shell.bin.zip

Report
Files
Registry
Network
Processes
Mutex
Misc

Target

shell.bin.exe

Filesize

403KB

Completed

20-10-2020 18:26

Score

5 ^/10

MD5

4c64b7afcf85249f09da741c700eabb1

SHA1

18286de90456e26005c346430d1891522a8b985b

SHA256

644704ae267daa0f81613569ade954ad2c308031d55e9480501a6afc1ccea83f

Suspicious use of SetThreadContext
shell.bin.exe

Reported IOCs

description pid process target process

PID 3984 set thread context of 3980 3984 shell.bin.exe shell.bin.exe

description	pid	process	target process
PID 3984 set thread context of 3980	3984	shell.bin.exe	shell.bin.exe

Drops file in Program Files directory

shell.bin.exe

Reported IOCs

description	ioc	process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Assets\PhotosLogoExtensions.targetsize-129.png	shell.bin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\AppTiles\Contrast-black\MapsSmallTile.scale-200.png	shell.bin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_2019.16112.11601.0_neutral_~_8wekyb3d8bbwe\AppxSignature.p7x	shell.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019VL_KMS_Client_AE-ul.xrm-ms.32aa	shell.bin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_1.1702.21039.0_x64__8wekyb3d8bbwe\resources.pri	shell.bin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\um_16x11.png	shell.bin.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\RunningLate.scale-80.png	shell.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_it.jar.32aa	shell.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\Platform\CONFIG\Modules\org-netbeans-modules-autoupdate-cli.xml.bak.32aa	shell.bin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\OneNoteAppList.targetsize-30_altform-unplated.png	shell.bin.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxA-Yahoo-Light.scale-125.png	shell.bin.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\ExchangeBadge.scale-125.png	shell.bin.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\ExchangeLargeTile.scale-100.png	shell.bin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\Contrast-black\OneNoteSectionLargeTile.scale-150.png	shell.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Retail-ppd.xrm-ms.32aa	shell.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\VFS\Fonts\private\BOOKOSB.TTF.32aa	shell.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\excel-udf-host.win32.bundle.bak.32aa	shell.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\DCF\ExcelMessageDismissal.txt.32aa	shell.bin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\sx_16x11.png	shell.bin.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\GenericMailMediumTile.scale-100.png	shell.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Retail-ul-phn.xrm-ms.bak.32aa	shell.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Retail-pl.xrm-ms.bak.32aa	shell.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART4.BDR.32aa	shell.bin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Audio\slide_in.wav	shell.bin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\small\fingerscrossed.png	shell.bin.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\bg4_thumb.png	shell.bin.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_25.25.13009.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\GamesXboxHubBadgeLogo.scale-125_contrast-white.png	shell.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.jface.text.nl_ja_4.4.0.v20140623020002.jar.32aa	shell.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\Platform\Modules\Locale\org-openide-loaders_ja.jar	shell.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_KMS_Client-ppd.xrm-ms	shell.bin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Western\western_10h.png	shell.bin.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Home\LargeTile.scale-125.png	shell.bin.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\Contrast-black\HxMailAppList.targetsize-40_altform-unplated.png	shell.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.intro_3.4.200.v20130326-1254.jar.32aa	shell.bin.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\ext\sunmscapi.jar.bak.32aa	shell.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Trial-ul-oob.xrm-ms.bak.32aa	shell.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.scale-140.png	shell.bin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_1.0.45.0_x64__8wekyb3d8bbwe\AppxManifest.xml	shell.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\Icons\date-span-16.png.32aa	shell.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\Platform\Modules\org-netbeans-modules-keyring-impl.jar.32aa	shell.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\Modules\com-sun-tools-visualvm-attach.jar	shell.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp3-ul-oob.xrm-ms	shell.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\ORGCHART.CHM.bak.32aa	shell.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail3-ppd.xrm-ms.bak.32aa	shell.bin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\HowToPlay\StarClub\Help_3_2.png	shell.bin.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\OutlookMailSmallTile.scale-125.png	shell.bin.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1702.301.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\VoiceRecorderLargeTile.contrast-black_scale-125.png	shell.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest1-ul-oob.xrm-ms.32aa	shell.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\microsoft shared\Office16\DataModel\Cartridges\as90.xsl.32aa	shell.bin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\HowToPlay\klondike\Tips_4.jpg	shell.bin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Icons\klondike_icon.png	shell.bin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe\Assets\AppTiles\Contrast-black\StoreWideTile.scale-200.png	shell.bin.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\Contrast-black\LinkedInboxBadge.scale-125.png	shell.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\XML2WORD.XSL.bak.32aa	shell.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\lpc.win32.bundle.32aa	shell.bin.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\7989_20x20x32.png	shell.bin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\LTR\MedTile.scale-100.png	shell.bin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\_Resources\12.rsrc	shell.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_OEM_Perp-ul-oob.xrm-ms	shell.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Retail-ul-oob.xrm-ms.bak.32aa	shell.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Trial-pl.xrm-ms.bak.32aa	shell.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\Assets\Icons\Delete.png	shell.bin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNotePageMedTile.scale-400.png	shell.bin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\AlarmsBadge.scale-200.png	shell.bin.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\6924_20x20x32.png	shell.bin.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxA-Generic-Light.scale-400.png	shell.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.help.ui.nl_ja_4.4.0.v20140623020002.jar.bak.32aa	shell.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Retail-ul-phn.xrm-ms.bak.32aa	shell.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoVL_KMS_Client-ppd.xrm-ms.32aa	shell.bin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Arkadium.Win10.DailyChallenges\Assets\Perfect\SnapPerfectRibbon.png	shell.bin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorMedTile.contrast-white_scale-200.png	shell.bin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1702.301.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderStoreLogo.contrast-black_scale-100.png	shell.bin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\Assets\FileExtension.targetsize-64.png	shell.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\mc.jar.bak.32aa	shell.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.model.workbench.nl_ja_4.4.0.v20140623020002.jar.32aa	shell.bin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Livetiles\MicrosoftSolitaireAppList.targetsize-20_altform-unplated.png	shell.bin.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\Office.png	shell.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.garbagecollector_1.0.200.v20131115-1210.jar.bak.32aa	shell.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_OEM_Perp-ppd.xrm-ms	shell.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\salesforce.ini	shell.bin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\StopwatchMedTile.contrast-white_scale-200.png	shell.bin.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxA-GoogleCloudCache-Light.scale-140.png	shell.bin.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailAppList.targetsize-256.png	shell.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\Features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\feature.xml.bak.32aa	shell.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\MSOUC_F_COL.HXK.32aa	shell.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-black_scale-140.png	shell.bin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\manifestAssets\contrast-white\Icon.targetsize-256.png	shell.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-snaptracer.xml	shell.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProXC2RVL_MAKC2R-ppd.xrm-ms.bak.32aa	shell.bin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\ca_60x42.png	shell.bin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2017.125.40.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-256_altform-unplated_contrast-white.png	shell.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.apache.batik.util.gui_1.7.0.v200903091627.jar.32aa	shell.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Grace-ul-oob.xrm-ms.bak.32aa	shell.bin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\na_60x42.png	shell.bin.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1702.333.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AlarmsSmallTile.scale-125.png	shell.bin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-30_altform-colorize.png	shell.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\javaws.jar	shell.bin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\LiveTile\2px.png	shell.bin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\ThemeCreation\AutumnDeck4.jpg	shell.bin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\sl_16x11.png	shell.bin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Work\contrast-white\SmallTile.scale-100.png	shell.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\fontconfig.properties.src.32aa	shell.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\Platform\Modules\org-netbeans-modules-options-api.jar	shell.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Retail-ul-phn.xrm-ms.bak.32aa	shell.bin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\CubeTile_contrast-black.png	shell.bin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorWideTile.contrast-white_scale-200.png	shell.bin.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2017.125.40.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraSmallTile.contrast-white_scale-125.png	shell.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\Features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303\feature.xml.32aa	shell.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Grace-ppd.xrm-ms.bak.32aa	shell.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART13.BDR	shell.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\Security\javaws.policy.bak.32aa	shell.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\Platform\Modules\Locale\org-netbeans-api-search_ja.jar.32aa	shell.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Cartridges\hive.xsl.bak.32aa	shell.bin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Tiles\pyramid.jpg	shell.bin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_1.4.101.0_neutral_split.scale-125_8wekyb3d8bbwe\resources.pri	shell.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\microsoft shared\Smart Tag\LISTS\1033\PHONE.XML	shell.bin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Buttons\Deal\New-Deal-up.mobile.png	shell.bin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\MainPageState2\dailyChallenge_bp_920.jpg	shell.bin.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxA-Advanced-Dark.scale-200.png	shell.bin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\images\PrintAndShare\Glyph_0xecd2.png	shell.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\messages.properties.32aa	shell.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.swt.win32.win32.x86_64.nl_zh_4.4.0.v20140623020002.jar.32aa	shell.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Retail-ppd.xrm-ms.bak.32aa	shell.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_MAK_AE-ul-phn.xrm-ms	shell.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\microsoft shared\GRPHFLT\MS.PNG.32aa	shell.bin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\manifestAssets\Contrast-black\Icon.targetsize-16.png	shell.bin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Awards\Common\First_One’s_Free_.png	shell.bin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.OneConnect_2.1701.277.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\OneConnectLargeTile.scale-100.png	shell.bin.exe

Suspicious use of AdjustPrivilegeToken

shell.bin.exeshell.bin.exe

Reported IOCs

description	pid	process
Token: SeDebugPrivilege	3984	shell.bin.exe
Token: SeDebugPrivilege	3980	shell.bin.exe
Token: SeDebugPrivilege	3980	shell.bin.exe
Token: SeDebugPrivilege	3980	shell.bin.exe

Suspicious use of WriteProcessMemory

shell.bin.exe

Reported IOCs

description	pid	process	target process
PID 3984 wrote to memory of 3980	3984	shell.bin.exe	shell.bin.exe
PID 3984 wrote to memory of 3980	3984	shell.bin.exe	shell.bin.exe
PID 3984 wrote to memory of 3980	3984	shell.bin.exe	shell.bin.exe
PID 3984 wrote to memory of 3980	3984	shell.bin.exe	shell.bin.exe

C:\Users\Admin\AppData\Local\Temp\shell.bin.exe

"C:\Users\Admin\AppData\Local\Temp\shell.bin.exe"

Suspicious use of AdjustPrivilegeToken
Suspicious use of SetThreadContext
Suspicious use of WriteProcessMemory

PID:3984

C:\Users\Admin\AppData\Local\Temp\shell.bin.exe

C:\Users\Admin\AppData\Local\Temp\shell.bin.exe

Drops file in Program Files directory
Suspicious use of AdjustPrivilegeToken

PID:3980

Collection

Command and Control

Credential Access

Defense Evasion

Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Privilege Escalation

00:00 00:00

memory/3980-0-0x00000000004014E0-mapping.dmp
Download

shell.bin.zip

Filter: none

Reported IOCs

Reported IOCs

Reported IOCs

Reported IOCs

Title