asyncrat | f989ddf3ad9954b4c903af0e3a72a10c7727882bcba27d744b29c243df43516c

Analysis

max time kernel
110s
max time network
95s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250217-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250217-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
27/02/2025, 01:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

lossless scaling.zip
Size

5.6MB
MD5

e5e78617aefb2291b0f2d7eb8a7778c2
SHA1

1669eb4bb944754c2d7ee37d482ba93487ba7193
SHA256

f989ddf3ad9954b4c903af0e3a72a10c7727882bcba27d744b29c243df43516c
SHA512

3f8421b9a94a06d54f6e38f786e81644e6ec9c24ee25e19121b3f8ae2ac9262cc4f20d508f6579d53b772026a936f318d2626753f3e850624d21ff92d4aa58d8
SSDEEP

98304:CMp9p80wyXWSimVm1r3W+q2sGNZqyKbPAoGYD6uRnmGuglGW/DnDUxoulB:JsdYWSZ9+hLqRbPnD6qPuz+4

Score

10^/10

asyncrat default defense_evasion execution rat trojan

Malware Config

Extracted

Family

asyncrat

Version

A 14

Botnet

Default

mhmad1.accesscam.org:404

aliweq.ddnsgeek.com:404

mhmad1.work.gd:404

Mutex

MaterxMutex_Egypt404

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

UAC bypass 3 TTPs 1 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
3696	powershell.exe
1456	powershell.exe
2600	powershell.exe
3852	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3452737631-513087862-588053281-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3452737631-513087862-588053281-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 3 IoCs

pid	Process
1956	LosslessScaling.exe
1768	RAR.exe
4296	dismhost.exe

Loads dropped DLL 20 IoCs

pid	Process
1956	LosslessScaling.exe
4296	dismhost.exe
4296	dismhost.exe
4296	dismhost.exe
4296	dismhost.exe
4296	dismhost.exe
4296	dismhost.exe
4296	dismhost.exe
4296	dismhost.exe
4296	dismhost.exe
4296	dismhost.exe
4296	dismhost.exe
4296	dismhost.exe
4296	dismhost.exe
4296	dismhost.exe
4296	dismhost.exe
4296	dismhost.exe
4296	dismhost.exe
4296	dismhost.exe
4296	dismhost.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	cmd.exe

Drops file in Program Files directory 31 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Lossless Scaling\bg\LosslessScaling.resources.dll	powershell.exe
File created	C:\Program Files (x86)\Lossless Scaling\cs\LosslessScaling.resources.dll	powershell.exe
File created	C:\Program Files (x86)\Lossless Scaling\ja\LosslessScaling.resources.dll	powershell.exe
File created	C:\Program Files (x86)\Lossless Scaling\zh-TW\LosslessScaling.resources.dll	powershell.exe
File created	C:\Program Files (x86)\Lossless Scaling\Lossless.dll	powershell.exe
File created	C:\Program Files (x86)\Lossless Scaling\de\LosslessScaling.resources.dll	powershell.exe
File created	C:\Program Files (x86)\Lossless Scaling\id\LosslessScaling.resources.dll	powershell.exe
File created	C:\Program Files (x86)\Lossless Scaling\uk\LosslessScaling.resources.dll	powershell.exe
File created	C:\Program Files (x86)\Lossless Scaling\Lan.vbs	powershell.exe
File created	C:\Program Files (x86)\Lossless Scaling\Licenses.txt	powershell.exe
File created	C:\Program Files (x86)\Lossless Scaling\pl\LosslessScaling.resources.dll	powershell.exe
File created	C:\Program Files (x86)\Lossless Scaling\pt-PT\LosslessScaling.resources.dll	powershell.exe
File created	C:\Program Files (x86)\Lossless Scaling\sr-Latn\LosslessScaling.resources.dll	powershell.exe
File created	C:\Program Files (x86)\Lossless Scaling\tr\LosslessScaling.resources.dll	powershell.exe
File created	C:\Program Files (x86)\Lossless Scaling\vi\LosslessScaling.resources.dll	powershell.exe
File created	C:\Program Files (x86)\Lossless Scaling\Lossless Scaling.lnk	powershell.exe
File created	C:\Program Files (x86)\Lossless Scaling\ar\LosslessScaling.resources.dll	powershell.exe
File created	C:\Program Files (x86)\Lossless Scaling\he\LosslessScaling.resources.dll	powershell.exe
File created	C:\Program Files (x86)\Lossless Scaling\it\LosslessScaling.resources.dll	powershell.exe
File created	C:\Program Files (x86)\Lossless Scaling\LosslessScaling.exe	powershell.exe
File created	C:\Program Files (x86)\Lossless Scaling\lt\LosslessScaling.resources.dll	powershell.exe
File created	C:\Program Files (x86)\Lossless Scaling\ro\LosslessScaling.resources.dll	powershell.exe
File created	C:\Program Files (x86)\Lossless Scaling\zh-CN\LosslessScaling.resources.dll	powershell.exe
File created	C:\Program Files (x86)\Lossless Scaling\fa\LosslessScaling.resources.dll	powershell.exe
File created	C:\Program Files (x86)\Lossless Scaling\fr\LosslessScaling.resources.dll	powershell.exe
File created	C:\Program Files (x86)\Lossless Scaling\hr\LosslessScaling.resources.dll	powershell.exe
File created	C:\Program Files (x86)\Lossless Scaling\es-ES\LosslessScaling.resources.dll	powershell.exe
File created	C:\Program Files (x86)\Lossless Scaling\pt-BR\LosslessScaling.resources.dll	powershell.exe
File created	C:\Program Files (x86)\Lossless Scaling\ko\LosslessScaling.resources.dll	powershell.exe
File created	C:\Program Files (x86)\Lossless Scaling\LosslessScaling.exe.config	powershell.exe
File created	C:\Program Files (x86)\Lossless Scaling\config.ini	powershell.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\DISM\dism.log	Dism.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	dismhost.exe
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Control Panel 1 IoCs

defense_evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3452737631-513087862-588053281-1000\Control Panel\Colors	LosslessScaling.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3452737631-513087862-588053281-1000_Classes\Local Settings	powershell.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2684	reg.exe

Runs net.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4540	schtasks.exe
1252	schtasks.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
3696	powershell.exe
3696	powershell.exe
1456	powershell.exe
1456	powershell.exe
1956	LosslessScaling.exe
1956	LosslessScaling.exe
1456	powershell.exe
1456	powershell.exe
3852	powershell.exe
3852	powershell.exe
3852	powershell.exe
2600	powershell.exe
2600	powershell.exe
2600	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4920	7zFM.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	4920	7zFM.exe
Token: 35	4920	7zFM.exe
Token: SeDebugPrivilege	3696	powershell.exe
Token: SeDebugPrivilege	1456	powershell.exe
Token: SeDebugPrivilege	1956	LosslessScaling.exe
Token: SeIncreaseQuotaPrivilege	1456	powershell.exe
Token: SeSecurityPrivilege	1456	powershell.exe
Token: SeTakeOwnershipPrivilege	1456	powershell.exe
Token: SeLoadDriverPrivilege	1456	powershell.exe
Token: SeSystemProfilePrivilege	1456	powershell.exe
Token: SeSystemtimePrivilege	1456	powershell.exe
Token: SeProfSingleProcessPrivilege	1456	powershell.exe
Token: SeIncBasePriorityPrivilege	1456	powershell.exe
Token: SeCreatePagefilePrivilege	1456	powershell.exe
Token: SeBackupPrivilege	1456	powershell.exe
Token: SeRestorePrivilege	1456	powershell.exe
Token: SeShutdownPrivilege	1456	powershell.exe
Token: SeDebugPrivilege	1456	powershell.exe
Token: SeSystemEnvironmentPrivilege	1456	powershell.exe
Token: SeRemoteShutdownPrivilege	1456	powershell.exe
Token: SeUndockPrivilege	1456	powershell.exe
Token: SeManageVolumePrivilege	1456	powershell.exe
Token: 33	1456	powershell.exe
Token: 34	1456	powershell.exe
Token: 35	1456	powershell.exe
Token: 36	1456	powershell.exe
Token: SeIncreaseQuotaPrivilege	1456	powershell.exe
Token: SeSecurityPrivilege	1456	powershell.exe
Token: SeTakeOwnershipPrivilege	1456	powershell.exe
Token: SeLoadDriverPrivilege	1456	powershell.exe
Token: SeSystemProfilePrivilege	1456	powershell.exe
Token: SeSystemtimePrivilege	1456	powershell.exe
Token: SeProfSingleProcessPrivilege	1456	powershell.exe
Token: SeIncBasePriorityPrivilege	1456	powershell.exe
Token: SeCreatePagefilePrivilege	1456	powershell.exe
Token: SeBackupPrivilege	1456	powershell.exe
Token: SeRestorePrivilege	1456	powershell.exe
Token: SeShutdownPrivilege	1456	powershell.exe
Token: SeDebugPrivilege	1456	powershell.exe
Token: SeSystemEnvironmentPrivilege	1456	powershell.exe
Token: SeRemoteShutdownPrivilege	1456	powershell.exe
Token: SeUndockPrivilege	1456	powershell.exe
Token: SeManageVolumePrivilege	1456	powershell.exe
Token: 33	1456	powershell.exe
Token: 34	1456	powershell.exe
Token: 35	1456	powershell.exe
Token: 36	1456	powershell.exe
Token: SeIncreaseQuotaPrivilege	1456	powershell.exe
Token: SeSecurityPrivilege	1456	powershell.exe
Token: SeTakeOwnershipPrivilege	1456	powershell.exe
Token: SeLoadDriverPrivilege	1456	powershell.exe
Token: SeSystemProfilePrivilege	1456	powershell.exe
Token: SeSystemtimePrivilege	1456	powershell.exe
Token: SeProfSingleProcessPrivilege	1456	powershell.exe
Token: SeIncBasePriorityPrivilege	1456	powershell.exe
Token: SeCreatePagefilePrivilege	1456	powershell.exe
Token: SeBackupPrivilege	1456	powershell.exe
Token: SeRestorePrivilege	1456	powershell.exe
Token: SeShutdownPrivilege	1456	powershell.exe
Token: SeDebugPrivilege	1456	powershell.exe
Token: SeSystemEnvironmentPrivilege	1456	powershell.exe
Token: SeRemoteShutdownPrivilege	1456	powershell.exe
Token: SeUndockPrivilege	1456	powershell.exe
Token: SeManageVolumePrivilege	1456	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1956	LosslessScaling.exe

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 736 wrote to memory of 5076	736	cmd.exe	103
PID 736 wrote to memory of 5076	736	cmd.exe	103
PID 5076 wrote to memory of 3000	5076	net.exe	104
PID 5076 wrote to memory of 3000	5076	net.exe	104
PID 736 wrote to memory of 3696	736	cmd.exe	105
PID 736 wrote to memory of 3696	736	cmd.exe	105
PID 3696 wrote to memory of 1456	3696	powershell.exe	106
PID 3696 wrote to memory of 1456	3696	powershell.exe	106
PID 1456 wrote to memory of 2684	1456	powershell.exe	107
PID 1456 wrote to memory of 2684	1456	powershell.exe	107
PID 1456 wrote to memory of 1956	1456	powershell.exe	108
PID 1456 wrote to memory of 1956	1456	powershell.exe	108
PID 1456 wrote to memory of 4716	1456	powershell.exe	112
PID 1456 wrote to memory of 4716	1456	powershell.exe	112
PID 1456 wrote to memory of 2440	1456	powershell.exe	113
PID 1456 wrote to memory of 2440	1456	powershell.exe	113
PID 1456 wrote to memory of 1768	1456	powershell.exe	114
PID 1456 wrote to memory of 1768	1456	powershell.exe	114
PID 1456 wrote to memory of 4964	1456	powershell.exe	116
PID 1456 wrote to memory of 4964	1456	powershell.exe	116
PID 1456 wrote to memory of 4772	1456	powershell.exe	117
PID 1456 wrote to memory of 4772	1456	powershell.exe	117
PID 1456 wrote to memory of 1704	1456	powershell.exe	118
PID 1456 wrote to memory of 1704	1456	powershell.exe	118
PID 4772 wrote to memory of 2600	4772	WScript.exe	119
PID 4772 wrote to memory of 2600	4772	WScript.exe	119
PID 4964 wrote to memory of 3852	4964	WScript.exe	121
PID 4964 wrote to memory of 3852	4964	WScript.exe	121
PID 1456 wrote to memory of 1252	1456	powershell.exe	123
PID 1456 wrote to memory of 1252	1456	powershell.exe	123
PID 1456 wrote to memory of 4264	1456	powershell.exe	124
PID 1456 wrote to memory of 4264	1456	powershell.exe	124
PID 4264 wrote to memory of 4296	4264	Dism.exe	125
PID 4264 wrote to memory of 4296	4264	Dism.exe	125

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\lossless scaling.zip"
1⤵
PID:3948

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:4920

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""D:\install + Crack.bat" "
1⤵
- Enumerates connected drives
- Suspicious use of WriteProcessMemory
PID:736
- C:\Windows\system32\net.exe
  net session
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5076
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 session
    3⤵
    PID:3000
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "$b='"cG93ZXJzaGVsbCAtRXhlY3V0aW9uUG9saWN5IEJ5cGFzcyAtRmlsZSBsYW5ndWFnZS93aW5feC5wczE="';Invoke-Expression([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($b)))"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3696
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File language/win_x.ps1
    3⤵
    - UAC bypass
    - Command and Scripting Interpreter: PowerShell
    - Drops file in Program Files directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1456
  - - C:\Windows\system32\reg.exe
      "C:\Windows\system32\reg.exe" ADD HKCU\SOFTWARE\Valve\Steam\Apps\993090 /v Installed /t REG_DWORD /d 1 /f
      4⤵
      Modifies registry key
      PID:2684
  - - C:\Program Files (x86)\Lossless Scaling\LosslessScaling.exe
      "C:\Program Files (x86)\Lossless Scaling\LosslessScaling.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Modifies Control Panel
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:1956
  - - C:\Windows\system32\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /query /tn administrator
      4⤵
      PID:4716
  - - C:\Windows\system32\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /query /tn Backup1
      4⤵
      PID:2440
  - - C:\Users\Public\IObitUnlocker\RAR.exe
      "C:\Users\Public\IObitUnlocker\RAR.exe" x -pahmad..123 -o+ C:\Users\Public\IObitUnlocker\EN.dll C:\Users\Public\IObitUnlocker\
      4⤵
      Executes dropped EXE
      PID:1768
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Public\IObitUnlocker\Loader.vbs"
      4⤵
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:4964
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass iex([IO.File]::ReadAllText('C:\Users\Public\IObitUnlocker\Report.ps1'))
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:3852
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
        6⤵
        
        PID:5028
      - C:\Windows\system32\schtasks.exe
        
        "C:\Windows\system32\schtasks.exe" /query /tn administrator
        6⤵
        
        PID:2036
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Public\IObitUnlocker\Backup.vbs"
      4⤵
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:4772
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass iex([IO.File]::ReadAllText('C:\Users\Public\IObitUnlocker\Report.ps1'))
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2600
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
        6⤵
        
        PID:3148
      - C:\Windows\system32\schtasks.exe
        
        "C:\Windows\system32\schtasks.exe" /query /tn administrator
        6⤵
        
        PID:100
      - C:\Windows\system32\schtasks.exe
        
        "C:\Windows\system32\schtasks.exe" /create /tn administrator /sc minute /mo 2 /tr C:\Users\Public\IObitUnlocker\Loader.vbs /rl HIGHEST
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4540
  - - C:\Windows\system32\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /query /tn Backup1
      4⤵
      PID:1704
  - - C:\Windows\system32\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /create /tn administartor /SC minute /MO 2 /tr C:\Users\Public\IObitUnlocker\Loader.vbs /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1252
  - - C:\Windows\system32\Dism.exe
      "C:\Windows\system32\Dism.exe" /Online /Enable-Feature /FeatureName:NetFx3
      4⤵
      Drops file in Windows directory
      Suspicious use of WriteProcessMemory
      PID:4264
    - - C:\Users\Admin\AppData\Local\Temp\CFB82188-E039-4AB4-BE21-FEAD2894CA32\dismhost.exe
        
        C:\Users\Admin\AppData\Local\Temp\CFB82188-E039-4AB4-BE21-FEAD2894CA32\dismhost.exe {85FAF77A-5A08-4796-A31E-BF5A0F269CD4}
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:4296

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.4467_none_7e0f83e07c8c1985\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.4467_none_7e0f83e07c8c1985\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:4684

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:4648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Lossless Scaling\Lossless.dll

Filesize
4.3MB

MD5
7969a2cbc4c31ccfb1ab8213f19501b9

SHA1
06a24af6e922ba2cd7fccb76ce2f43271a9af8b6

SHA256
486a48562504a274e984599a5931de200ea73bf6bc4c83bf6ca8daa651e80a68

SHA512
935988a39c1af479e971850f6758ee94098b35f173da609206312deeabeb3bc9466f93d1dad4e6d7938235f65fc52fdbd56058d46c1ba775d31718358eb6d8fa

Download Submit
C:\Program Files (x86)\Lossless Scaling\LosslessScaling.exe

Filesize
953KB

MD5
2c98d33096e97094cbbbd19f27f40883

SHA1
7e28af9d119d2658f962e3b28140c6081be1612b

SHA256
010ac1120a88a772e87d9e9018aa5db034a9bac9399803d4a7c4db3c47a71df6

SHA512
f9070ad6b2e3295fdde13aa8d7486147a7f9a675a924ad3bf117479baf5b573cf92650199e58378dd8345a28ab890bbd5021d374030c24836bfa65bb037dddc7

Download Submit
C:\Users\Admin\AppData\Local\Lossless Scaling\Settings.xml

Filesize
2KB

MD5
45fed0a3bcbc889ca99d0c5943210e7e

SHA1
602584366a413cb9ae459b6c3231190cd787241e

SHA256
9812fe8104a86e693d6baa02a4cdb56ea9a4aedb500b050346eb5ec6bda8dd09

SHA512
d0728fcce9484daedb2c9552ee2a818f7cccbeb1e9bca24a1c4fc1ca6e8c181c46cdc89670bfee3d6ad219ea6f69750bd03f776af4f9e4667872c66c11dbd255

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
b591c1a300d7d03e9b2d26f3b16bd5e0

SHA1
e0ab3e1174b706b4febf716f6f18a29dfa7a741a

SHA256
2684f2a69e97cdb52b953484129633c5a44b38fc8154edcff7a8c9248d7f5efe

SHA512
e9a2e85622470c609dd0c640620d3a7c59261960b533f31d02181e7c09b6d693e8bd7521850dcfd0e5c30da95862679948ad5a45536be166fc9a504d474c0e68

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d576ef0632de90f6c7bd6a7d90ed750d

SHA1
2651719b5f980a86782c175ead518f9e7d36ad80

SHA256
3a7056be0950628cc588b965a8d4e03a90c65edb389dd4d0f2e8d582c3970497

SHA512
6a25856101ac7eacdbb83004f994f70b7a92a548554b09b108cac4c491639188883620a69aa468497b0041a4f0028f34fdb935da3435cd2295222000935b6a20

Download Submit
C:\Users\Admin\AppData\Local\Temp\CFB82188-E039-4AB4-BE21-FEAD2894CA32\AppxProvider.dll

Filesize
574KB

MD5
eb9cbac1aa278b6a8afdb95a9feb4dcc

SHA1
9f12442d4cab56ab451d3954783632f77be7f8e4

SHA256
1bf704107250f4c08fdf2c450d4ab402ba5317a8c026cddf98c0ce225f487d4c

SHA512
ea86c2360622401aa61c8932571df2dbf6c5fcc438d5b1048d61cfe9542cba0b74c1454dced6a13a7cd20fbbe5cbaa0b1432b8e4a6feb6702fd0b7cc37b436f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\CFB82188-E039-4AB4-BE21-FEAD2894CA32\AssocProvider.dll

Filesize
113KB

MD5
b7db592706d3eefbcf0d5a166d462e56

SHA1
935123fda68594f0c52a765c4bbf468e4458189f

SHA256
de21321272862e7c332e1724dc315f06f3abe7a0340e61d351cab208d6bbf059

SHA512
91a1529db5816695c4424eaf71923ec63430b872cb1e179b6fa63c84acf0ac94baf71f39217f6c28818cd74fcad954a29f1e2efe655c5a0353f7aafdf8740f0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\CFB82188-E039-4AB4-BE21-FEAD2894CA32\CbsProvider.dll

Filesize
918KB

MD5
57a9a702d5f51b625a869cb6ac0ede0f

SHA1
e5db4003f5a82ea666bbd70083edcb9ca38446b4

SHA256
b19a6d57b76593369e7e06cbcc5bcfd03e18adaa3934fd59c8705213fb5779ee

SHA512
818420f8196f964a2998b1176e87399f3d473237112b877c4e5662b3f601f8492fec3ec2ecd39822bfa12134cc2dd85ddc9e1409ea15ae6b58d8021c69840a85

Download Submit
C:\Users\Admin\AppData\Local\Temp\CFB82188-E039-4AB4-BE21-FEAD2894CA32\DismCorePS.dll

Filesize
187KB

MD5
35a07968ec37231249f3f072ae555e3a

SHA1
a6b5be5daff384d24e68c7d3d540e9edd1e95ce8

SHA256
e5f25e5a170cb3d165c3d143eae967b96ab80f88fb09176da8591b0b68c77e00

SHA512
4806377c40eb0604410bf4760a3bf3ed99a1506af023977f6ad04090d790818034f8ffaeb6f51cf3a16a2109e0f567ddf5d182a50468481a2ed9adb2fe899261

Download Submit
C:\Users\Admin\AppData\Local\Temp\CFB82188-E039-4AB4-BE21-FEAD2894CA32\DismHost.exe

Filesize
143KB

MD5
97cb1e2fcab378421c4b91df0c9f8310

SHA1
1227ce5f3a75bbbcba54708fcf73a131b0887a29

SHA256
e36bcf02bc11f560761e943d0fad37417078f6cbb473f85c72fcbc89e2600c58

SHA512
1b4668daacbebbe79bedc508f81f0e5ff0545c5823f05c7a403f4e8eb58bbf866f975b8e41a9148f6455243fe180c1afa32cd6b337f7d73ba0cbdf00f7e32de6

Download Submit
C:\Users\Admin\AppData\Local\Temp\CFB82188-E039-4AB4-BE21-FEAD2894CA32\DismProv.dll

Filesize
256KB

MD5
ab0dbc4f05b33eaaa447e31accab8d21

SHA1
7064962fbc7e1fdf0cbb13a44e587e28168cd299

SHA256
6a3c3f07bddbc3079873f8799f2c19adddc59f15d6b2dba6e9314e5626bfd2a0

SHA512
a4fea2a0d5a9da86cc1f3868882a4ac661581a77f57251ea073259e0421d6f047b9da7b19e3916a970d7ecda652b4d51d0e64c7ef5d59338eb209b580be85b24

Download Submit
C:\Users\Admin\AppData\Local\Temp\CFB82188-E039-4AB4-BE21-FEAD2894CA32\DmiProvider.dll

Filesize
416KB

MD5
0c2e5696f987350b0ae36e692d10ffb2

SHA1
31b0eb2cca497dc532a61bcefe1813641049a0e6

SHA256
52fd26a88d386b906cd1034df69618195e98a3a2743fe4aa185c461b24d5eba3

SHA512
1f20c7002fec8cd7395a93e204f6b3bd33ea4b2d693cd0b04554ab6ffe6458505289c92914bfb56850f5ba43bc60be3a436f6a7b0268dcd8542ca767b2d5cf31

Download Submit
C:\Users\Admin\AppData\Local\Temp\CFB82188-E039-4AB4-BE21-FEAD2894CA32\GenericProvider.dll

Filesize
150KB

MD5
972025e2a66cb9a86173223c70ef5421

SHA1
aea2430707dd822904b5762d3e3d9dcc4ca0bab0

SHA256
ba683e9cf490d59aa1092e9f29196d6b48702ce8913d19f167870907ff50c424

SHA512
27e45bda0e699b0cd660b1ccd5873238ab2137067dc3b595a67e8632812642edc6f06da9169f5e38152b921cef47924e75226655adf9b71f64e509a91879a1f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\CFB82188-E039-4AB4-BE21-FEAD2894CA32\IBSProvider.dll

Filesize
60KB

MD5
b5b8c30b6eadc678f37d865061684219

SHA1
c78dc8160d7f0d794d6a156d9194f16314a0a361

SHA256
f1bcba5928da73db1a78355afd4cedb8d66e09d28fcfa6ae75112c5e10b0d841

SHA512
de2b7c5a03298a467152a8adc308c4355ca420438b96035083d524b2058daec9d2434eb62d329f747eb9768af8324a306d1e257005df7ddc2ff093a73068e06f

Download Submit
C:\Users\Admin\AppData\Local\Temp\CFB82188-E039-4AB4-BE21-FEAD2894CA32\IntlProvider.dll

Filesize
297KB

MD5
18d4bd2bc601dbd4ca32e46f052fd152

SHA1
c0c04c30b9248c06a4f488d7921e1067518f2a2f

SHA256
207c51a4acfb244f05804b54c4d4f71fd5de4745434e40c969d888a4109677df

SHA512
583993ab11f59a4f0a3ff00382323f2ecec735ad8ed55d4ba388ea4e661edec99f4f7f9914b826dfd5ed21a24af719a4e0bdff6b5fc10dd08be21fcbab627394

Download Submit
C:\Users\Admin\AppData\Local\Temp\CFB82188-E039-4AB4-BE21-FEAD2894CA32\LogProvider.dll

Filesize
78KB

MD5
1176e91f4f663b03515b4d944dcdd72b

SHA1
fa341a412720fd79fe1e1f6e11d850a4e103871d

SHA256
a4ae8aac8660aaa255cc8318c7971273201e62954d6d36ac5d7ec738fb218258

SHA512
c31f3bbff71ebc3f29813cf55754593262884fc71327db58622da62daa92062b1e8e2f6877a71ca832f40e7127c478d931661527485e801b74dcfdfaf6670874

Download Submit
C:\Users\Admin\AppData\Local\Temp\CFB82188-E039-4AB4-BE21-FEAD2894CA32\MsiProvider.dll

Filesize
208KB

MD5
0655a77306506895e5d3b5e7dbc833e0

SHA1
51087449d02fb42c948a1f53735bed1ccedd1ad8

SHA256
bfac469b3bfe0dc5419059d889eabb2ab1bdf1a6298a6de743cf0f189a48c679

SHA512
dab8ce18208670e720927f3d6bc317cb81b72c6ca95a92e637d9e19bec4666b3607747bbb3f0ef7285a41c49a26c2a52fb225224ece22aff391f89df2f9df61d

Download Submit
C:\Users\Admin\AppData\Local\Temp\CFB82188-E039-4AB4-BE21-FEAD2894CA32\OSProvider.dll

Filesize
150KB

MD5
684fca651758ba405144d5fcab6ab7fe

SHA1
da595c60fbc4336fd2c61b45384dc0dbc3bf599a

SHA256
ae9b66a6e0b1949890241c67037cef2c59d4f4faef84849789e0fee9184f41c6

SHA512
4f8a9c524dd4e0f2a2f6f67a1ce42a7e9590fc5715f9538d8e0c7ff0c67d4bcbe10318bebd6328ee29c6c3b9842d0e176da7e663a88d9ecdec8c6404571c3756

Download Submit
C:\Users\Admin\AppData\Local\Temp\CFB82188-E039-4AB4-BE21-FEAD2894CA32\OfflineSetupProvider.dll

Filesize
183KB

MD5
db1c840507ea36d04d8f8f503804daad

SHA1
990152a67191059ac486074f0a50b97b840bd8e3

SHA256
23fac2578e222a023c7b67186d67070518c17f08a6c39644fbef76293751efc4

SHA512
90da4d328c27f1379f7f9e65019aa242e1899b1a2a5f9626f08aeea020b8f46583878891b8a73b4c555e381f1e8f8c5be5c54dce2d7a2498c2e3a40c8abcb5a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\CFB82188-E039-4AB4-BE21-FEAD2894CA32\ProvProvider.dll

Filesize
754KB

MD5
5d7572a7a3724966cf940465ac6e4fbe

SHA1
cab0fdc627744e0f3d99dcc1ca8e8c1b9309301a

SHA256
2d3af1a4c4733d01c46ab82cb7e8ff0392db91db207ca9437a956c9bc5e2186a

SHA512
fc8fe42a23f1c4dca3205c63b22e8717f03c51307267367e0334e1326e47055abbb4738d003bf3340d3a15365c2625c2b791b3a083128e15d37398aaaa969e6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\CFB82188-E039-4AB4-BE21-FEAD2894CA32\SetupPlatformProvider.dll

Filesize
160KB

MD5
c35697a1ce80b310b670c2aec0c0234f

SHA1
0b4c0bf45f008c09aa51d0152390b4d198df2eb4

SHA256
1467d5059e367ca56a80fc7f169d8f562026f7020e64f12b97a6ee94f92f086d

SHA512
17d8c5ddc72dc7eadd6ece79f432b03fec38e6f494f65318326fc1aef64b52ad2658c29583f7f5b15a11c45102917cec57e8f08828d3a7a97aab508f53e3c5cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\CFB82188-E039-4AB4-BE21-FEAD2894CA32\SmiProvider.dll

Filesize
276KB

MD5
97e089eec3c6898bd4159c39853f0dc2

SHA1
ffd3d226ba179abac9d2b24d9081aae1f9c42326

SHA256
bea12ec326503df121ea00e2ab05235d5c89f7040e7481f723acd62feb92f319

SHA512
1ddc5fc98ed3daa5e279693e850e99c14f04b216bbec3460422b29b30085ef2003d0519add06ced7640ff6e14ee3aa0000ebe093bb6da4e40ae34b0fba676f73

Download Submit
C:\Users\Admin\AppData\Local\Temp\CFB82188-E039-4AB4-BE21-FEAD2894CA32\SysprepProvider.dll

Filesize
779KB

MD5
d2b254097ee4c8d3d87e6b450e38e8a6

SHA1
2fb26e509ca4261e660ee8f1da1a0e9db12925bd

SHA256
663d8e04f20c8ff6256e680e57cdc738cfc3cf7564ec5f507493dd5ddc72b27c

SHA512
6fbdbc93fc565f1882ad1ba4996eec35510d67330330e2421c86df41284d97293a0d25034c228e0f2430e727125499522be6572adaef1ff31ee3499f9f573654

Download Submit
C:\Users\Admin\AppData\Local\Temp\CFB82188-E039-4AB4-BE21-FEAD2894CA32\TransmogProvider.dll

Filesize
1.3MB

MD5
e60476d1585d1388e6e1761ad1fde0b4

SHA1
18422195c4ffca0e8ba54d81fbe8500096acacd1

SHA256
d9bb6d4e87c1d869a2a8e03d2b0e5ddfeb086207f10d6c559a939f644d31af88

SHA512
0ee8a343b37c0b61a9f112689d9428978db997a217b8057a6932fab806968ccd63c5560f19895b50c9a01d57588e574a5308ed06d7f57ca37c2f8d51fed2a8bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\CFB82188-E039-4AB4-BE21-FEAD2894CA32\UnattendProvider.dll

Filesize
229KB

MD5
4fa1ca63b1f8fe59d6074ca92fad82d2

SHA1
9da8e65c3196984544db3197cf0b554a8e800a8d

SHA256
201ea386a50b5d4317a66c1889c669ffd2e545a2531e33806aa00605f8852a52

SHA512
9d1a44b1f09a28c91edd7b727abbabbc57b7b72cc2e00973eda8d1af2861d1128be09fd8ffa43dd5a0d163010bba7da58285384e889259121dc772d8bf3b464b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lnzmse3q.a54.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Public\IObitUnlocker\Backup.vbs

Filesize
308B

MD5
59fca3c2fb6da0d16e0a280716e2f3ed

SHA1
dd01f82572e31875faa044c0152e48cc818ba5f3

SHA256
55e4fbd4febcf1db761a8f8732484998993b439bae2200f982d81ed35d55265d

SHA512
47caacc37ec8ae4c13120f713a35282da72e50dc7d2cdc6c50b1f96a07626d5db9e8c6d5822d8810c7a5096c476e737d8f7845e6fce23bbf39df7cad52938883

Download Submit
C:\Users\Public\IObitUnlocker\Loader.vbs

Filesize
308B

MD5
2993b76e0b0ba015caf654881638a0c0

SHA1
7fbd5f28fb2f6f948cbeb3c4dd5b0672bdfe4bcd

SHA256
0e131f595ef67c160de9727d9a92a84b50393e66dd242f330736b916e1bf20a3

SHA512
a61e0e7f92f0d78c27939ba21bdda6ff97503adc44e42a4b7eab3c4c1bea8acad4517b90db3430cabc237c2db01e60ab3a2a78e237ae01a896bd09aabba067cb

Download Submit
C:\Users\Public\IObitUnlocker\RAR.exe

Filesize
629KB

MD5
d3e9f98155c0faab869ccc74fb5e8a1e

SHA1
8e4feaad1d43306fdd8aa66efa443bca7afde710

SHA256
3e0fdb5c40336482dacef3496116053d7772a51720900141b3c6f35c6e9b351b

SHA512
2760c139ef276f406770675d89fb667f3369a9e1943a6eff2c18f391114018ad6fdce9daf0b499b18081ef22243ef04d74ff21cbd346eb31a1ddbcb79756697d

Download Submit
C:\Users\Public\IObitUnlocker\Report.ps1

Filesize
458KB

MD5
7fbb868518f65c9e9151d7af6ecacd15

SHA1
0a3b60ba2562ffe3957ccd23c2a6d75879a2f2ac

SHA256
c41c3cd2a9ef8193529dcecfacd34e3fcb8f7086c2f5a4ee8f550454c5078b33

SHA512
09496d08c57fa404b44a0197a295743081fbaa1b385d440744cd40ad90cb348f1b46c737e737d83ed47e3926d342423a5210e8da27e14f7e849e9c3ff0500906

Download Submit
C:\Windows\Logs\DISM\dism.log

Filesize
2.2MB

MD5
b7c39d16053606b1845199f30be33c2f

SHA1
44d196f808b1d7e94578d906ec2167d5d662c3da

SHA256
6e084cfd988d621e7e1763743fb7bde63a76ce28db075570f6a3ff4708f69bee

SHA512
73a0d6e2211c116e0332f4fab32b8181d639e8b8067de5bcd25d5bfcb98ffbec56177e93c6663a7384b1b17231522fe27fc92b6a4b21a402b34bb5eb43737506

Download Submit
memory/1956-23-0x0000020612160000-0x0000020612168000-memory.dmp

Filesize
32KB

Download
memory/1956-22-0x000002062C200000-0x000002062C226000-memory.dmp

Filesize
152KB

Download
memory/1956-29-0x000002062F3F0000-0x000002062F428000-memory.dmp

Filesize
224KB

Download
memory/1956-28-0x000002062F470000-0x000002062F52A000-memory.dmp

Filesize
744KB

Download
memory/1956-27-0x000002062F300000-0x000002062F3B2000-memory.dmp

Filesize
712KB

Download
memory/1956-24-0x00000206121A0000-0x00000206121AA000-memory.dmp

Filesize
40KB

Download
memory/1956-30-0x0000020630A50000-0x0000020630A58000-memory.dmp

Filesize
32KB

Download
memory/1956-20-0x0000020611C50000-0x0000020611D44000-memory.dmp

Filesize
976KB

Download
memory/1956-32-0x0000020630370000-0x000002063037E000-memory.dmp

Filesize
56KB

Download
memory/1956-21-0x000002062C430000-0x000002062C516000-memory.dmp

Filesize
920KB

Download
memory/3148-115-0x0000000006000000-0x00000000065A6000-memory.dmp

Filesize
5.6MB

Download
memory/3148-116-0x0000000005CF0000-0x0000000005D82000-memory.dmp

Filesize
584KB

Download
memory/3696-5-0x000002B4A51B0000-0x000002B4A51D2000-memory.dmp

Filesize
136KB

Download
memory/3852-103-0x0000020A70DB0000-0x0000020A70DBA000-memory.dmp

Filesize
40KB

Download
memory/5028-104-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download