Malware Analysis Report

2025-05-28 16:41

Sample ID 230628-e2xxwagc73
Target Appfuscator.exe
SHA256 f4e196c0538f09394df20b15acbe61b2bf5e19e249e7109a1a0a46708630ecf0
Tags agilenet
Score 10/10

Analysis Overview

Score 10/10

SHA256 f4e196c0538f09394df20b15acbe61b2bf5e19e249e7109a1a0a46708630ecf0

Threat Level: Known bad

The file Appfuscator.exe was found to be: Known bad.

Malicious Activity Summary

agilenet

Blocklisted process makes network request

Loads dropped DLL

Obfuscated with Agile.Net obfuscator

Executes dropped EXE

Checks computer location settings

Looks up external IP address via web service

Legitimate hosting services abused for malware hosting/C2

Enumerates connected drives

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Uses Volume Shadow Copy service COM API

Suspicious use of WriteProcessMemory

Checks SCSI registry key(s)

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Modifies data under HKEY_USERS

Modifies registry class

Analysis: static1

Detonation Overview

Reported 2023-06-28 04:26

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2023-06-28 04:26
Reported 2023-06-28 04:28
Platform win10v2004-20230621-en
Max time kernel 68s
Max time network 71s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Appfuscator.exe"

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Appfuscator.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\Control Panel\International\Geo\Nation C:\Windows\system32\cscript.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\Installer\MSI358D.tmp N/A
N/A N/A C:\Program Files (x86)\66 Bit\Appfuscator\install\start.exe N/A

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\Appfuscator.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\Appfuscator.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\Appfuscator.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\Appfuscator.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\Appfuscator.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\Appfuscator.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\Appfuscator.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\Appfuscator.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\Appfuscator.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\Appfuscator.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\Appfuscator.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\Appfuscator.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\Appfuscator.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\Appfuscator.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\Appfuscator.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\Appfuscator.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\Appfuscator.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\Appfuscator.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\Appfuscator.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\Appfuscator.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\Appfuscator.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\Appfuscator.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\Appfuscator.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\66 Bit\Appfuscator\unins000.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\66 Bit\Appfuscator\install\blacklist_ips.js C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Program Files (x86)\66 Bit\Appfuscator\install\7-Zip\7z.sfx C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\66 Bit\Appfuscator\install\7-Zip\Lang\hr.txt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\66 Bit\Appfuscator\install\7-Zip\Lang\sw.txt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\66 Bit\Appfuscator\install\7-Zip\readme.txt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\66 Bit\Appfuscator\install\7-Zip\Lang\ast.txt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\66 Bit\Appfuscator\install\7-Zip\Lang\et.txt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\66 Bit\Appfuscator\install\7-Zip\Lang\lv.txt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\66 Bit\Appfuscator\install\7-Zip\7-zip32.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\66 Bit\Appfuscator\install\7-Zip\Lang\el.txt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\66 Bit\Appfuscator\install\7-Zip\Lang\uz.txt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\66 Bit\Appfuscator\AppFuscator.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\66 Bit\Appfuscator\install\7-Zip\Lang\ru.txt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\66 Bit\Appfuscator\install\7-Zip\Lang\pt.txt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\66 Bit\Appfuscator\install\7-Zip\Lang\uz-cyrl.txt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\66 Bit\Appfuscator\install\7-Zip\Lang\af.txt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\66 Bit\Appfuscator\install\7-Zip\Lang\nb.txt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\66 Bit\Appfuscator\install\7-Zip\Lang\tk.txt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\66 Bit\Appfuscator\install\7-Zip\Lang\tt.txt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\66 Bit\Appfuscator\install\start.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\66 Bit\Appfuscator\Mono.Cecil.Mdb.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\66 Bit\Appfuscator\Newtonsoft.Json.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\66 Bit\Appfuscator\install\7-Zip\Lang\io.txt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\66 Bit\Appfuscator\install\7-Zip\Lang\sk.txt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\66 Bit\Appfuscator\install\7-Zip\Lang\tr.txt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\66 Bit\Appfuscator\install\7-Zip\Lang\zh-cn.txt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\66 Bit\Appfuscator\install\7-Zip\Lang\fi.txt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\66 Bit\Appfuscator\install\7-Zip\Lang\lij.txt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\66 Bit\Appfuscator\StackTraceDecoder.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\66 Bit\Appfuscator\AgileDotNet.VMRuntime.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\66 Bit\Appfuscator\install\7-Zip\Lang\cy.txt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\66 Bit\Appfuscator\install\7-Zip\Lang\be.txt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\66 Bit\Appfuscator\install\7-Zip\Lang\gl.txt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\66 Bit\Appfuscator\install\7-Zip\Lang\ta.txt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\66 Bit\Appfuscator\install\7-Zip\7zG.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\66 Bit\Appfuscator\install\7-Zip\Lang\ar.txt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\66 Bit\Appfuscator\install\7-Zip\Lang\ga.txt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\66 Bit\Appfuscator\install\7-Zip\7z.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\66 Bit\Appfuscator\install\7-Zip\Lang\va.txt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\66 Bit\Appfuscator\install\7-Zip\Lang\ku.txt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\66 Bit\Appfuscator\install\7-Zip\Lang\tg.txt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\66 Bit\Appfuscator\install\7-Zip\7zCon.sfx C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\66 Bit\Appfuscator\install\7-Zip\Lang\is.txt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\66 Bit\Appfuscator\install\7-Zip\Lang\sv.txt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\66 Bit\Appfuscator\install\tmp C:\Windows\System32\cmd.exe N/A
File created C:\Program Files (x86)\66 Bit\Appfuscator\install\7-Zip\Lang\bg.txt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\66 Bit\Appfuscator\install\7-Zip\Lang\hi.txt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\66 Bit\Appfuscator\install\7-Zip\Lang\nl.txt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\66 Bit\Appfuscator\install\7-Zip\Lang\kaa.txt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\66 Bit\Appfuscator\install\7-Zip\Lang\ko.txt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\66 Bit\Appfuscator\install\7-Zip\Lang\mn.txt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\66 Bit\Appfuscator\install\7-Zip\Lang\sl.txt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\66 Bit\Appfuscator\install\7-Zip\Lang\sq.txt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\66 Bit\Appfuscator\install\7-Zip\Lang\uk.txt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\66 Bit\Appfuscator\install\7-Zip\Lang\ca.txt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\66 Bit\Appfuscator\install\7-Zip\Lang\ja.txt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\66 Bit\Appfuscator\install\7-Zip\Lang\mr.txt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\66 Bit\Appfuscator\install\7-Zip\Lang\vi.txt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\66 Bit\Appfuscator\unins000.dat C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\66 Bit\Appfuscator\install\7-Zip\Lang\co.txt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\66 Bit\Appfuscator\install\7-Zip\Lang\fur.txt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\66 Bit\Appfuscator\install\7-Zip\Lang\eo.txt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\66 Bit\Appfuscator\install\7-Zip\Lang\ext.txt C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Installer\e5724ff.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI358D.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI2E1A.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI25B8.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI26F2.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI279F.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI281D.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e5724fd.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI2741.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e5724fd.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{D2AB51B9-BC7C-4B86-86AD-C9FACBF7E2FF} C:\Windows\system32\msiexec.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1E\52C64B7E C:\Windows\system32\msiexec.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9B15BA2DC7CB68B468DA9CAFBC7F2EFF C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9B15BA2DC7CB68B468DA9CAFBC7F2EFF C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9B15BA2DC7CB68B468DA9CAFBC7F2EFF\Version = "16777216" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9B15BA2DC7CB68B468DA9CAFBC7F2EFF\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Roaming\\66 Bit\\Appfuscator 1.0.0\\install\\" C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9B15BA2DC7CB68B468DA9CAFBC7F2EFF\Clients = 3a0000000000 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9B15BA2DC7CB68B468DA9CAFBC7F2EFF\MainFeature C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9B15BA2DC7CB68B468DA9CAFBC7F2EFF\PackageCode = "DD93875DCE0BDDA4CAA5C3F508A25CDD" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9B15BA2DC7CB68B468DA9CAFBC7F2EFF\AuthorizedLUAApp = "0" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9B15BA2DC7CB68B468DA9CAFBC7F2EFF\DeploymentFlags = "3" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9B15BA2DC7CB68B468DA9CAFBC7F2EFF\SourceList\PackageName = "Appfuscator.msi" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9B15BA2DC7CB68B468DA9CAFBC7F2EFF\SourceList\Net C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9B15BA2DC7CB68B468DA9CAFBC7F2EFF\SourceList\Media C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9B15BA2DC7CB68B468DA9CAFBC7F2EFF\ProductName = "Appfuscator" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9B15BA2DC7CB68B468DA9CAFBC7F2EFF\Language = "1033" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9B15BA2DC7CB68B468DA9CAFBC7F2EFF\AdvertiseFlags = "388" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\3F4E04C6571ADA54C916A8E3702B037B C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9B15BA2DC7CB68B468DA9CAFBC7F2EFF\SourceList\Media\DiskPrompt = "[1]" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9B15BA2DC7CB68B468DA9CAFBC7F2EFF\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Roaming\\66 Bit\\Appfuscator 1.0.0\\install\\" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9B15BA2DC7CB68B468DA9CAFBC7F2EFF\Assignment = "1" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9B15BA2DC7CB68B468DA9CAFBC7F2EFF\InstanceType = "0" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\3F4E04C6571ADA54C916A8E3702B037B\9B15BA2DC7CB68B468DA9CAFBC7F2EFF C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9B15BA2DC7CB68B468DA9CAFBC7F2EFF\SourceList C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9B15BA2DC7CB68B468DA9CAFBC7F2EFF\SourceList\Media\1 = "Disk1;Disk1" C:\Windows\system32\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Appfuscator.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Appfuscator.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Appfuscator.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Appfuscator.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Appfuscator.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Appfuscator.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Appfuscator.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Appfuscator.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Appfuscator.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Appfuscator.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Appfuscator.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Appfuscator.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Appfuscator.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Appfuscator.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Appfuscator.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Appfuscator.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Appfuscator.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Appfuscator.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Appfuscator.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Appfuscator.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Appfuscator.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Appfuscator.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Appfuscator.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Appfuscator.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Appfuscator.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Appfuscator.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Appfuscator.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Appfuscator.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Appfuscator.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Appfuscator.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 968 wrote to memory of 1132 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1056 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\Appfuscator.exe C:\Users\Admin\AppData\Local\Temp\Appfuscator.exe
PID 968 wrote to memory of 4120 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe
PID 968 wrote to memory of 4192 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 968 wrote to memory of 2324 N/A C:\Windows\system32\msiexec.exe C:\Windows\Installer\MSI358D.tmp
PID 3388 wrote to memory of 1432 N/A C:\Program Files (x86)\66 Bit\Appfuscator\install\start.exe C:\Windows\system32\cscript.exe
PID 1432 wrote to memory of 1972 N/A C:\Windows\system32\cscript.exe C:\Windows\System32\cmd.exe
PID 1972 wrote to memory of 4644 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 1972 wrote to memory of 3816 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\find.exe
PID 1972 wrote to memory of 2648 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\findstr.exe
PID 1972 wrote to memory of 772 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\findstr.exe
PID 1972 wrote to memory of 2748 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\findstr.exe
PID 1972 wrote to memory of 3576 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\findstr.exe
PID 1972 wrote to memory of 3600 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
PID 1972 wrote to memory of 4468 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\find.exe
PID 1972 wrote to memory of 696 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
PID 1972 wrote to memory of 3144 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1972 wrote to memory of 116 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
PID 116 wrote to memory of 3264 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\curl.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\Appfuscator.exe

"C:\Users\Admin\AppData\Local\Temp\Appfuscator.exe"

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 736DF2E233828BC946CD8E7B5A52B5F9 C

C:\Users\Admin\AppData\Local\Temp\Appfuscator.exe

"C:\Users\Admin\AppData\Local\Temp\Appfuscator.exe" /i "C:\Users\Admin\AppData\Roaming\66 Bit\Appfuscator 1.0.0\install\Appfuscator.msi" AI_EUIMSI=1 APPDIR="C:\Program Files (x86)\66 Bit\Appfuscator" SHORTCUTDIR="C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Appfuscator" SECONDSEQUENCE="1" CLIENTPROCESSID="1056" CHAINERUIPROCESSID="1056Chainer" ACTION="INSTALL" EXECUTEACTION="INSTALL" CLIENTUILEVEL="0" ADDLOCAL="MainFeature" PRIMARYFOLDER="APPDIR" ROOTDRIVE="F:\" AI_DETECTED_DOTNET_VERSION="4.8" AI_SETUPEXEPATH="C:\Users\Admin\AppData\Local\Temp\Appfuscator.exe" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1687685897 " TARGETDIR="F:\" AI_SETUPEXEPATH_ORIGINAL="C:\Users\Admin\AppData\Local\Temp\Appfuscator.exe" AI_INSTALL="1"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 85C37A87FB0F44A7DE273DEA18738F9D

C:\Windows\Installer\MSI358D.tmp

"C:\Windows\Installer\MSI358D.tmp" "C:\Program Files (x86)\66 Bit\Appfuscator\install\start.exe"

C:\Program Files (x86)\66 Bit\Appfuscator\install\start.exe

"C:\Program Files (x86)\66 Bit\Appfuscator\install\start.exe"

C:\Windows\system32\cscript.exe

"C:\Windows\sysnative\cscript" C:\Users\Admin\AppData\Local\Temp\3827.tmp\3828.tmp\3829.vbs //Nologo

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c start.bat

C:\Windows\system32\chcp.com

chcp.com 437

C:\Windows\system32\find.exe

find

C:\Windows\system32\findstr.exe

findstr /L /I set start.bat

C:\Windows\system32\findstr.exe

findstr /L /I goto start.bat

C:\Windows\system32\findstr.exe

findstr /L /I echo start.bat

C:\Windows\system32\findstr.exe

findstr /L /I pause start.bat

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c type tmp

C:\Windows\system32\find.exe

find

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c type tmp

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://raw.githubusercontent.com/ThunderboltDev/IP-BLACKLIST/main/blacklist_ips.js', 'blacklist_ips.js')"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c curl -s https://api.ipify.org/

C:\Windows\system32\curl.exe

curl -s https://api.ipify.org/

Network

Country Destination Domain Proto
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 assets.msn.com udp
NL 95.101.74.151:443 assets.msn.com tcp
US 8.8.8.8:53 151.74.101.95.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 20.189.173.2:443 tcp
US 8.8.8.8:53 209.144.197.23.in-addr.arpa udp
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
US 8.8.8.8:53 63.13.109.52.in-addr.arpa udp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 api.ipify.org udp
US 173.231.16.76:443 api.ipify.org tcp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 76.16.231.173.in-addr.arpa udp
US 8.8.8.8:53 101.14.18.104.in-addr.arpa udp
US 8.8.8.8:53 101.15.18.104.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Roaming\66 Bit\Appfuscator 1.0.0\install\Appfuscator.msi
C:\Users\Admin\AppData\Local\Temp\MSI7814.tmp
C:\Users\Admin\AppData\Local\Temp\MSI79BB.tmp
C:\Users\Admin\AppData\Local\Temp\MSI7A29.tmp
C:\Users\Admin\AppData\Local\Temp\MSI7B24.tmp
C:\Users\Admin\AppData\Local\Temp\MSI7BA2.tmp
C:\Users\Admin\AppData\Local\Temp\MSI7C5F.tmp
C:\Users\Admin\AppData\Local\Temp\MSI7CCD.tmp
C:\Users\Admin\AppData\Local\Temp\MSI7D7A.tmp
C:\Users\Admin\AppData\Local\Temp\MSI7DF8.tmp
C:\Users\Admin\AppData\Local\Temp\MSI7E66.tmp
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_1056\background.jpg
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_1056\collecting.jpg
C:\Users\Admin\AppData\Local\Temp\MSI7FA0.tmp
C:\Users\Admin\AppData\Local\Temp\MSI8435.tmp
C:\Users\Admin\AppData\Local\Temp\MSI8474.tmp
C:\Users\Admin\AppData\Local\Temp\MSI856F.tmp
C:\Users\Admin\AppData\Local\Temp\MSI85FD.tmp
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_1056\preparing.jpg
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_1056\installing.jpg
C:\Users\Admin\AppData\Local\Temp\shiB432.tmp
C:\Windows\Installer\MSI25B8.tmp
C:\Windows\Installer\MSI26F2.tmp
C:\Windows\Installer\MSI2741.tmp
C:\Windows\Installer\MSI279F.tmp
C:\Windows\Installer\MSI281D.tmp
C:\Users\Admin\AppData\Roaming\66 Bit\Appfuscator 1.0.0\install\Appfuscator1.cab
C:\Program Files (x86)\66 Bit\Appfuscator\AppFuscator.exe
C:\Config.Msi\e5724fe.rbs
C:\Windows\Installer\MSI358D.tmp
C:\Program Files (x86)\66 Bit\Appfuscator\install\start.exe
C:\Users\Admin\AppData\Local\Temp\3827.tmp\3828.tmp\3829.vbs
C:\Program Files (x86)\66 Bit\Appfuscator\install\start.bat
C:\Program Files (x86)\66 Bit\Appfuscator\install\tmp
memory/3144-456-0x000001E0D4D60000-0x000001E0D4D82000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_g3vs0ino.25c.ps1
memory/3144-466-0x000001E0D3480000-0x000001E0D3490000-memory.dmp
memory/3144-467-0x000001E0D3480000-0x000001E0D3490000-memory.dmp
memory/3144-468-0x000001E0D3480000-0x000001E0D3490000-memory.dmp
memory/3144-472-0x000001E0D4DC0000-0x000001E0D4E08000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_1056\finalizing.jpg
\??\Volume{728a68b3-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{3a9b5fe8-98b8-4eb7-92b0-72bb2f36d5ad}_OnDiskSnapshotProp
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2