Analysis
max time kernel: 139s
max time network: 142s
platform: windows10_x64
resource: win10v200722
submitted: 17-09-2020 17:13
Static task: static1
Behavioral task: behavioral1
  Sample: cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
  Resource: win7
Behavioral task: behavioral2
  Sample: cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
  Resource: win10v200722
General
Target: cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
Size: 2.4MB
MD5: a239735cddd49236ae3562d43d83a8e4
SHA1: 35bad8d66c79af9dabdcdd8dcebfc0440efc42a1
SHA256: cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c
SHA512: 34bbfc20d82c4227f9e745f0f7cdb5ce68c684a4a84cde0340fa82601f9340fcb7d21c6060564be8580dcba8c3d1b5a16b28ab6964508e0d1ab994b59a818fef
Malware Config
Extracted
  Path: C:\Users\Admin\AppData\Local\Temp\HACKED.txt
  Family: smaug
  URLs:
    http://smaugrwmaystthfxp72tlmdbrzlwdp2pxtpvtzvhkv5ppg3difiwonad.onion
    https://paxful.com/
    https://changelly.com/
    https://www.bitcoindepot.com/
Signatures
Smaug
  Ransomware-as-a-service first seen marketed on forums etc. in early 2020.
Drops file in Drivers directory (2 IoCs)
  Processes: cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
  description                   ioc                                                                            process
  File opened for modification  C:\Windows\SysWOW64\drivers\gmreadme.txt.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c   cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
  File opened for modification  C:\Windows\System32\drivers\gmreadme.txt.d7fbc8fb-4ba8-4e28-bf84-d64cab96cc4c   cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory (356 IoCs)
Drops file in Program Files directory (11142 IoCs)
Drops file in Windows directory 13899 IoCs
Processes:
cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe
"C:\Users\Admin\AppData\Local\Temp\cd49c58defedd1594ad6c93c1019385e171e10bede1995eecd74540debfd942c.exe"
- Drops file in Drivers directory
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:3056