Analysis
-
max time kernel
129s -
max time network
158s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220112 -
submitted
05/03/2022, 18:31
Static task
static1
Behavioral task
behavioral1
Sample
eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe
Resource
win7-en-20211208
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe
Resource
win10v2004-en-20220112
windows10-2004_x64
0 signatures
0 seconds
General
-
Target
eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe
-
Size
10.4MB
-
MD5
42469bbd43954d8ed09b27899b25ffb0
-
SHA1
55fee15384316826fa1e5f8317ceda1adf1695d5
-
SHA256
eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936
-
SHA512
e4f1b7cb3c27bb99ab1e53c4466a1be9ce3a506af060416e08c917c33a5a75803a7329b2e085b8db5039567237c427ba006d3c8d80e795e5805e749504aa008c
Score
10/10
Malware Config
Extracted
Path
C:\Users\Admin\Desktop\README.txt
Ransom Note
hey Down!
Seems like you got hit by CoderWare ransomware!
warning: take a screenshot of this place. If you lose the information here, you'll never get to us. and it would be impossible to get your dosys
Don't Panic, you get have your files back!
CoderWare uses a basic encryption script to lock your files.This type of ransomware is known as CRYPTO.
You'll need a decryption key in order to unlock your files.
Your files will be deleted when the timer runs out, so you better hurry.You have 10 hours to find your key
When you pay >>> 1000$ <<< to the Bitcoin address below,
you will need to send a single as proof to our e-mail address,
and if the receipt is correct, your code to decrypt our files to your e-mail address. It will be sent back to you via e-mail.
But you have to be quick for that. Because you have 10 hours. If you do not pay within 10 hours, your files will be permanently deleted.
And it would be out of reach again. If you don't know how to get bitcoin.
https://buy.moonpay.io
can quickly get your credit or debit card online from the website.
Please type the bitcoin address shown on the screen in the wallet field on the website. If you try to shut it down by force,
you'll lose your dosys. because if you lose your bitcoin address,
you won't be able to pay. and you'll never get your files back.
email: [email protected]
bitcion Adress : 336Fvf8fRrpySwq8gsaWdf7gfuGm5FQi8K
telegram : @Codersan
whatsap: +63 997 401 3126
Emails
Wallets
336Fvf8fRrpySwq8gsaWdf7gfuGm5FQi8K
Signatures
-
DemonWare
Ransomware first seen in mid-2020.
-
Drops file in Drivers directory 1 IoCs
description ioc Process File created C:\Windows\SysWOW64\drivers\gmreadme.txt eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe -
Modifies extensions of user files 2 IoCs
Ransomware generally changes the extension on encrypted files.
description ioc Process File renamed C:\Users\Admin\Pictures\AddConvert.png => C:\Users\Admin\Pictures\AddConvert.png.DEMON eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File renamed C:\Users\Admin\Pictures\OpenConvertFrom.png => C:\Users\Admin\Pictures\OpenConvertFrom.png.DEMON eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe -
Loads dropped DLL 32 IoCs
pid Process 1884 eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe 1884 eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe 1884 eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe 1884 eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe 1884 eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe 1884 eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe 1884 eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe 1884 eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe 1884 eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe 1884 eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe 1884 eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe 1884 eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe 1884 eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe 1884 eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe 1884 eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe 1884 eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe 1884 eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe 1884 eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe 1884 eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe 1884 eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe 1884 eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe 1884 eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe 1884 eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe 1884 eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe 1884 eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe 1884 eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe 1884 eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe 1884 eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe 1884 eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe 1884 eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe 1884 eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe 1884 eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\dplaysvr.exe eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Windows\SysWOW64\ktmutil.exe eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Windows\SysWOW64\proquota.exe eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Windows\SysWOW64\regsvr32.exe eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Windows\SysWOW64\regedit.exe eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Windows\SysWOW64\calc.exe eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Windows\SysWOW64\chkntfs.exe eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Windows\SysWOW64\curl.exe eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Windows\SysWOW64\psr.exe eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Windows\SysWOW64\SndVol.exe eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Windows\SysWOW64\stordiag.exe eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Windows\SysWOW64\WinRTNetMUAHostServer.exe eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Windows\SysWOW64\find.exe eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Windows\SysWOW64\fsquirt.exe eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Windows\SysWOW64\ntprint.exe eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Windows\SysWOW64\powercfg.exe eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Windows\SysWOW64\sdbinst.exe eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Windows\SysWOW64\SystemPropertiesComputerName.exe eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Windows\SysWOW64\diskpart.exe eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Windows\SysWOW64\iscsicli.exe eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Windows\SysWOW64\poqexec.exe eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Windows\SysWOW64\Register-CimProvider.exe eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Windows\SysWOW64\fixmapi.exe eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Windows\SysWOW64\Netplwiz.exe eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Windows\SysWOW64\Taskmgr.exe eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exe eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Windows\SysWOW64\rrinstaller.exe eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Windows\SysWOW64\SecurityAndMaintenance_Error.png eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Windows\SysWOW64\write.exe eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Windows\SysWOW64\appidtel.exe eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Windows\SysWOW64\taskkill.exe eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Windows\SysWOW64\wbem\WMIC.exe eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Windows\SysWOW64\fc.exe eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Windows\SysWOW64\Utilman.exe eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Windows\SysWOW64\printui.exe eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Windows\SysWOW64\resmon.exe eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Windows\SysWOW64\Bthprops\@BthpropsNotificationLogo.png eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Windows\SysWOW64\at.exe eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Windows\SysWOW64\certutil.exe eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Windows\SysWOW64\dpapimig.exe eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Windows\SysWOW64\perfmon.exe eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Windows\SysWOW64\@EnrollmentToastIcon.png eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Windows\SysWOW64\mfpmp.exe eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Windows\SysWOW64\sxstrace.exe eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Windows\SysWOW64\xwizard.exe eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Windows\SysWOW64\mmc.exe eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Windows\SysWOW64\RmClient.exe eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Windows\SysWOW64\typeperf.exe eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Windows\SysWOW64\verclsid.exe eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Windows\SysWOW64\dllhost.exe eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Windows\SysWOW64\msfeedssync.exe eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Windows\SysWOW64\rundll32.exe eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\default.help.txt eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Windows\SysWOW64\SyncHost.exe eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Windows\SysWOW64\SystemPropertiesAdvanced.exe eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Windows\SysWOW64\tar.exe eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Windows\SysWOW64\wowreg32.exe eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Windows\SysWOW64\bthudtask.exe eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Windows\SysWOW64\compact.exe eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Windows\SysWOW64\logman.exe eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Windows\SysWOW64\mspaint.exe eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Windows\SysWOW64\InstallShield\_isdel.exe eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Windows\SysWOW64\recover.exe eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Windows\SysWOW64\WerFaultSecure.exe eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File created C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Gravel.jpg eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-72_altform-unplated.png eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\ExchangeSmallTile.scale-125.png eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\AppIcon.targetsize-40_altform-unplated.png eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Advanced-Dark.scale-150.png eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\AppPackageMedTile.scale-100_contrast-black.png eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\WhatsNew.Store.exe eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\MedTile.scale-400_contrast-white.png eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\Date.targetsize-64_contrast-black.png eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\LiveTile\7px.png eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Win10\Classic\Spider.Medium.png eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\Scientific.targetsize-64_contrast-black.png eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\LinkedInboxWideTile.scale-200.png eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailSplashLogo.scale-125.png eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Win10\MicrosoftSolitaireAppList.targetsize-96_altform-lightunplated_devicefamily-colorfulunplated.png eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\7734_36x36x32.png eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSectionGroupSmallTile.scale-100.png eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\faf_icons.png eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Home\contrast-white\LargeTile.scale-100.png eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\ClientOSub2019_eula.txt eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNotePageWideTile.scale-150.png eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\SmallTile.scale-125_contrast-black.png eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteNotebookMedTile.scale-150.png eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-256_altform-lightunplated.png eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailAppList.targetsize-60_altform-unplated.png eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.scale-100.png eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppPackageWideTile.scale-100.png eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailAppList.targetsize-60.png eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\StoreLogo.scale-100_contrast-white.png eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarBadge.scale-400.png eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailAppList.targetsize-16_altform-unplated.png eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Car\RTL\contrast-white\LargeTile.scale-200.png eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\SplashScreen.scale-400.png eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\onboarding\landing_page_search_for_friends_v1.png eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\FetchingMail-Dark.scale-400.png eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsLargeTile.scale-100.png eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Program Files (x86)\Windows NT\TableTextService\TableTextServiceYi.txt eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteNewNoteWideTile.scale-150.png eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-20_contrast-black.png eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-white_targetsize-16_altform-unplated.png eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsStoreLogo.scale-200.png eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\Ratings\Yelp7.scale-200.png eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-white_targetsize-36.png eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\en-US\about_should.help.txt eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\RTL\contrast-white\LargeTile.scale-125.png eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Outlook.scale-125.png eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsAppList.targetsize-256.png eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-256_altform-unplated_contrast-white_devicefamily-colorfulunplated.png eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Win10\MicrosoftSolitaireAppList.targetsize-256_altform-unplated_contrast-black_devicefamily-colorfulunplated.png eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AlarmsSplashScreen.contrast-black_scale-100.png eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Outlook.scale-150.png eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteSectionLargeTile.scale-400.png eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\SmallTile.scale-125_contrast-white.png eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-96_altform-unplated.png eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\GenericMailMediumTile.scale-100.png eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailAppList.scale-100.png eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\forms_poster.jpg eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppPackageStoreLogo.scale-100.png eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\Wide310x150Logo.scale-150.png eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-16.png eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\MicrosoftAccount.scale-100.png eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\ExchangeSmallTile.scale-400.png eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-64_contrast-white.png eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe -
Drops file in Windows directory 64 IoCs
description ioc Process File created C:\Windows\SystemApps\microsoft.windows.narratorquickstart_8wekyb3d8bbwe\assets\NarratorUWPSquare150x150Logo.scale-400_contrast-white.png eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Windows\SystemApps\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\Assets\Square310x310Logo.contrast-white_scale-100.png eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Windows\SystemResources\Windows.UI.AccountsControl\Images\Generic.Theme-Light_Scale-300.png eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Windows\SystemResources\Windows.UI.Shell\Images\Icon_MMXresume.contrast-black_scale-100.png eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Windows\ImmersiveControlPanel\images\Apps.png eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\common\DomMutations\images\domSelectAllBreakpoints.png eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Windows\SystemApps\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\Assets\Square150x150Logo.contrast-black_scale-200.png eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Windows\SystemResources\Windows.UI.AccountsControl\Images\Exchange.Theme-Dark_Scale-200.png eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Windows\SystemResources\Windows.UI.ShellCommon\Images\SIMLockToast.scale-200.png eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Windows\ImmersiveControlPanel\images\logo.contrast-white_scale-200.png eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\common\images\debuggerNextTab.png eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Windows\SystemApps\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\Assets\BadgeLogo.contrast-white_scale-100.png eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Windows\SystemApps\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\XGpuEjectDialog.exe eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Windows\SystemResources\Windows.UI.ShellCommon\Images\WiFiNetworkManagerToast.scale-200_contrast-black.png eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\SQL\en\Tracking_Schema.sql eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Windows\SystemApps\Microsoft.Windows.CallingShellApp_cw5n1h2txyewy\Assets\Square44x44Logo.targetsize-20_altform-unplated.png eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Windows\SystemApps\microsoft.windows.narratorquickstart_8wekyb3d8bbwe\assets\NarratorUWPSquare150x150Logo.scale-200.png eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\cache\Desktop\26.txt eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Windows\SystemApps\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\Assets\Square44x44Logo.contrast-black_scale-150.png eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\SQL\it\SqlPersistenceService_Logic.sql eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\common\images\i_delete.png eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\Assets\Icons\contrast-black\MediumTile.scale-400.png eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Windows\SystemApps\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\Assets\SquareTile310x150.scale-400.png eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\common\images\previewTabIcon.png eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Windows\SystemApps\Microsoft.Windows.CallingShellApp_cw5n1h2txyewy\Assets\wide310x150logo.scale-125_contrast-white.png eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\SQL\en\SqlPersistenceProviderLogic.sql eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Windows\SystemApps\Microsoft.Windows.CallingShellApp_cw5n1h2txyewy\Assets\square44x44logo.scale-200_contrast-white.png eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Windows\SystemApps\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\Assets\Wide310x150Logo.contrast-white_scale-400.png eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\media\CortanaAnimation.gif eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Windows\SystemApps\Microsoft.Windows.FileExplorer_cw5n1h2txyewy\Assets\PPIRemovableStorageDevicesSquareTile150x150.scale-400.png eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Windows\SystemApps\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\Assets\PeopleLogo.targetsize-16_altform-unplated.png eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\storage\images\cookies.png eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Windows\SystemApps\microsoft.windows.narratorquickstart_8wekyb3d8bbwe\assets\NarratorUWPStoreLogo.scale-200_contrast-black.png eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\Assets\StoreLogo.scale-150.png eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallPersistSqlState.sql eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Windows\SystemApps\Microsoft.Windows.CallingShellApp_cw5n1h2txyewy\Assets\wide310x150logo.scale-200_contrast-white.png eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Windows\SystemApps\microsoft.windows.narratorquickstart_8wekyb3d8bbwe\assets\NarratorUWPSquare44x44Logo.targetsize-64_altform-unplated.png eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\storage\images\cacheIcon.png eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\Assets\WideLogo310x150.scale-200.png eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Windows\SystemResources\Windows.UI.ShellCommon\Images\WiFiNetworkManagerToast.scale-125_contrast-white.png eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\SQL\en\SqlWorkflowInstanceStoreLogic.sql eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Windows\SystemApps\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\Assets\PasswordExpiry.contrast-white_scale-150.png eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Windows\SystemResources\Windows.UI.Shell\Images\TabletMode.scale-400.png eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Windows\ImmersiveControlPanel\images\DefaultPinTile.png eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Windows\SystemApps\microsoft.windows.narratorquickstart_8wekyb3d8bbwe\assets\NarratorUWPSplashScreen.scale-150.png eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Windows\SystemApps\microsoft.windows.narratorquickstart_8wekyb3d8bbwe\assets\NarratorUWPSquare44x44Logo.scale-150_contrast-black.png eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Windows\SystemResources\Windows.UI.Shell\Images\RequestedDownloadsLargeCloudIcon.scale-400.png eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Windows\Web\Wallpaper\Theme1\img4.jpg eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\debugger\Watches\images\addWatch.png eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\cache\Desktop\19.txt eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\Assets\SquareLogo150x150.scale-100.png eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\ScreenClipping\ScreenClipping\Assets\Wide310x150Logo.scale-200.png eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Windows\SystemApps\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\UndockedDevKit.exe eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AcroRd32Info.exe eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Windows\SystemApps\Microsoft.Windows.CallingShellApp_cw5n1h2txyewy\Assets\Splashscreen.scale-125_contrast-white.png eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Windows\SystemApps\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\Assets\SmallLogo.scale-100.png eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\dom\images\AddNewRuleIcon.png eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\Assets\Icons\contrast-black\SmallTile.scale-200.png eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Windows\SystemResources\Windows.UI.Shell\Images\LocationIcon.contrast-white_scale-400.png eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Windows\Web\Wallpaper\Theme1\img1.jpg eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\header\Images\feedback.png eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Windows\SystemResources\Windows.UI.AccountsControl\Images\Exchange.Theme-Dark_Scale-400.png eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe File created C:\Windows\ImmersiveControlPanel\images\logo.contrast-black_scale-100.png eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: 35 1884 eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 1944 wrote to memory of 1884 1944 eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe 60 PID 1944 wrote to memory of 1884 1944 eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe 60 PID 1944 wrote to memory of 1884 1944 eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe 60
Processes
-
C:\Users\Admin\AppData\Local\Temp\eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe"C:\Users\Admin\AppData\Local\Temp\eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1944 -
C:\Users\Admin\AppData\Local\Temp\eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe"C:\Users\Admin\AppData\Local\Temp\eb5d1a7f5c72d558d6ed414c8ed82f478e130003c7a11402129a741223262936.exe"2⤵
- Drops file in Drivers directory
- Modifies extensions of user files
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1884
-