435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33

General

Target

435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
Size

225KB
MD5

e86b3398333384aaffd32c1444dde9d0
SHA1

4ed7e2362fb149e5d5c3a261400f1e6e6f04628d
SHA256

435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33
SHA512

eb9c20f2610d2ff008dd3d7a0596ef5ada56b2c121bf635eb8247a049b829f947b0a514c0052399e47662a526325b3b9e8c916c009f42d5279e90040a28932ec
SSDEEP

3072:dieIAGyEGGmgvevzpxBt0uZ8z43gBVN2qvI6vQF5ovTsno:d5qedM43wVN2g3gno

Score

8^/10

ransomware spyware stealer

Malware Config

Signatures

Modifies extensions of user files 13 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\HideWrite.tif => C:\Users\Admin\Pictures\HideWrite.tif.MEOW	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
File renamed	C:\Users\Admin\Pictures\NewUse.png => C:\Users\Admin\Pictures\NewUse.png.MEOW	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
File renamed	C:\Users\Admin\Pictures\ReadUninstall.png => C:\Users\Admin\Pictures\ReadUninstall.png.MEOW	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
File opened for modification	C:\Users\Admin\Pictures\UnprotectDebug.tiff	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
File renamed	C:\Users\Admin\Pictures\TraceCopy.png => C:\Users\Admin\Pictures\TraceCopy.png.MEOW	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
File opened for modification	C:\Users\Admin\Pictures\DenyPush.tiff	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
File renamed	C:\Users\Admin\Pictures\DenyPush.tiff => C:\Users\Admin\Pictures\DenyPush.tiff.MEOW	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
File renamed	C:\Users\Admin\Pictures\PublishEdit.raw => C:\Users\Admin\Pictures\PublishEdit.raw.MEOW	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
File renamed	C:\Users\Admin\Pictures\RegisterExpand.tif => C:\Users\Admin\Pictures\RegisterExpand.tif.MEOW	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
File opened for modification	C:\Users\Admin\Pictures\StartSet.tiff	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
File renamed	C:\Users\Admin\Pictures\StartSet.tiff => C:\Users\Admin\Pictures\StartSet.tiff.MEOW	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
File renamed	C:\Users\Admin\Pictures\SubmitSet.raw => C:\Users\Admin\Pictures\SubmitSet.raw.MEOW	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
File renamed	C:\Users\Admin\Pictures\UnprotectDebug.tiff => C:\Users\Admin\Pictures\UnprotectDebug.tiff.MEOW	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe

Drops startup file 1 IoCs

Processes:

435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\readme.txt	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 31 IoCs

Processes:

435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe

description	ioc	process
File opened for modification	C:\Users\Public\Libraries\desktop.ini	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
File opened for modification	C:\Users\Public\desktop.ini	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
File opened for modification	C:\Program Files\desktop.ini	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe

Drops file in Program Files directory 64 IoCs

Processes:

435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe

description	ioc	process
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\fr-fr\readme.txt	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\ru-ru\readme.txt	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\aic_file_icons.png	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\s_thumbnailview_18.svg	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\s_radio_selected_18.svg	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Yellow.xml	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ach\readme.txt	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\images\Back-48.png	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CANYON\CANYON.ELM	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_anonymoususer_18.svg	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\fr-ma\ui-strings.js	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
File created	C:\Program Files\Microsoft Office\root\loc\readme.txt	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\Bibliography\BIBFORM.XML	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Web Server Extensions\readme.txt	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\STRTEDGE\THMBNAIL.PNG	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\readme.txt	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\css\main.css	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\ru-ru\readme.txt	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.services.nl_ja_4.4.0.v20140623020002.jar	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Cartridges\Sybase.xsl	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\it-it\readme.txt	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_Grace-ul-oob.xrm-ms	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\readme.txt	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Milk Glass.eftx	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.net.win32.x86_64.nl_zh_4.4.0.v20140623020002.jar	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\nl-nl\ui-strings.js	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\zh-tw\readme.txt	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\da-dk\ui-strings.js	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\mscss7wre_es.dub	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\minimalist.dotx	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_ellipses_selected.svg	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\icons_retina.png	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\apple-touch-icon-144x144-precomposed.png	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\th.pak	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-print_ja.jar	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_GB\added.txt	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\zh-tw\ui-strings.js	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-editor-mimelookup-impl.xml	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\duplicate.svg	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\images\rhp_world_icon_hover.png	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_OEM_Perp-ppd.xrm-ms	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_KMS_Client_AE-ul-oob.xrm-ms	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.widgets_1.0.0.v20140514-1823.jar	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\cs.pak.DATA	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\sqlxmlx.rll	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Century Gothic.xml	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\css\readme.txt	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\MinionPro-BoldIt.otf	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-modules.xml	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\A12_Spinner_int.gif	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\readme.txt	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_MAK_AE-pl.xrm-ms	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdXC2RVL_KMS_ClientC2R-ppd.xrm-ms	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\redshift.ini	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\ro-ro\readme.txt	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_KMS_Client-ppd.xrm-ms	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_auditreport_18.svg	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\fr-fr\readme.txt	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\fr-ma\readme.txt	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
File created	C:\Program Files (x86)\Google\Update\Offline\readme.txt	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Web Server Extensions\16\readme.txt	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\fr-fr\ui-strings.js	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\tr-tr\ui-strings.js	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_US\README_en_US.txt	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe

pid	process
2864	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
2864	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
2864	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
2864	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
2864	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
2864	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
2864	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
2864	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
2864	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
2864	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
2864	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
2864	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
2864	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
2864	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
2864	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
2864	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
2864	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
2864	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
2864	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
2864	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
2864	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
2864	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
2864	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
2864	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
2864	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
2864	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
2864	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
2864	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
2864	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
2864	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
2864	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
2864	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
2864	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
2864	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
2864	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
2864	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
2864	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
2864	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
2864	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
2864	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
2864	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
2864	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
2864	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
2864	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
2864	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
2864	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
2864	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
2864	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
2864	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
2864	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
2864	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
2864	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
2864	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
2864	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
2864	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
2864	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
2864	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
2864	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
2864	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
2864	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
2864	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
2864	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
2864	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
2864	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

Processes:

vssvc.exeWMIC.exe

description	pid	process
Token: SeBackupPrivilege	1584	vssvc.exe
Token: SeRestorePrivilege	1584	vssvc.exe
Token: SeAuditPrivilege	1584	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1520	WMIC.exe
Token: SeSecurityPrivilege	1520	WMIC.exe
Token: SeTakeOwnershipPrivilege	1520	WMIC.exe
Token: SeLoadDriverPrivilege	1520	WMIC.exe
Token: SeSystemProfilePrivilege	1520	WMIC.exe
Token: SeSystemtimePrivilege	1520	WMIC.exe
Token: SeProfSingleProcessPrivilege	1520	WMIC.exe
Token: SeIncBasePriorityPrivilege	1520	WMIC.exe
Token: SeCreatePagefilePrivilege	1520	WMIC.exe
Token: SeBackupPrivilege	1520	WMIC.exe
Token: SeRestorePrivilege	1520	WMIC.exe
Token: SeShutdownPrivilege	1520	WMIC.exe
Token: SeDebugPrivilege	1520	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1520	WMIC.exe
Token: SeRemoteShutdownPrivilege	1520	WMIC.exe
Token: SeUndockPrivilege	1520	WMIC.exe
Token: SeManageVolumePrivilege	1520	WMIC.exe
Token: 33	1520	WMIC.exe
Token: 34	1520	WMIC.exe
Token: 35	1520	WMIC.exe
Token: 36	1520	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1520	WMIC.exe
Token: SeSecurityPrivilege	1520	WMIC.exe
Token: SeTakeOwnershipPrivilege	1520	WMIC.exe
Token: SeLoadDriverPrivilege	1520	WMIC.exe
Token: SeSystemProfilePrivilege	1520	WMIC.exe
Token: SeSystemtimePrivilege	1520	WMIC.exe
Token: SeProfSingleProcessPrivilege	1520	WMIC.exe
Token: SeIncBasePriorityPrivilege	1520	WMIC.exe
Token: SeCreatePagefilePrivilege	1520	WMIC.exe
Token: SeBackupPrivilege	1520	WMIC.exe
Token: SeRestorePrivilege	1520	WMIC.exe
Token: SeShutdownPrivilege	1520	WMIC.exe
Token: SeDebugPrivilege	1520	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1520	WMIC.exe
Token: SeRemoteShutdownPrivilege	1520	WMIC.exe
Token: SeUndockPrivilege	1520	WMIC.exe
Token: SeManageVolumePrivilege	1520	WMIC.exe
Token: 33	1520	WMIC.exe
Token: 34	1520	WMIC.exe
Token: 35	1520	WMIC.exe
Token: 36	1520	WMIC.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.execmd.exe

description	pid	process	target process
PID 2864 wrote to memory of 3764	2864	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe	cmd.exe
PID 2864 wrote to memory of 3764	2864	435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe	cmd.exe
PID 3764 wrote to memory of 1520	3764	cmd.exe	WMIC.exe
PID 3764 wrote to memory of 1520	3764	cmd.exe	WMIC.exe

C:\Users\Admin\AppData\Local\Temp\435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe
"C:\Users\Admin\AppData\Local\Temp\435a917a2ad1adbe35e97247d7c2dc0d50be12b2d1a311d5b2a7b28dd315fc33.bin.exe"
1⤵
- Modifies extensions of user files
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2864

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{8E606EB0-4116-41A1-A4CE-B21AE923D4EA}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:3764

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{8E606EB0-4116-41A1-A4CE-B21AE923D4EA}'" delete
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1520

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1584

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1520-133-0x0000000000000000-mapping.dmp

Download
memory/3764-132-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads