exe

"C:\Windows\Revert8Plus\sym.exe" "C:\Windows\Revert8Plus\Engine\Symbols" "C:\Windows\System32\comctl32.dll"

C:\Windows\Revert8Plus\sym.exe

"C:\Windows\Revert8Plus\sym.exe" "C:\Windows\Revert8Plus\Engine\Symbols" "C:\Windows\System32\comctl32.dll"

C:\Windows\Revert8Plus\sym.exe

"C:\Windows\Revert8Plus\sym.exe" "C:\Windows\Revert8Plus\Engine\Symbols" "C:\Windows\SysWOW64\comctl32.dll"

C:\Windows\Revert8Plus\sym.exe

"C:\Windows\Revert8Plus\sym.exe" "C:\Windows\Revert8Plus\Engine\Symbols" "C:\Windows\SysWOW64\comctl32.dll"

C:\Windows\Revert8Plus\sym.exe

"C:\Windows\Revert8Plus\sym.exe" "C:\Windows\Revert8Plus\Engine\Symbols" "C:\Windows\System32\dwmcore.dll"

C:\Windows\Revert8Plus\sym.exe

"C:\Windows\Revert8Plus\sym.exe" "C:\Windows\Revert8Plus\Engine\Symbols" "C:\Windows\System32\dwmcore.dll"

C:\Windows\Revert8Plus\sym.exe

"C:\Windows\Revert8Plus\sym.exe" "C:\Windows\Revert8Plus\Engine\Symbols" "C:\Windows\explorer.exe"

C:\Windows\Revert8Plus\sym.exe

"C:\Windows\Revert8Plus\sym.exe" "C:\Windows\Revert8Plus\Engine\Symbols" "C:\Windows\explorer.exe"

C:\Windows\Revert8Plus\sym.exe

"C:\Windows\Revert8Plus\sym.exe" "C:\Windows\Revert8Plus\Engine\Symbols" "C:\Windows\Revert8Plus\Engine\ModsWritable\explorer.exe"

C:\Windows\Revert8Plus\sym.exe

"C:\Windows\Revert8Plus\sym.exe" "C:\Windows\Revert8Plus\Engine\Symbols" "C:\Windows\Revert8Plus\Engine\ModsWritable\explorer.exe"

C:\Windows\Revert8Plus\sym.exe

"C:\Windows\Revert8Plus\sym.exe" "C:\Windows\Revert8Plus\Engine\Symbols" "C:\Windows\System32\ExplorerFrame.dll"

C:\Windows\Revert8Plus\sym.exe

"C:\Windows\Revert8Plus\sym.exe" "C:\Windows\Revert8Plus\Engine\Symbols" "C:\Windows\System32\ExplorerFrame.dll"

C:\Windows\Revert8Plus\sym.exe

"C:\Windows\Revert8Plus\sym.exe" "C:\Windows\Revert8Plus\Engine\Symbols" "C:\Windows\SysWOW64\ExplorerFrame.dll"

C:\Windows\Revert8Plus\sym.exe

"C:\Windows\Revert8Plus\sym.exe" "C:\Windows\Revert8Plus\Engine\Symbols" "C:\Windows\SysWOW64\ExplorerFrame.dll"

C:\Windows\Revert8Plus\sym.exe

"C:\Windows\Revert8Plus\sym.exe" "C:\Windows\Revert8Plus\Engine\Symbols" "C:\Windows\System32\pnidui.dll"

C:\Windows\Revert8Plus\sym.exe

"C:\Windows\Revert8Plus\sym.exe" "C:\Windows\Revert8Plus\Engine\Symbols" "C:\Windows\System32\pnidui.dll"

C:\Windows\Revert8Plus\sym.exe

"C:\Windows\Revert8Plus\sym.exe" "C:\Windows\Revert8Plus\Engine\Symbols" "C:\Windows\System32\shell32.dll"

C:\Windows\Revert8Plus\sym.exe

"C:\Windows\Revert8Plus\sym.exe" "C:\Windows\Revert8Plus\Engine\Symbols" "C:\Windows\System32\shell32.dll"

C:\Windows\Revert8Plus\sym.exe

"C:\Windows\Revert8Plus\sym.exe" "C:\Windows\Revert8Plus\Engine\Symbols" "C:\Windows\SysWOW64\shell32.dll"

C:\Windows\Revert8Plus\sym.exe

"C:\Windows\Revert8Plus\sym.exe" "C:\Windows\Revert8Plus\Engine\Symbols" "C:\Windows\SysWOW64\shell32.dll"

C:\Windows\Revert8Plus\sym.exe

"C:\Windows\Revert8Plus\sym.exe" "C:\Windows\Revert8Plus\Engine\Symbols" "C:\Windows\System32\SndVolSSO.dll"

C:\Windows\Revert8Plus\sym.exe

"C:\Windows\Revert8Plus\sym.exe" "C:\Windows\Revert8Plus\Engine\Symbols" "C:\Windows\System32\SndVolSSO.dll"

C:\Windows\Revert8Plus\sym.exe

"C:\Windows\Revert8Plus\sym.exe" "C:\Windows\Revert8Plus\Engine\Symbols" "C:\Windows\System32\stobject.dll"

C:\Windows\Revert8Plus\sym.exe

"C:\Windows\Revert8Plus\sym.exe" "C:\Windows\Revert8Plus\Engine\Symbols" "C:\Windows\System32\stobject.dll"

C:\Windows\Revert8Plus\sym.exe

"C:\Windows\Revert8Plus\sym.exe" "C:\Windows\Revert8Plus\Engine\Symbols" "C:\Windows\System32\ThemeUI.dll"

C:\Windows\Revert8Plus\sym.exe

"C:\Windows\Revert8Plus\sym.exe" "C:\Windows\Revert8Plus\Engine\Symbols" "C:\Windows\System32\ThemeUI.dll"

C:\Windows\Revert8Plus\sym.exe

"C:\Windows\Revert8Plus\sym.exe" "C:\Windows\Revert8Plus\Engine\Symbols" "C:\Windows\System32\timedate.cpl"

C:\Windows\Revert8Plus\sym.exe

"C:\Windows\Revert8Plus\sym.exe" "C:\Windows\Revert8Plus\Engine\Symbols" "C:\Windows\System32\timedate.cpl"

C:\Windows\Revert8Plus\sym.exe

"C:\Windows\Revert8Plus\sym.exe" "C:\Windows\Revert8Plus\Engine\Symbols" "C:\Windows\System32\twinui.pcshell.dll"

C:\Windows\Revert8Plus\sym.exe

"C:\Windows\Revert8Plus\sym.exe" "C:\Windows\Revert8Plus\Engine\Symbols" "C:\Windows\System32\twinui.pcshell.dll"

C:\Windows\Revert8Plus\sym.exe

"C:\Windows\Revert8Plus\sym.exe" "C:\Windows\Revert8Plus\Engine\Symbols" "C:\Windows\System32\twinui.dll"

C:\Windows\Revert8Plus\sym.exe

"C:\Windows\Revert8Plus\sym.exe" "C:\Windows\Revert8Plus\Engine\Symbols" "C:\Windows\System32\twinui.dll"

C:\Windows\Revert8Plus\sym.exe

"C:\Windows\Revert8Plus\sym.exe" "C:\Windows\Revert8Plus\Engine\Symbols" "C:\Windows\System32\uDWM.dll"

C:\Windows\Revert8Plus\sym.exe

"C:\Windows\Revert8Plus\sym.exe" "C:\Windows\Revert8Plus\Engine\Symbols" "C:\Windows\System32\uDWM.dll"

C:\Windows\Revert8Plus\sym.exe

"C:\Windows\Revert8Plus\sym.exe" "C:\Windows\Revert8Plus\Engine\Symbols" "C:\Windows\System32\user32.dll"

C:\Windows\Revert8Plus\sym.exe

"C:\Windows\Revert8Plus\sym.exe" "C:\Windows\Revert8Plus\Engine\Symbols" "C:\Windows\System32\user32.dll"

C:\Windows\Revert8Plus\sym.exe

"C:\Windows\Revert8Plus\sym.exe" "C:\Windows\Revert8Plus\Engine\Symbols" "C:\Windows\SysWOW64\user32.dll"

C:\Windows\Revert8Plus\sym.exe

"C:\Windows\Revert8Plus\sym.exe" "C:\Windows\Revert8Plus\Engine\Symbols" "C:\Windows\SysWOW64\user32.dll"

C:\Windows\Revert8Plus\sym.exe

"C:\Windows\Revert8Plus\sym.exe" "C:\Windows\Revert8Plus\Engine\Symbols" "C:\Windows\System32\UXInit.dll"

C:\Windows\Revert8Plus\sym.exe

"C:\Windows\Revert8Plus\sym.exe" "C:\Windows\Revert8Plus\Engine\Symbols" "C:\Windows\System32\UXInit.dll"

C:\Windows\Revert8Plus\sym.exe

"C:\Windows\Revert8Plus\sym.exe" "C:\Windows\Revert8Plus\Engine\Symbols" "C:\Windows\System32\UxTheme.dll"

C:\Windows\Revert8Plus\sym.exe

"C:\Windows\Revert8Plus\sym.exe" "C:\Windows\Revert8Plus\Engine\Symbols" "C:\Windows\System32\UxTheme.dll"

C:\Windows\Revert8Plus\sym.exe

"C:\Windows\Revert8Plus\sym.exe" "C:\Windows\Revert8Plus\Engine\Symbols" "C:\Windows\System32\van.dll"

C:\Windows\Revert8Plus\sym.exe

"C:\Windows\Revert8Plus\sym.exe" "C:\Windows\Revert8Plus\Engine\Symbols" "C:\Windows\System32\van.dll"

C:\Windows\Revert8Plus\sym.exe

"C:\Windows\Revert8Plus\sym.exe" "C:\Windows\Revert8Plus\Engine\Symbols" "C:\Windows\System32\Windows.Storage.dll"

C:\Windows\Revert8Plus\sym.exe

"C:\Windows\Revert8Plus\sym.exe" "C:\Windows\Revert8Plus\Engine\Symbols" "C:\Windows\System32\Windows.Storage.dll"

C:\Windows\Revert8Plus\sym.exe

"C:\Windows\Revert8Plus\sym.exe" "C:\Windows\Revert8Plus\Engine\Symbols" "C:\Windows\SysWOW64\Windows.Storage.dll"

C:\Windows\Revert8Plus\sym.exe

"C:\Windows\Revert8Plus\sym.exe" "C:\Windows\Revert8Plus\Engine\Symbols" "C:\Windows\SysWOW64\Windows.Storage.dll"

C:\Windows\Revert8Plus\sym.exe

"C:\Windows\Revert8Plus\sym.exe" "C:\Windows\Revert8Plus\Engine\Symbols" "C:\Windows\System32\winlogon.exe"

C:\Windows\Revert8Plus\sym.exe

"C:\Windows\Revert8Plus\sym.exe" "C:\Windows\Revert8Plus\Engine\Symbols" "C:\Windows\System32\winlogon.exe"

C:\Windows\Revert8Plus\sym.exe

"C:\Windows\Revert8Plus\sym.exe" "C:\Windows\Revert8Plus\Engine\Symbols" "C:\Windows\System32\ntdll.dll"

C:\Windows\Revert8Plus\sym.exe

"C:\Windows\Revert8Plus\sym.exe" "C:\Windows\Revert8Plus\Engine\Symbols" "C:\Windows\System32\ntdll.dll"

C:\Windows\Revert8Plus\sym.exe

"C:\Windows\Revert8Plus\sym.exe" "C:\Windows\Revert8Plus\Engine\Symbols" "C:\Windows\SysWOW64\ntdll.dll"

C:\Windows\Revert8Plus\sym.exe

"C:\Windows\Revert8Plus\sym.exe" "C:\Windows\Revert8Plus\Engine\Symbols" "C:\Windows\SysWOW64\ntdll.dll"

C:\Windows\Revert8Plus\sym.exe

"C:\Windows\Revert8Plus\sym.exe" "C:\Windows\Revert8Plus\Engine\Symbols" "C:\Windows\System32\sndvol.exe"

C:\Windows\Revert8Plus\sym.exe

"C:\Windows\Revert8Plus\sym.exe" "C:\Windows\Revert8Plus\Engine\Symbols" "C:\Windows\System32\sndvol.exe"

C:\ProgramData\Windhawk\Windhawk.exe

"C:\ProgramData\Windhawk\Windhawk.exe" -service

C:\Windows\system32\rundll32.exe

rundll32 C:\programdata\Windhawk\Engine\ModsWritable\OpenGlassDComp.dll,StartupService

C:\ProgramData\Windhawk\Windhawk.exe

"C:\ProgramData\Windhawk\Windhawk.exe" -tray-only

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s DsmSvc

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x00000000000004E4 0x00000000000004EC

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x0 /state0:0xa39cc855 /state1:0x41c64e6d

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc

C:\Windows\System32\smss.exe

\SystemRoot\System32\smss.exe 00000134 0000008c

C:\Windows\System32\smss.exe

\SystemRoot\System32\smss.exe 00000128 0000008c

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\smss.exe

\SystemRoot\System32\smss.exe 000000e0 0000008c

C:\Windows\System32\smss.exe

\SystemRoot\System32\smss.exe 00000110 0000008c

C:\Windows\System32\smss.exe

\SystemRoot\System32\smss.exe 000000f8 0000008c

C:\Windows\System32\smss.exe

\SystemRoot\System32\smss.exe 00000100 0000008c

C:\Windows\System32\smss.exe

\SystemRoot\System32\smss.exe 00000104 0000008c

C:\Windows\System32\smss.exe

\SystemRoot\System32\smss.exe 000000c0 0000008c

C:\Windows\System32\smss.exe

\SystemRoot\System32\smss.exe 000000f8 0000008c

C:\Windows\system32\wbem\WMIADAP.EXE

wmiadap.exe /R /T

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 msdl.microsoft.com udp
US 204.79.197.219:443 msdl.microsoft.com tcp
US 20.209.194.1:443 vsblobprodscussu5shard57.blob.core.windows.net tcp
US 8.8.8.8:53 219.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 1.194.209.20.in-addr.arpa udp
US 204.79.197.219:443 msdl.microsoft.com tcp
US 20.209.116.33:443 vsblobprodscussu5shard51.blob.core.windows.net tcp
US 204.79.197.219:443 msdl.microsoft.com tcp
US 20.150.70.36:443 vsblobprodscussu5shard61.blob.core.windows.net tcp
US 204.79.197.219:443 msdl.microsoft.com tcp
US 20.209.194.1:443 vsblobprodscussu5shard51.blob.core.windows.net tcp
US 204.79.197.219:443 msdl.microsoft.com tcp
US 20.209.116.33:443 vsblobprodscussu5shard51.blob.core.windows.net tcp
US 204.79.197.219:443 msdl.microsoft.com tcp
US 20.150.79.68:443 vsblobprodscussu5shard61.blob.core.windows.net tcp
US 204.79.197.219:443 msdl.microsoft.com tcp
US 20.150.70.36:443 vsblobprodscussu5shard61.blob.core.windows.net tcp
US 204.79.197.219:443 msdl.microsoft.com tcp
US 20.209.194.1:443 vsblobprodscussu5shard51.blob.core.windows.net tcp
US 204.79.197.219:443 msdl.microsoft.com tcp
US 20.209.194.1:443 vsblobprodscussu5shard51.blob.core.windows.net tcp
US 204.79.197.219:443 msdl.microsoft.com tcp
US 20.209.194.1:443 vsblobprodscussu5shard51.blob.core.windows.net tcp
US 204.79.197.219:443 msdl.microsoft.com tcp
US 20.150.79.68:443 vsblobprodscussu5shard61.blob.core.windows.net tcp
US 204.79.197.219:443 msdl.microsoft.com tcp
US 20.150.38.228:443 vsblobprodscussu5shard61.blob.core.windows.net tcp
US 204.79.197.219:443 msdl.microsoft.com tcp
US 20.150.70.36:443 vsblobprodscussu5shard61.blob.core.windows.net tcp
US 204.79.197.219:443 msdl.microsoft.com tcp
US 20.150.38.228:443 vsblobprodscussu5shard61.blob.core.windows.net tcp
US 204.79.197.219:443 msdl.microsoft.com tcp
US 20.150.70.36:443 vsblobprodscussu5shard61.blob.core.windows.net tcp
US 204.79.197.219:443 msdl.microsoft.com tcp
US 20.209.194.1:443 vsblobprodscussu5shard51.blob.core.windows.net tcp
US 204.79.197.219:443 msdl.microsoft.com tcp
US 20.150.38.228:443 vsblobprodscussu5shard61.blob.core.windows.net tcp
US 204.79.197.219:443 msdl.microsoft.com tcp
US 20.150.79.68:443 vsblobprodscussu5shard61.blob.core.windows.net tcp
US 204.79.197.219:443 msdl.microsoft.com tcp
US 20.150.79.68:443 vsblobprodscussu5shard61.blob.core.windows.net tcp
US 204.79.197.219:443 msdl.microsoft.com tcp
US 20.150.38.228:443 vsblobprodscussu5shard61.blob.core.windows.net tcp
US 204.79.197.219:443 msdl.microsoft.com tcp
US 20.209.117.33:443 vsblobprodscussu5shard51.blob.core.windows.net tcp
US 204.79.197.219:443 msdl.microsoft.com tcp
US 20.209.116.33:443 vsblobprodscussu5shard51.blob.core.windows.net tcp
US 204.79.197.219:443 msdl.microsoft.com tcp
US 20.209.194.1:443 vsblobprodscussu5shard51.blob.core.windows.net tcp
US 204.79.197.219:443 msdl.microsoft.com tcp
US 20.209.117.33:443 vsblobprodscussu5shard51.blob.core.windows.net tcp
US 204.79.197.219:443 msdl.microsoft.com tcp
US 20.150.70.36:443 vsblobprodscussu5shard61.blob.core.windows.net tcp
US 204.79.197.219:443 msdl.microsoft.com tcp
US 20.150.70.36:443 vsblobprodscussu5shard61.blob.core.windows.net tcp
US 204.79.197.219:443 msdl.microsoft.com tcp
US 20.209.194.1:443 vsblobprodscussu5shard51.blob.core.windows.net tcp
US 204.79.197.219:443 msdl.microsoft.com tcp
US 20.209.194.1:443 vsblobprodscussu5shard51.blob.core.windows.net tcp
US 204.79.197.219:443 msdl.microsoft.com tcp
US 20.150.70.36:443 vsblobprodscussu5shard61.blob.core.windows.net tcp
US 204.79.197.219:443 msdl.microsoft.com tcp
US 20.209.117.33:443 vsblobprodscussu5shard51.blob.core.windows.net tcp
US 204.79.197.219:443 msdl.microsoft.com tcp
US 20.150.70.36:443 vsblobprodscussu5shard61.blob.core.windows.net tcp
US 204.79.197.219:443 msdl.microsoft.com tcp
US 20.150.70.36:443 vsblobprodscussu5shard61.blob.core.windows.net tcp
US 204.79.197.219:443 msdl.microsoft.com tcp
US 204.79.197.219:443 msdl.microsoft.com tcp
US 20.150.79.68:443 vsblobprodscussu5shard61.blob.core.windows.net tcp
US 20.150.38.228:443 vsblobprodscussu5shard61.blob.core.windows.net tcp
US 204.79.197.219:443 msdl.microsoft.com tcp
US 20.150.38.228:443 vsblobprodscussu5shard61.blob.core.windows.net tcp

Files

C:\Users\Admin\AppData\Local\Temp\nse850F.tmp\System.dll

MD5 4add245d4ba34b04f213409bfe504c07
SHA1 ef756d6581d70e87d58cc4982e3f4d18e0ea5b09
SHA256 9111099efe9d5c9b391dc132b2faf0a3851a760d4106d5368e30ac744eb42706
SHA512 1bd260cabe5ea3cefbbc675162f30092ab157893510f45a1b571489e03ebb2903c55f64f89812754d3fe03c8f10012b8078d1261a7e73ac1f87c82f714bce03d

C:\Users\Admin\AppData\Local\Temp\nse850F.tmp\nsExec.dll

MD5 b4579bc396ace8cafd9e825ff63fe244
SHA1 32a87ed28a510e3b3c06a451d1f3d0ba9faf8d9c
SHA256 01e72332362345c415a7edcb366d6a1b52be9ac6e946fb9da49785c140ba1a4b
SHA512 3a76e0e259a0ca12275fed922ce6e01bdfd9e33ba85973e80101b8025ef9243f5e32461a113bbcc6aa75e40894bb5d3a42d6b21045517b6b3cf12d76b4cfa36a

C:\Users\Admin\AppData\Local\Temp\nse850F.tmp\Aero.dll

MD5 0cb4305037fdbb31b1763beed3564f7f
SHA1 b584fd7ebffc331b2a08c6c7c74ed1193f3fa22d
SHA256 4f8ac32dd2cca85f9a018eb6a29bf0405af41a725a8a6ff6a7429704feef8d7b
SHA512 e85449f23ac1742b59fb5299737cfdc1c0aae79c0c247f47fcc7887c433d085087d23e7bb521b9f63e470772e0b5e1e3b3afb9b9244f12b425d43d5205a21a4c

C:\Users\Admin\AppData\Local\Temp\nse850F.tmp\nsDialogs.dll

MD5 1d8f01a83ddd259bc339902c1d33c8f1
SHA1 9f7806af462c94c39e2ec6cc9c7ad05c44eba04e
SHA256 4b7d17da290f41ebe244827cc295ce7e580da2f7e9f7cc3efc1abc6898e3c9ed
SHA512 28bf647374b4b500a0f3dbced70c2b256f93940e2b39160512e6e486ac31d1d90945acecef578f61b0a501f27c7106b6ffc3deab2ec3bfb3d9af24c9449a1567

memory/2396-26-0x0000000002ED0000-0x0000000002F06000-memory.dmp

memory/2396-27-0x00000000058C0000-0x0000000005EEA000-memory.dmp

memory/2396-28-0x0000000006060000-0x0000000006082000-memory.dmp

memory/2396-29-0x0000000006100000-0x0000000006166000-memory.dmp

memory/2396-30-0x0000000006170000-0x00000000061D6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fa2czqvs.ynm.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2396-39-0x00000000061E0000-0x0000000006537000-memory.dmp

memory/2396-40-0x00000000066E0000-0x00000000066FE000-memory.dmp

memory/2396-41-0x0000000006720000-0x000000000676C000-memory.dmp

memory/2396-42-0x0000000006CC0000-0x0000000006CF4000-memory.dmp

memory/2396-43-0x0000000070A50000-0x0000000070A9C000-memory.dmp

memory/2396-52-0x00000000076B0000-0x00000000076CE000-memory.dmp

memory/2396-53-0x00000000078E0000-0x0000000007984000-memory.dmp

memory/2396-54-0x0000000008060000-0x00000000086DA000-memory.dmp

memory/2396-55-0x0000000007A20000-0x0000000007A3A000-memory.dmp

memory/2396-56-0x0000000007A90000-0x0000000007A9A000-memory.dmp

memory/2396-57-0x0000000007CC0000-0x0000000007D56000-memory.dmp

memory/2396-58-0x0000000007C30000-0x0000000007C41000-memory.dmp

memory/2396-59-0x0000000007C70000-0x0000000007C7E000-memory.dmp

memory/2396-60-0x0000000007C80000-0x0000000007C95000-memory.dmp

memory/2396-61-0x0000000007D80000-0x0000000007D9A000-memory.dmp

memory/2396-62-0x0000000007D60000-0x0000000007D68000-memory.dmp

C:\Windows\Revert8Plus\SoundSchemes\Delta\Desktop.ini

MD5 794f1975f13b0fb6c554d96006237cad
SHA1 4a3989d06826b5e8ed30325e3a2527f62de6ae5d
SHA256 b77586f906749b00246a8d8ce73e48ea42ac69355524afe3b1183e1ac6d8d201
SHA512 c4e91baea7b0621765c5da6254be846acef4f90570950e02c8ca733b255afc5ee1ec3378ef479c6bf22205a780d22c5b14b264b55f5f471c66dbce7b84d332b5

C:\Windows\Revert8Plus\Styles\W7Basic-Redstone\shell\NormalColor\en-US\shellstyle.dll.mui

MD5 2f5484ed6bea507bf069407cd769c8c1
SHA1 843e91796049be18ae8f5be66a152199de4d712e
SHA256 339869ea975c67deef8afdaa6638b72b825f5899141fe68861aa4afd74cd516f
SHA512 9dfb8ed01fd231687ad8f1fe6ead0aa7b39542d1ee86a63ff44bab8d50f535397115ef338feb25b45c9f8ac8da4dd816af03c201b2a2163a39b8e87524d06bca

C:\Windows\Revert8Plus\Styles\W7Dark2-Redstone\shell\NormalColor\shellstyle.dll

MD5 24216c145d6aaf56d8de25acb32b5416
SHA1 d4f8a4a60e4f38a7d1be3e499d606f18fd417045
SHA256 c9a11ffbdda45340a8f48740b6f562950e57bee0c05e10a8978d1a3b93380f82
SHA512 01346babee37e3ec1df171a13fe5de008554dbb682c7a407852ded255378225328cde2f313de6e04f5113d486ff2f7efd2b88184b09fd9c3a40fb041f3f78a15

C:\Windows\Revert8Plus\R8PCPL.dll

MD5 9bc0cbdd5ced816678151377a42e00cb
SHA1 e04bdf76726e73f405b4dbf532c016640ab4d1f7
SHA256 fdf1cb7a110f91774cad71d8b3ff1ee97300f147b1d5c7ac4ff859aa00ee8129
SHA512 ad3d646679b8bf1465bc68edd0ac98a0f8460577153bfb77dea165c320ab41108c679ff8802bbf9c0ea4712bde8cc2a4f6b67e92a547db40bf97c0473dc7d2ad

C:\Windows\Revert8Plus\Registry\dwm.reg

MD5 084d6f8d6d84f6bae01e5fd19e3bab5f
SHA1 8c201fed61ddaac7397c479e61b9d71705486ebe
SHA256 01a2e20064c0dc81dfb2b521cb9fbd0172770ae5a4be15882fbb7b6b9024ab39
SHA512 edf5b96839ac3c8acdd86d0a6ce7c216938c1bb4c992d934d72b6842c0796c4a4add29d60ed42c2f840007e661302ae617cad8e84c50b4ce54704b0dd013cb99

C:\Windows\Revert8Plus\Registry\gameux.reg

MD5 62dfef91a9940c3a27bb3afc4a5bf503
SHA1 92230f525e36e83a80b76a2ab9516cc0c20303ba
SHA256 14b1a0a326034e9cc1c8e51d5a21742674cb98bce9156b2b71310c222697cfee
SHA512 6c51c7730e1bad54dfecb38e70c16dac2b9ff5cef91ce650544e02c98d07633999c0f7a95dd6648dfd632a493c55df3a94542162a21b8a4aff15c08ff6473a43

C:\Windows\Revert8Plus\Registry\redirection-vista.reg

MD5 5e505435dc4a098c95a18c5e0b14dfb1
SHA1 f4dd63f5e877b440d54474c3bbce44bf0a13697f
SHA256 014a1e2cd005ccbba2aed41576180fe84d8eddca81f65ce5a5b798e9c2c59113
SHA512 df6c11996f3101f5434727cb11aa7a5e4bf5e8aaaeeaa5ea85b36dd6d89cf7fcfd8d30b4ad7e8c1fe5231bfcebf4afe4beb998c46aa6b01bc400cd956bb8914a

C:\Windows\Revert8Plus\Registry\redirection-w7.reg

MD5 0cc60dc4933463c382ca38c41a2ca3eb
SHA1 6c88399d35aaffcab1161a41239e16cd02c98eb9
SHA256 274373cd8acd0a5359441581a0b3aa201aaf6a1d749ef1d21f1dadd55ff55535
SHA512 1831dd415a5c11a02e79d76daf2261ab1a0b036b1f14345dd51c5d0106839c541af52d3b896382a3f5370b9d979563fb771669176a0cbd78bfeff8724e5bafa9

C:\Windows\Revert8Plus\Registry\sib-vista.reg

MD5 8dbfa54c810f4a14808707d66dd5393c
SHA1 6b76560baa11cfdc17a70858fb8c5514d8aa5be1
SHA256 3064ad7deb064ff74e9661c7f1f6cac69e9ccb7a47df9aceab08f8b6152eda65
SHA512 5bac15d5f0efdbba3bf19cb7f6451323347425b4fbcaaddea0058a95a40b2b6183cc8a3c5d34cd32502f9ece544492c7d10e0c8693ca53e8389df6c1d953fa51

C:\Windows\Revert8Plus\Registry\sib-w7.reg

MD5 58bd812a391d8e6b714e21a36c6c865f
SHA1 970c806b8f5166a8118fb58502a96b7e8f720bc8
SHA256 3ce433616d9122698acb564136d326a0eebde754f55055c6a7b1343d0ab2cac7
SHA512 de46270e52ae391fff8b7c5efdec02eb8246fd1d6de8e8ad98b979c7159dba16c763affead11ed50024faa951dcebfca9950f12242ee05c5f0d75fc7e8d22f18

C:\Windows\Revert8Plus\Registry\sib-w7basic.reg

MD5 5e7d57b25bd06fe5229edd612ed69717
SHA1 4c79a5e063848f161c14f92cca8093e8227ff659
SHA256 1b99af9870dcb0d5d5495296a95e0c1f39aefa31489b2800eb3ac687bd772c8b
SHA512 3a6dc479e5eef84d09ce73a2728a37c349deb689fdfd7b0f52e0fd28094e864132daa95172e2a1d5a9772671834dc064896bbb16e81059c3d1db439a7d706da9

C:\Windows\Revert8Plus\Registry\sib-w7classic.reg

MD5 daceeae7152ac7d010259e7f0ea10191
SHA1 3e334d90da21f6dd721e6d0ea5a3c63f5000e2fd
SHA256 12461bc0333e57b101dfc9155963e54029331350da019da3438619854748bf3a
SHA512 612924353018270eeb18173dc8b416fa8c98a61710c9da1801102da9cc72e7d151625e0962738955ade74bbe20d31d1111ae77cd6e3a3cc387cac0466d9d7871

C:\Windows\Revert8Plus\Registry\windhawk.reg

MD5 d7b8bf5339a26e604bf4e3cebe0ff388
SHA1 e5d1d680159e61759aa731a4cb5758f97204c275
SHA256 647b074d9681da3e507905c85863ab10844010b746ab09ec74e5ab96c20af2a5
SHA512 55cb70db10c0cc82bf0800123c4aed967f07fdc9478c5b827c66a5a81d3bf44555f0f58c0507fe198f7329118af7e3b8c825b919f8b6362b44af4800fc4bfbc5

C:\Users\Admin\AppData\Local\Temp\nse850F.tmp\AccessControl.dll

MD5 d74bb4447af48da081c7d9b499f3a023
SHA1 dadf6e140e6fd8e49a1851cc144bb022e0adb185
SHA256 5fd5d8aec97cffaad9b7df6371b348d436cf1401e86fab614dc4cb8575428e52
SHA512 9a15de5c6b08914f5e5bbc1c318fb0e84da28a316cf51ccddca8dfb64cd67b7ad06acac307b41d5086a0740055d327007ff890807d6853bb2e767179a3b3d758

C:\Windows\Revert8Plus\Engine\ModsWritable\VistaIcons\WorkFoldersControl.dll

MD5 0b3671b005ac881485e2403317f6ecb4
SHA1 59eafb7fc980821448dd0f1c91f4cc2368f41442
SHA256 2bf8d40a495dba2825b1048cd75062602a719d95cb987582b639cdbc49c3ead5
SHA512 142b60909f8725112c8434e3c04b41632a6098bbe06809938b08bcc5b4cb11ec48770d22c8594421edab5ae18705494e9fe93266630351e3d0ee30979ba8bb82

C:\Windows\Revert8Plus\Engine\Symbols\warning.txt

MD5 4d1464c9e110731186b6c0cf91545869
SHA1 3f4c55f1821f58081582439aad9502213fc2c691
SHA256 a7b4e19743c9c96ab15d1a5ede861301e6baccf426c6e7637c0b8bd0ba3f98b0
SHA512 f5b74abdcb0dfe0169f7464f8fb833fa804c7f3e4dea4ecd0a0a7a8e2f859bb20ca1afb9bd394b929f48adc76a88387f870d3a9fe5f3fd823029ac52876126b1

memory/3232-1326-0x00000000029A0000-0x0000000002ABC000-memory.dmp

C:\Windows\Revert8Plus\sym.exe

MD5 31e6cde417b805fefaa58afd59715161
SHA1 0d6202b37f0cb0534876099a5ed1426e4c0f1a0d
SHA256 a3d83b63326cfcdc66a9e7078e8515732f198673652063a22498e96efbb597ef
SHA512 7fddc59eae04f0b211ce42e17261ef09301e697e005914ba86b5bc178ae2dae1218f17a4501144202feffcf74c80e34c0909cf5459a11422370d4c2e958f0df0

C:\Users\Admin\AppData\Local\Temp\nse850F.tmp\SimpleSC.dll

MD5 7b89329c6d8693fb2f6a4330100490a0
SHA1 851b605cdc1c390c4244db56659b6b9aa8abd22c
SHA256 1620cdf739f459d1d83411f93648f29dcf947a910cc761e85ac79a69639d127d
SHA512 ac07972987ee610a677ea049a8ec521a720f7352d8b93411a95fd4b35ec29bfd1d6ccf55b48f32cc84c3dceef05855f723a88708eb4cf23caec77e7f6596786a

C:\Windows\Revert8Plus\Engine\ModsWritable\VistaIcons\SmartScreenSettings.exe.dll

MD5 13942db88d8f74e67289130fdf16e1b9
SHA1 8b66fb4ec6db6266a7ecc002027dba4ae00a5fc7
SHA256 1cb61978c9f4901bb107254030560bbd3e890e504178af49ea292bc6807c3fa5
SHA512 6b2fea11ed13d2140e7e0f16df7fa23c36eefdd7f0068bb19dd65d7a158754479aecae041843e8c862d5f73da787a0e4cf711e2df8dee2eae6d01ec3f1819e92

C:\Windows\Revert8Plus\Engine\ModsWritable\VistaIcons\ndadmin.exe.dll

MD5 fda58e7342584ef7b87e2c2823bcb385
SHA1 51e843ee176ad7afcf6d418f62fff9f474a1a32f
SHA256 974895ed81cf6454a1c4474b720791800f0e4c42160a573bb4ed37c6ef13a0b0
SHA512 580c53dd6f15e45b20f575e2a964bfbc43aa11a56536bc920c82f204821e11b40f656fa1b3d444a243ebccc784b73622f4a9eb92a0e17ac301a7fec2a49a42bd

C:\Users\Admin\AppData\Local\Temp\_MEI18322\python311.dll

MD5 d06da79bfd21bb355dc3e20e17d3776c
SHA1 610712e77f80d2507ffe85129bfeb1ff72fa38bf
SHA256 2835e0f24fb13ef019608b13817f3acf8735fbc5f786d00501c4a151226bdff1
SHA512 e4dd839c18c95b847b813ffd0ca81823048d9b427e5dcf05f4fbe0d77b8f7c8a4bd1c67c106402cd1975bc20a8ec1406a38ad4764ab466ef03cb7eb1f431c38a

C:\Users\Admin\AppData\Local\Temp\_MEI18322\base_library.zip

MD5 6e706e4fa21d90109df6fce1b2595155
SHA1 5328dd26b361d36239facff79baca1bab426de68
SHA256 ce9b9f16ce0d9abdbac3307115d91eaf279c5152336ccbe8830151b41c802998
SHA512 c7e377e2854ad5b5c3fb23593817ad6345bf8a78d842ff2a45c3be135fad6bb27b67c5b6c01b26e7c1b1b12ea0814f4f6b6a522bbfa689b89fa50d3652799b34

C:\Users\Admin\AppData\Local\Temp\_MEI18322\_uuid.pyd

MD5 b21b864e357ccd72f35f2814bd1e6012
SHA1 2ff0740c26137c6a81b96099c1f5209db33ac56a
SHA256 ce9e2a30c20e6b83446d9ba83bb83c5570e1b1da0e87ff467d1b4fc090da6c53
SHA512 29667eb0e070063ef28b7f8cc39225136065340ae358ad0136802770b2f48ac4bda5e60f2e2083f588859b7429b9ea3bad1596a380601e3b2b4bb74791df92a3

C:\Users\Admin\AppData\Local\Temp\_MEI18322\_ssl.pyd

MD5 e5b1a076e9828985ea8ea07d22c6abd0
SHA1 2a2827938a490cd847ea4e67e945deb4eef8cbb1
SHA256 591589dadc659d1ad4856d16cd25dc8e57eaa085bf68eb2929f8f93aba69db1b
SHA512 0afd20f581efb08a7943a1984e469f1587c96252e44b3a05ca3dfb6c7b8b9d1b9fd609e03a292de6ec63b6373aeacc822e30d550b2f2d35bf7bf8dd6fc11f54f

C:\Users\Admin\AppData\Local\Temp\_MEI18322\_socket.pyd

MD5 485d998a2de412206f04fa028fe6ba90
SHA1 286e29d4f91a46171ba1e3c8229e6de94b499f1d
SHA256 8f9ede5044643413c3b072cd31a565956498ca07cdd17fb6a04483d388fdad76
SHA512 68591522e9188f06ff81cd2b3506b40b9ad508d6e34f0111819bf5eff47ed9adf95ebfae5d05b685c4f53b186d15cc45e0d831d96be926f7a5762ee2f1341f1f

C:\Users\Admin\AppData\Local\Temp\_MEI18322\_lzma.pyd

MD5 3273720ddf2c5b75b072a1fb13476751
SHA1 5fe0a4f98e471eb801a57b8c987f0feb1781ca8b
SHA256 663f1087c2ed664c5995a3ffa64546d2e33a0fce8a9121b48cc7c056b74a2948
SHA512 919dbbfcc2f5913655d77f6c4ae9baa3a300153a5821dc9f23e0aceb89f69cb9fb86d6ce8f367b9301e0f7b6027e6b2f0911a2e73255ab5150a74b862f8af18e

C:\Users\Admin\AppData\Local\Temp\_MEI18322\_hashlib.pyd

MD5 ba682dfcdd600a4bb43a51a0d696a64c
SHA1 df85ad909e9641f8fcaa0f8f5622c88d904e9e20
SHA256 2ad55e11bddb5b65cdf6e9e126d82a3b64551f7ad9d4cbf74a1058fd7e5993bd
SHA512 79c607e58881d3c3dfb83886fe7aa4cddb5221c50499d33fe21e1efb0ffa1fd0d3f52cbe97b16b04fbe2b067d6eb5997ac66dec9d2a160d3cb6d44ffca0f5636

C:\Users\Admin\AppData\Local\Temp\_MEI18322\libcrypto-3.dll

MD5 e547cf6d296a88f5b1c352c116df7c0c
SHA1 cafa14e0367f7c13ad140fd556f10f320a039783
SHA256 05fe080eab7fc535c51e10c1bd76a2f3e6217f9c91a25034774588881c3f99de
SHA512 9f42edf04c7af350a00fa4fdf92b8e2e6f47ab9d2d41491985b20cd0adde4f694253399f6a88f4bdd765c4f49792f25fb01e84ec03fd5d0be8bb61773d77d74d

C:\Users\Admin\AppData\Local\Temp\_MEI18322\_decimal.pyd

MD5 e4e032221aca4033f9d730f19dc3b21a
SHA1 584a3b4bc26a323ce268a64aad90c746731f9a48
SHA256 23bdd07b84d2dbcb077624d6dcbfc66ab13a9ef5f9eebe31dc0ffece21b9e50c
SHA512 4a350ba9e8481b66e7047c9e6c68e6729f8074a29ef803ed8452c04d6d61f8f70300d5788c4c3164b0c8fb63e7c9715236c0952c3166b606e1c7d7fff36b7c4c

C:\Users\Admin\AppData\Local\Temp\_MEI18322\_bz2.pyd

MD5 37eace4b806b32f829de08db3803b707
SHA1 8a4e2bb2d04685856d1de95b00f3ffc6ea1e76b9
SHA256 1be51ef2b5acbe490217aa1ff12618d24b95df6136c6844714b9ca997b4c7f9b
SHA512 1591a263de16373ee84594943a0993721b1e1a2f56140d348a646347a8e9760930df4f632adcee9c9870f9c20d7818a3a8c61b956723bf94777e0b7fb7689b2d

C:\Users\Admin\AppData\Local\Temp\_MEI18322\select.pyd

MD5 e07ae2f7f28305b81adfd256716ae8c6
SHA1 9222cd34c14a116e7b9b70a82f72fc523ef2b2f6
SHA256 fb06ac13f8b444c3f7ae5d2af15710a4e60a126c3c61a1f1e1683f05f685626c
SHA512 acb143194ca465936a48366265ae3e11a2256aeae333c576c8c74f8ed9b60987daff81647aef74e236b30687a28bc7e3aa21c6aedbfa47b1501658a2bfd117b4

C:\Users\Admin\AppData\Local\Temp\_MEI18322\libssl-3.dll

MD5 19a2aba25456181d5fb572d88ac0e73e
SHA1 656ca8cdfc9c3a6379536e2027e93408851483db
SHA256 2e9fbcd8f7fdc13a5179533239811456554f2b3aa2fb10e1b17be0df81c79006
SHA512 df17dc8a882363a6c5a1b78ba3cf448437d1118ccc4a6275cc7681551b13c1a4e0f94e30ffb94c3530b688b62bff1c03e57c2c185a7df2bf3e5737a06e114337

C:\Users\Admin\AppData\Local\Temp\_MEI18322\unicodedata.pyd

MD5 5cc36a5de45a2c16035ade016b4348eb
SHA1 35b159110e284b83b7065d2cff0b5ef4ccfa7bf1
SHA256 f28ac3e3ad02f9e1d8b22df15fa30b2190b080261a9adc6855248548cd870d20
SHA512 9cccbf81e80c32976b7b2e0e3978e8f7350cce542356131b24ebab34b256efd44643d41ee4b2994b9152c2e5af302aa182a1889c99605140f47494a501ef46c1

C:\Users\Admin\AppData\Local\Temp\_MEI18322\VCRUNTIME140.dll

MD5 be8dbe2dc77ebe7f88f910c61aec691a
SHA1 a19f08bb2b1c1de5bb61daf9f2304531321e0e40
SHA256 4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83
SHA512 0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

memory/3232-1923-0x00000000007C0000-0x00000000008DC000-memory.dmp

memory/944-1935-0x0000000001780000-0x0000000001781000-memory.dmp

memory/832-1933-0x0000000005DD0000-0x0000000005DD1000-memory.dmp

memory/816-1929-0x000000001F270000-0x000000001F271000-memory.dmp

memory/696-1927-0x0000000003F60000-0x0000000003F61000-memory.dmp

memory/640-1925-0x0000000008520000-0x0000000008521000-memory.dmp

memory/1004-1937-0x000000003C460000-0x000000003C461000-memory.dmp

memory/1120-1954-0x0000000011490000-0x0000000011491000-memory.dmp

memory/1104-1952-0x0000000000B90000-0x0000000000B91000-memory.dmp

memory/560-1948-0x0000000030450000-0x0000000030451000-memory.dmp

memory/472-1939-0x0000000018E00000-0x0000000018E01000-memory.dmp

memory/1028-1950-0x000000001BEB0000-0x000000001BEB1000-memory.dmp

memory/1324-1965-0x00000000005A0000-0x00000000005A1000-memory.dmp

memory/1216-1961-0x0000000026380000-0x0000000026381000-memory.dmp

memory/1164-1959-0x00000000226B0000-0x00000000226B1000-memory.dmp

memory/1148-1957-0x0000000033FD0000-0x0000000033FD1000-memory.dmp

memory/1288-1963-0x0000000012DC0000-0x0000000012DC1000-memory.dmp

C:\Windows\Revert8Plus\Engine\ModsWritable\mod-task\5100_133773441462173777_472_local@r8p-w7basic-basic-themer

MD5 74e06930e5cf93604723de1cc4ff9294
SHA1 a723ad0a12a68c5d654e560b99b5c3b95568e3d6
SHA256 0330f7d59a2493099f64183a0252a1e6308dd4fb9bacabfb0ec7026f6605e12e
SHA512 52ead50e7efca4786ef6a3bad80792454c792464280ace788e98a38c04fa46bd50b4b4e3b0b88c5c75c84768d3b1c36574cd3426f18174d24111e4a3911f8ba8

memory/1436-1970-0x0000000027500000-0x0000000027501000-memory.dmp

memory/1488-1972-0x0000000003500000-0x0000000003501000-memory.dmp

memory/1692-1980-0x0000000010550000-0x0000000010551000-memory.dmp

memory/1656-1978-0x0000000010800000-0x0000000010801000-memory.dmp

memory/1588-1976-0x000000002DEE0000-0x000000002DEE1000-memory.dmp

memory/1572-1974-0x000000002B400000-0x000000002B401000-memory.dmp

memory/1960-1986-0x000000000D6B0000-0x000000000D6B1000-memory.dmp

memory/1792-1984-0x0000000002F20000-0x0000000002F21000-memory.dmp

memory/1768-1982-0x0000000021C40000-0x0000000021C41000-memory.dmp

memory/2036-1988-0x0000000039F50000-0x0000000039F51000-memory.dmp

memory/2044-1990-0x0000000016330000-0x0000000016331000-memory.dmp

memory/1904-1994-0x0000000037400000-0x0000000037401000-memory.dmp

memory/2108-1996-0x0000000001700000-0x0000000001701000-memory.dmp

C:\Windows\Revert8Plus\Engine\ModsWritable\mod-task\5100_133773441462173777_2648_local@r8p-vista-icon-resource-redirect

MD5 47ce5cc8ef5037c47e8329747291f58d
SHA1 1ff2f19a228f7aa5963d330e573bdcec4d9f6f02
SHA256 cf776aa95e30b00d8de42b7ff73240c2e649b5c5ce4011e66ce00384beb01860
SHA512 c6c98899f30a74940db95820440038c7dd9ee9ec1adf47fa2690526737e693355a16a6e4ef5f3e5e94f49b97cc099accf76c12d44178b695a4939262f66cabaf

C:\Windows\Revert8Plus\Engine\ModsWritable\mod-task\5100_133773441462173777_2704_local@r8p-vista-icon-resource-redirect

MD5 1d322b58ad45880eab1c25310f0de810
SHA1 c25a769b7028f1aaf4786737330b92cb59d2f50f
SHA256 52f9856bb2b529e49927c686d23ad1634244661767e407844bd3e9a5467fd853
SHA512 3b3d5a4fdea0b443f62f68314585c7a523bcfabbf8233938edc3118dc827ff750ca88b686cc1bcf0021f02c4854ceb17f55f739e40526ae521e34f4b3384d201

C:\Windows\Revert8Plus\Engine\ModsWritable\mod-task\5100_133773441462173777_3148_local@r8p-vista-icon-resource-redirect

MD5 d998d0750215b4cd033fbc188b3ed9d2
SHA1 d594c4e4d2cb2fc641cd3316dc6ee80b72580a42
SHA256 14f8c4fbf681f5d3e8fd82a4ce11e23fb84009305a728849cacfaa94a7d26eca
SHA512 f15695c6c4815e68ff40912b7a8a5d0ba0722e7f8c7ea4c7440ed1b1560c539b2ab014272baf45ce606d406cb7533be6b603069ad99aa9ce52f09c7511bcc783

C:\Windows\Revert8Plus\Engine\ModsWritable\mod-task\5100_133773441462173777_3984_local@r8p-uifile-override

MD5 3df4e77084d7b4a79705607b65cd2656
SHA1 c99333f9e1cd631056b94e6a9197c2e3682a28fb
SHA256 78cfefd5d7693e885c7ebb6a393e705a40360ec0cca6dce83acc2494066a4911
SHA512 fd219eac871b452f90b055ca5d53bcbd9bb61ff57ff5cf040287b5ef136506cd4d66e5894d2dedd86012cf613e654e84d617e2c7cfe8e9f02b856de00ab22991

C:\Windows\Revert8Plus\Engine\ModsWritable\mod-task\5100_133773441462173777_3232_local@r8p-vista-icon-resource-redirect

MD5 08af8ae25b5f2dc50ab38462bd6ea886
SHA1 5b36ac115e2493c17edd91ef40b5d17b509fa02a
SHA256 68eced46af34ce97d18052005a81282d09c6309bf305b7c2289add0d2f7359b4
SHA512 6249a7d9088bcf10402f1a23d140a3f94ebac18e1364e218e3f25cfd93b9a97ef1c6569facad9a595c549e8f4852abe372e946d2f3cd3906daacfa21cd48fdca

C:\Windows\Revert8Plus\Engine\ModsWritable\mod-task\5100_133773441462173777_3356_local@r8p-uifile-override

MD5 b80e1ebba4bf2c77f0a236ab6a268a7b
SHA1 a004be8b8777f644bbe65f6897840724e67379a9
SHA256 294865f8297419983edf4cf2335641c9a0436ec621bb20e92ec1ecb753add7f6
SHA512 53e82251f847f2c4ac4c9daa955072e9de072eb1b5748c79595fe1c2c2b99a2efeb4bc04e5edaff0780c2692365c38c82052ccc68a18bdfd9b81d321e365bf96

C:\Windows\Revert8Plus\Engine\ModsWritable\mod-task\5100_133773441462173777_1672_local@r8p-vista-icon-resource-redirect

MD5 b998b95f9374f7836d6582dc6bf316ff
SHA1 791be035cbf6c706879625182f32d46a7fad3ad6
SHA256 07dc662decee3bb8ce58a4bf3fc34152664288c3e64d76e63d6da4437fde5dbe
SHA512 612442e8f244a4a5d9aa2d57f1a66cca958a76b9344916b6a9bbc445a6090d372d3c2fab1ac6f4b0f94b84922f97a1784e672d2bdd8afaa3172b0e906dbde013

C:\Windows\Revert8Plus\Engine\ModsWritable\mod-task\5100_133773441462173777_2624_local@r8p-vista-icon-resource-redirect

MD5 078f277de088948e2586e45f86e25217
SHA1 0eb014f1eb984d89a51277f98e22a8855421c998
SHA256 16f557e11021a8fbdb6a73cd8daa276375817d095445196d0fc7281920c9bf24
SHA512 4aa8ef5d955fcde3d9d6130681051d1e9a3f61f47fdd7211874a9f025893465d6cc4b81b5f678c72e348be2e3bf0ed180645273970cec7917226fe5fb6a4adba

C:\Windows\Revert8Plus\Engine\ModsWritable\mod-task\5100_133773441462173777_5100_local@r8p-vista-aerexplorer

MD5 375218198b6f516a5e585c2223869533
SHA1 59786939c3e3c865584a75c031a58271806a618f
SHA256 86b6c518c57ca13ee8af66c028cfc718e077da7bf0b1ca1c8326289e4a2b42e5
SHA512 0fb3c5db0bffc6da75fe34c9dbd8b3080aac84cd67d559fc24895f97e15ddd7062b46f3e43f827ef273d1e3ceac2194fb346a0e881b9c8879da1b4d2241aa785

C:\Windows\Revert8Plus\Engine\ModsWritable\mod-task\5100_133773441462173777_4736_local@r8p-vista-sib-config

MD5 adb0c2841eac9f16b57b33092035cace
SHA1 136d7adde425ab8b94dd0d7281b1e9efed52ac3e
SHA256 9012fcb710b287804543e19f8354ff3f0dcc85e95db7735a7105c49a9e236376
SHA512 a00e8f5975226fd41006c163449c8be059d9746e2fba9e4216e62a933155867a92d1687d86e2c648ee2f40c75c431b34629b65fc66f585d92b264aaff41ed327

C:\Windows\Revert8Plus\Engine\ModsWritable\mod-task\5100_133773441462173777_2304_local@r8p-vista-icon-resource-redirect

MD5 a6efba8a398206830ccc2af9d18abd06
SHA1 eed92b5d2cd22e437c5822963286b0c762fbe4a0
SHA256 b28224b97c811401c6539267eef9c5e4484ab6c12b120c5bd263e99151b90040
SHA512 3b910e8da85b23bd9284fd997f3079b12b77baecb7bbc7868d669ed75825f017255b751a747d250e5fc4b11d4103cf1ff213290c08481d0ceea4fb99e7990e92

C:\Windows\Revert8Plus\Engine\ModsWritable\mod-task\5100_133773441462173777_1060_local@r8p-w7basic-dwm-unextend-frames

MD5 2754b0d71e29a7894c5ba16ccaddadf0
SHA1 b9bd604f9f7878d8543ae62161a23b997a840bac
SHA256 2b407f86596931bb23f3d2c03c3c013c6366749cee52450d629db488048fcc9f
SHA512 5b861b0f8f94d0d40a871919c379641c23e1fdd20d3b5268c6a96769165a7b5413865dc5ce9f6714404da78bd008f69201f99d253191de658ccb248df285778f

C:\Windows\Revert8Plus\Engine\ModsWritable\mod-task\5100_133773441462173777_4832_local@r8p-vista-icon-resource-redirect

MD5 f142390c58dcdff182ace07e3f9598ab
SHA1 36b158a5f004d9d4bc8238a227a5bc9b99f75f69
SHA256 f84b0ce448f2294bb1dff5f99a635e02733cec741d1571d8995e101e7e58eda3
SHA512 1d83ff4e118f839737cad54d599ed38d16c8bb6d93873ea947090b6908ca887ca79d0fb4983e8adfef810f541eebeb748d77ddc96f58a95e1f70fd32c19dfeab

C:\Windows\System32\wbem\Performance\WmiApRpl.h

MD5 b133a676d139032a27de3d9619e70091
SHA1 1248aa89938a13640252a79113930ede2f26f1fa
SHA256 ae2b6236d3eeb4822835714ae9444e5dcd21bc60f7a909f2962c43bc743c7b15
SHA512 c6b99e13d854ce7a6874497473614ee4bd81c490802783db1349ab851cd80d1dc06df8c1f6e434aba873a5bbf6125cc64104709064e19a9dc1c66dcde3f898f5

C:\Windows\System32\wbem\Performance\WmiApRpl.ini

MD5 ffdeea82ba4a5a65585103dd2a922dfe
SHA1 094c3794503245cc7dfa9e222d3504f449a5400b
SHA256 c20b11dff802aa472265f4e9f330244ec4aca81b0009f6efcb2cf8a36086f390
SHA512 7570527fdae4818f0fc780f9f141ab6a2d313cc6b3fdb1f7d7ff05d994ad77d3f8d168b1d77c2555d25dc487d24c18f2cc0eab505d1dd758d709f2576aac1a8a

C:\Windows\System32\perfc011.dat

MD5 5afbd30597a275ad6d5e98187742c01b
SHA1 4e9a82a388532a0fcb3671047504384e040b48a1
SHA256 26ee1d72642d1d79b307581e6027a259696d5e3299d9d6685153a68b8c58b61b
SHA512 6d2514d6a12809a7db4901b586b57e03b6e5b0cc4ecd1baeb4f5188ca033773f7ca077fa8e8beadcf82724fd16d9136c0fc252a0163b71a0ff0eae3363f2c0cf

C:\Windows\System32\perfh007.dat

MD5 3bd8043ff69087c78cf81f0aa082664f
SHA1 c669871201f05f6153dfa3f6a78d4609d818568e
SHA256 d1b8be34dfdff53435bcd3f176f7aa9f17aa8f1145c42edee1ed1eec9faf02b2
SHA512 a51d2bb5641aaff1ab091a1c331b6e515bb333d2dfa9f09662d35b2315e6fbd14932102167075cd8bdacf7c8f57fe7313f7b1639090070851c2ecf7662384d6d

C:\Windows\System32\perfc007.dat

MD5 6e71c59a539ba8c2d46c4c8f478edf8c
SHA1 868558341297d83b247f8be13b375541eb58b886
SHA256 4e4e1300a939cc5d58d0c6914410d5ad8eaf876571011fa1c6f0ce27bf59822d
SHA512 1a86ab970d99430334ba14cc14d75cb902f267e9e15019afcb64400ec6e4335adae3687a5916ccfec5fd0c82c89bfeeac2aed0c6aad693f35e7326f8fb158f9e

C:\Windows\System32\perfh00A.dat

MD5 ef8cce0162906b208cff1441fe71f927
SHA1 7a3f2d0dcb39698a6ec9190ea69f2ea01d76935e
SHA256 ba9df27d32c3fa43d6840146e28e5266908124efde25a4bf459d908c232a88a7
SHA512 35b3dbb9f5cd8b30aa0a26fdb29c562ae65ab9823ba477f082960a19d354a68729008e3c0cfce2f8cce66f6f5bab9fed7d6cbe62628c7a751bc4770a4560f5e8

C:\Windows\System32\perfc00A.dat

MD5 6c65a113c1d1dcbc5f7603db0134dcb7
SHA1 1eb93cc7aeb12860b63129a69b812b694748a816
SHA256 53d617778c1ba174c22b47fd2d84035aa28c58bdcab6c3f3224f3777d1d8e7ee
SHA512 67c438c141f7d6509db1d0bb17b312b66be8947a623580cc49fcb3000f7e402dda856ab1d422a68bbb25392d00902fef2bd31ce9cc491769205cdd7b31edf605

C:\Windows\System32\perfh009.dat

MD5 efeeda97e31eb12669293d78feaff451
SHA1 f3680730a9ed165f49be4a2b1be8477196f15afb
SHA256 a0ae9b96680526dd73b3469504eaeb3882c655e3f4557b9e120de1ddd8edb834
SHA512 452da0e9a2c17de87d5a0db150acf299310d684c50c4f16daa5f1c298267d76d990000a0bf4e5ffb2afe5769e74bfcdf351e8d68b933a432a9130cdcdd81f1b2

C:\Windows\System32\perfc010.dat

MD5 31f061dd23766fb40b15c9754bbc5a61
SHA1 1d6e9a4b87576e771c2c2157919236195aacf4d8
SHA256 2e69db7389943a3ed9aee54788510f229b1462c6281e2a3e54d8b7e83fa1a0df
SHA512 49af16e7d50be8025b3ecf6d4c965339ca4d4db29d3e606318c94f8f0e68d7914c57cb9ee78f5b8d35f5772c0b6e008b3196932785625019d28e6fe5d6ad7369

C:\Windows\System32\perfh011.dat

MD5 33cbb4d0e471fd527da2ded235fe9636
SHA1 aa9d9b062511eb38a1faf9a740f8fb709b02a7dd
SHA256 73174de99ccd45c2a8d818742ed313a55321186162005c0f2567e162954943a5
SHA512 a4c17182347bc3c5cce76562f26b27ac62e84c8589dd91d2840a452b6c593656f3d3a2fd5b7f207f32be0f5a0494bc44987fb70e6e8f3a756a0703df20baa93f

C:\Windows\System32\perfh010.dat

MD5 a583c28c05f94a635bd67fee2d905a27
SHA1 a4af858c69297cb8a59cade7da6e5a36b43e7548
SHA256 c70b892d93e93c37c826ba97459e8fb724e6c5cf6dc2288613430fc59c0c1eb0
SHA512 06626f291b69e044e8e44fa46576c0287e4df434cd07b0bdb1b162fed25ddef652e5ad8d08d984f2d7d4c027c8ee032eef485f7269f0a83e11c1fa61f80a5d67

C:\Windows\System32\perfh00C.dat

MD5 f5fd5898bda4a68842ec6c6a9088adec
SHA1 f974a58b258b438e79eb4bea3ae54a91f516a10a
SHA256 e962a408ff9a789b92bc1429637cb30e00fc47bfa3b06a7fd7b22646e1f5b872
SHA512 932e551597139b85b4faecfa9156e7e98d33b5dad4bd6f4c40504ced7b032c8fed223b81f056654a75c66a8326c51b28fef102ad55d5b224722f90c778b6ed98

C:\Windows\System32\perfc00C.dat

MD5 ac22e4ddfcafca323b25a78120008e1d
SHA1 1a22e811a017e48900633aaf28c8e3d0f647dcfb
SHA256 4ce9124ff763431485fd5dd8d2725f9baed086e9b94513f6ba7337ffe6f13308
SHA512 c1cd3db4455cd599ba8ce9e735a75622fdc6d7dca02409bdb1af00e2c47559191f64414a011bbfa11990eb7d0e67ec10edd8bdba9fdcb06ad3b4cb784f6d1bcf

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-29 08:48

Reported

2024-11-29 08:54

Platform

win11-20241007-en

Max time kernel

145s

Max time network

157s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Styles\Vista-Redstone\Shell\NormalColor\en-US\shellstyle.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Styles\Vista-Redstone\Shell\NormalColor\en-US\shellstyle.dll,#1

Network

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-29 08:48

Reported

2024-11-29 08:53

Platform

win11-20241007-en

Max time kernel

140s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Styles\Vista-Redstone\Shell\NormalColor\shellstyle.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Styles\Vista-Redstone\Shell\NormalColor\shellstyle.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-11-29 08:48

Reported

2024-11-29 08:54

Platform

win11-20241007-en

Max time kernel

146s

Max time network

156s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Styles\Vista-W11\Shell\NormalColor\shellstyle.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Styles\Vista-W11\Shell\NormalColor\shellstyle.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-11-29 08:48

Reported

2024-11-29 08:53

Platform

win11-20241007-en

Max time kernel

82s

Max time network

98s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Styles\W7Basic-Redstone\shell\NormalColor\en-US\shellstyle.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Styles\W7Basic-Redstone\shell\NormalColor\en-US\shellstyle.dll,#1

Network

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-11-29 08:48

Reported

2024-11-29 08:53

Platform

win11-20241007-en

Max time kernel

84s

Max time network

96s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Styles\W7Dark2-Redstone\shell\NormalColor\en-US\shellstyle.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Styles\W7Dark2-Redstone\shell\NormalColor\en-US\shellstyle.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2024-11-29 08:48

Reported

2024-11-29 08:53

Platform

win11-20241007-en

Max time kernel

84s

Max time network

94s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Styles\W7Dark2-W11\shell\NormalColor\shellstyle.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Styles\W7Dark2-W11\shell\NormalColor\shellstyle.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral29

Detonation Overview

Submitted

2024-11-29 08:48

Reported

2024-11-29 08:53

Platform

win11-20241007-en

Max time kernel

150s

Max time network

97s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4884 wrote to memory of 1072 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 4884 wrote to memory of 1072 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 4884 wrote to memory of 1072 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1072 wrote to memory of 3860 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1072 wrote to memory of 3860 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1072 wrote to memory of 3860 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 3860 wrote to memory of 3260 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 3860 wrote to memory of 3260 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 3860 wrote to memory of 3260 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 3260 wrote to memory of 2444 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 3260 wrote to memory of 2444 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 3260 wrote to memory of 2444 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2444 wrote to memory of 1908 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2444 wrote to memory of 1908 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2444 wrote to memory of 1908 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1908 wrote to memory of 1460 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1908 wrote to memory of 1460 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1908 wrote to memory of 1460 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1460 wrote to memory of 3540 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1460 wrote to memory of 3540 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1460 wrote to memory of 3540 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 3540 wrote to memory of 3856 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 3540 wrote to memory of 3856 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 3540 wrote to memory of 3856 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 3856 wrote to memory of 4988 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 3856 wrote to memory of 4988 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 3856 wrote to memory of 4988 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 4988 wrote to memory of 336 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 4988 wrote to memory of 336 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 4988 wrote to memory of 336 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 336 wrote to memory of 236 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 336 wrote to memory of 236 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 336 wrote to memory of 236 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 236 wrote to memory of 5072 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 236 wrote to memory of 5072 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 236 wrote to memory of 5072 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 5072 wrote to memory of 3512 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 5072 wrote to memory of 3512 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 5072 wrote to memory of 3512 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 3512 wrote to memory of 4376 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 3512 wrote to memory of 4376 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 3512 wrote to memory of 4376 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 4376 wrote to memory of 3040 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 4376 wrote to memory of 3040 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 4376 wrote to memory of 3040 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 3040 wrote to memory of 4268 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 3040 wrote to memory of 4268 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 3040 wrote to memory of 4268 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 4268 wrote to memory of 4740 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 4268 wrote to memory of 4740 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 4268 wrote to memory of 4740 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 4740 wrote to memory of 2212 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 4740 wrote to memory of 2212 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 4740 wrote to memory of 2212 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2212 wrote to memory of 2124 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2212 wrote to memory of 2124 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2212 wrote to memory of 2124 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2124 wrote to memory of 4632 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2124 wrote to memory of 4632 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2124 wrote to memory of 4632 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 4632 wrote to memory of 2472 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 4632 wrote to memory of 2472 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 4632 wrote to memory of 2472 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2472 wrote to memory of 4560 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe


C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1

(This identical process entry, 32-bit SysWOW64 rundll32.exe invoking duires.dll by ordinal #1 from the user's Temp directory, occurs 128 times in a row at this point in the process list; the repeats have been collapsed into the single entry above.)

Network

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-11-29 08:48

Reported

2024-11-29 08:54

Platform

win11-20241007-en

Max time kernel

82s

Max time network

99s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Styles\Vista-W11\Shell\NormalColor\en-US\shellstyle.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Styles\Vista-W11\Shell\NormalColor\en-US\shellstyle.dll,#1

Network

Files

N/A
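The two command lines in this report share one shape: rundll32.exe loading a DLL from under C:\Users\Admin\AppData\Local\Temp and calling its export by ordinal (,#1) rather than by name, in one case from the 32-bit SysWOW64 rundll32 and spawned repeatedly. The following is an added example, not part of the sandbox report or its tooling: a small Python triage that scores process-creation events of the (image path, command line) form used in the Processes sections above, flags ordinal exports and user-writable DLL paths, records whether the SysWOW64 image was used, and collapses identical spawns into one finding with a count. The event list, the path markers and the burst threshold of 10 are constructed assumptions for the example, not data taken from the report.

```python
"""Added triage helper (not part of the sandbox report): scores rundll32
process-creation events like the Processes entries above and collapses
identical spawns into one finding with a count."""
import re
from collections import Counter

# Matches "rundll32[.exe] <dll>,<entry>" where <dll> may be quoted and
# <entry> is an export name or an ordinal written as #N.
_RUNDLL_RE = re.compile(
    r'^\s*"?(?:[^"\s]*[\\/])?rundll32(?:\.exe)?"?\s+'
    r'(?P<dll>"[^"]+"|[^,\s]+),(?P<entry>#?\w+)',
    re.IGNORECASE,
)

# Assumed markers for user-writable locations a rundll32 payload should not
# normally live in (the report's DLLs sit under AppData\Local\Temp).
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def parse_rundll32(cmdline):
    """Return {'dll', 'entry', 'by_ordinal'} for a rundll32 command line, else None."""
    m = _RUNDLL_RE.match(cmdline)
    if not m:
        return None
    entry = m.group("entry")
    return {"dll": m.group("dll").strip('"'), "entry": entry, "by_ordinal": entry.startswith("#")}


def is_user_writable(path):
    """True when the DLL path contains one of the assumed user-writable markers."""
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE_MARKERS)


def triage_event(image, cmdline):
    """Score one (image path, command line) event; None if it is not rundll32."""
    parsed = parse_rundll32(cmdline)
    if parsed is None:
        return None
    flags = []
    if parsed["by_ordinal"]:
        flags.append("export invoked by ordinal (%s), hiding the function name" % parsed["entry"])
    if is_user_writable(parsed["dll"]):
        flags.append("DLL loaded from a user-writable path")
    return {
        "dll": parsed["dll"],
        "flags": flags,
        # SysWOW64\rundll32.exe means a 32-bit DLL on a 64-bit host; useful for
        # picking the right rundll32 image when hunting, not suspicious by itself.
        "wow64": "syswow64" in image.lower(),
    }


def summarize(events, burst_threshold=10):
    """Group identical events, keep those with flags, note bursts of identical spawns."""
    findings = []
    for (image, cmdline), n in Counter(events).items():
        t = triage_event(image, cmdline)
        if t is None or not t["flags"]:
            continue
        flags = list(t["flags"])
        if n >= burst_threshold:  # the process list above shows exactly this pattern
            flags.append("spawned %d times with an identical command line" % n)
        findings.append({"image": image, "cmdline": cmdline, "dll": t["dll"],
                         "count": n, "wow64": t["wow64"], "flags": flags})
    return findings


# Constructed sample events modelled on the report's entries plus two benign ones.
SAMPLE_EVENTS = (
    [(r"C:\Windows\SysWOW64\rundll32.exe",
      r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\duires.dll,#1")] * 12
    + [(r"C:\Windows\system32\rundll32.exe",
        r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\Styles\Vista-W11\Shell\NormalColor\en-US\shellstyle.dll,#1"),
       (r"C:\Windows\system32\rundll32.exe", r"rundll32.exe shell32.dll,Control_RunDLL"),
       (r"C:\Windows\system32\rundll32.exe", r'rundll32.exe "C:\Program Files\Vendor\helper.dll",Init')]
)


def main():
    for f in summarize(SAMPLE_EVENTS):
        print("%s  x%d  (wow64=%s)" % (f["dll"], f["count"], f["wow64"]))
        for flag in f["flags"]:
            print("  - " + flag)


if __name__ == "__main__":
    main()
```

On a real host the same two fields come from Sysmon Event ID 1 (Image and CommandLine) or from Security event 4688 with command-line auditing enabled; feed those pairs to summarize() in place of SAMPLE_EVENTS. The ordinal check alone is noisy, since some legitimate installers call exports by ordinal, so the example only reports an event when at least one flag fires and lets the path and burst flags carry the weight; in the report's own data all three fire for duires.dll.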