resource	yara_rule
behavioral5/memory/3080-0-0x0000000000400000-0x000000000060B000-memory.dmp	upx
behavioral5/memory/3080-2-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral5/memory/3080-3-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral5/memory/3080-4-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral5/memory/3080-5-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral5/memory/3080-6-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral5/memory/3080-10-0x0000000000400000-0x000000000060B000-memory.dmp	upx
behavioral5/memory/3080-11-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral5/memory/3080-14-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral5/memory/3080-35-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral5/memory/3080-36-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral5/memory/3080-40-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral5/memory/3080-42-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral5/memory/3080-45-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral5/memory/3080-47-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral5/memory/3080-52-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral5/memory/3080-50-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral5/memory/3080-54-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral5/memory/3080-57-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral5/memory/3080-58-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral5/memory/3080-59-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral5/memory/3080-61-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral5/memory/3080-60-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral5/memory/3080-65-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral5/memory/3080-66-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral5/memory/3080-70-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral5/memory/3080-71-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral5/memory/3080-75-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral5/memory/3080-80-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral5/memory/3080-81-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral5/memory/3080-76-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral5/memory/3080-85-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral5/memory/3080-86-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral5/memory/3080-90-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral5/memory/3080-91-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral5/memory/3080-95-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral5/memory/3080-96-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral5/memory/3080-101-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral5/memory/3080-102-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral5/memory/3080-103-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral5/memory/3080-104-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral5/memory/3080-105-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral5/memory/3080-107-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral5/memory/3080-108-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral5/memory/3080-110-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral5/memory/3080-111-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral5/memory/3080-113-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral5/memory/3080-115-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral5/memory/3080-116-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral5/memory/3080-118-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral5/memory/3080-121-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral5/memory/3080-123-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral5/memory/3080-126-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral5/memory/3080-128-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral5/memory/3080-129-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral5/memory/3080-127-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral5/memory/3080-125-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral5/memory/3080-124-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral5/memory/3080-122-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral5/memory/3080-120-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral5/memory/3080-119-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral5/memory/3080-117-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral5/memory/3080-114-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral5/memory/3080-112-0x0000000000400000-0x00000000005DE000-memory.dmp	upx

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-8492748-3358837828-1435473090-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\""	c4a48fbe5df0c9b765899f3edf6e1003fd3a2a6bcc39d1b3a0343bb246b78856.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\""	c4a48fbe5df0c9b765899f3edf6e1003fd3a2a6bcc39d1b3a0343bb246b78856.exe

description	ioc	Process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.40978.0_x64__8wekyb3d8bbwe\Assets\contrast-black\SplashScreen.scale-150_contrast-black.png	c4a48fbe5df0c9b765899f3edf6e1003fd3a2a6bcc39d1b3a0343bb246b78856.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.2008.32311.0_x64__8wekyb3d8bbwe\Assets\contrast-black\GetHelpAppList.targetsize-30_altform-unplated_contrast-black.png	c4a48fbe5df0c9b765899f3edf6e1003fd3a2a6bcc39d1b3a0343bb246b78856.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneVideo_10.21012.10511.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\Logo.scale-125.png	c4a48fbe5df0c9b765899f3edf6e1003fd3a2a6bcc39d1b3a0343bb246b78856.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe\Images\SplashScreen.scale-400.png	c4a48fbe5df0c9b765899f3edf6e1003fd3a2a6bcc39d1b3a0343bb246b78856.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_1.0.36.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AlarmsMedTile.scale-100.png	c4a48fbe5df0c9b765899f3edf6e1003fd3a2a6bcc39d1b3a0343bb246b78856.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1909.12456.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PeopleAppList.targetsize-96_altform-lightunplated.png	c4a48fbe5df0c9b765899f3edf6e1003fd3a2a6bcc39d1b3a0343bb246b78856.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.6.3102.0_x64__8wekyb3d8bbwe\Win10\MicrosoftSolitaireAppList.targetsize-80_altform-unplated.png	c4a48fbe5df0c9b765899f3edf6e1003fd3a2a6bcc39d1b3a0343bb246b78856.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.42251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageWideTile.scale-200_contrast-white.png	c4a48fbe5df0c9b765899f3edf6e1003fd3a2a6bcc39d1b3a0343bb246b78856.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_1.0.38.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.targetsize-20_altform-unplated_contrast-white.png	c4a48fbe5df0c9b765899f3edf6e1003fd3a2a6bcc39d1b3a0343bb246b78856.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-white\EmptyCalendarSearch.scale-400.png	c4a48fbe5df0c9b765899f3edf6e1003fd3a2a6bcc39d1b3a0343bb246b78856.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-36.png	c4a48fbe5df0c9b765899f3edf6e1003fd3a2a6bcc39d1b3a0343bb246b78856.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.41182.0_x64__8wekyb3d8bbwe\Assets\contrast-white\WideTile.scale-100_contrast-white.png	c4a48fbe5df0c9b765899f3edf6e1003fd3a2a6bcc39d1b3a0343bb246b78856.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.41182.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-96_contrast-black.png	c4a48fbe5df0c9b765899f3edf6e1003fd3a2a6bcc39d1b3a0343bb246b78856.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.40831.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-60_altform-unplated.png	c4a48fbe5df0c9b765899f3edf6e1003fd3a2a6bcc39d1b3a0343bb246b78856.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Paint_10.2104.17.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PaintAppList.targetsize-80.png	c4a48fbe5df0c9b765899f3edf6e1003fd3a2a6bcc39d1b3a0343bb246b78856.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.21012.10511.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-32.png	c4a48fbe5df0c9b765899f3edf6e1003fd3a2a6bcc39d1b3a0343bb246b78856.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_1.0.22.0_x64__8wekyb3d8bbwe\Assets\AppTiles\MapsAppList.targetsize-40.png	c4a48fbe5df0c9b765899f3edf6e1003fd3a2a6bcc39d1b3a0343bb246b78856.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailAppList.targetsize-80.png	c4a48fbe5df0c9b765899f3edf6e1003fd3a2a6bcc39d1b3a0343bb246b78856.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_1.0.36.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-24_contrast-white.png	c4a48fbe5df0c9b765899f3edf6e1003fd3a2a6bcc39d1b3a0343bb246b78856.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.32731.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-48_altform-unplated_contrast-white.png	c4a48fbe5df0c9b765899f3edf6e1003fd3a2a6bcc39d1b3a0343bb246b78856.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_11.2104.2.0_x64__8wekyb3d8bbwe\Assets\SnipSketchAppList.targetsize-30_altform-unplated.png	c4a48fbe5df0c9b765899f3edf6e1003fd3a2a6bcc39d1b3a0343bb246b78856.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Paint_10.2104.17.0_x64__8wekyb3d8bbwe\Assets\PaintAppList.targetsize-64_altform-unplated.png	c4a48fbe5df0c9b765899f3edf6e1003fd3a2a6bcc39d1b3a0343bb246b78856.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\node_modules\@uifabric\utilities\lib-commonjs\version.js	c4a48fbe5df0c9b765899f3edf6e1003fd3a2a6bcc39d1b3a0343bb246b78856.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.21012.10511.0_x64__8wekyb3d8bbwe\Assets\SmallLogo.scale-200.png	c4a48fbe5df0c9b765899f3edf6e1003fd3a2a6bcc39d1b3a0343bb246b78856.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe\Images\Square44x44Logo.targetsize-80_altform-unplated_contrast-white.png	c4a48fbe5df0c9b765899f3edf6e1003fd3a2a6bcc39d1b3a0343bb246b78856.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe\Images\Square44x44Logo.targetsize-30_contrast-white.png	c4a48fbe5df0c9b765899f3edf6e1003fd3a2a6bcc39d1b3a0343bb246b78856.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailAppList.targetsize-96.png	c4a48fbe5df0c9b765899f3edf6e1003fd3a2a6bcc39d1b3a0343bb246b78856.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\node_modules\@uifabric\utilities\lib\customizations\useCustomizationSettings.js	c4a48fbe5df0c9b765899f3edf6e1003fd3a2a6bcc39d1b3a0343bb246b78856.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.50.24002.0_x64__8wekyb3d8bbwe\Assets\GameBar_WideTile.scale-200.png	c4a48fbe5df0c9b765899f3edf6e1003fd3a2a6bcc39d1b3a0343bb246b78856.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\HxCalendarSmallTile.scale-200.png	c4a48fbe5df0c9b765899f3edf6e1003fd3a2a6bcc39d1b3a0343bb246b78856.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingNews_1.0.6.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\NewsAppList.targetsize-16_altform-lightunplated_contrast-black.png	c4a48fbe5df0c9b765899f3edf6e1003fd3a2a6bcc39d1b3a0343bb246b78856.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.50.24002.0_x64__8wekyb3d8bbwe\Assets\MixerBranding\mixer_logo.png	c4a48fbe5df0c9b765899f3edf6e1003fd3a2a6bcc39d1b3a0343bb246b78856.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.2103.1172.0_x64__8wekyb3d8bbwe\Assets\contrast-white\FeedbackHubAppList.targetsize-32.png	c4a48fbe5df0c9b765899f3edf6e1003fd3a2a6bcc39d1b3a0343bb246b78856.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailAppList.targetsize-72.png	c4a48fbe5df0c9b765899f3edf6e1003fd3a2a6bcc39d1b3a0343bb246b78856.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_11.2104.2.0_x64__8wekyb3d8bbwe\SnippingTool\Assets\LargeTile.scale-200.png	c4a48fbe5df0c9b765899f3edf6e1003fd3a2a6bcc39d1b3a0343bb246b78856.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib-amd\components\ComboBox\index.js	c4a48fbe5df0c9b765899f3edf6e1003fd3a2a6bcc39d1b3a0343bb246b78856.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.21012.10511.0_x64__8wekyb3d8bbwe\Assets\FileExtension.targetsize-40.png	c4a48fbe5df0c9b765899f3edf6e1003fd3a2a6bcc39d1b3a0343bb246b78856.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_1.0.6.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\WeatherSmallTile.scale-100_contrast-white.png	c4a48fbe5df0c9b765899f3edf6e1003fd3a2a6bcc39d1b3a0343bb246b78856.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib\components\DetailsList\DetailsColumn.styles.js	c4a48fbe5df0c9b765899f3edf6e1003fd3a2a6bcc39d1b3a0343bb246b78856.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarLargeTile.scale-150.png	c4a48fbe5df0c9b765899f3edf6e1003fd3a2a6bcc39d1b3a0343bb246b78856.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_12008.1001.1.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\StoreSplashScreen.scale-200.png	c4a48fbe5df0c9b765899f3edf6e1003fd3a2a6bcc39d1b3a0343bb246b78856.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.PowerAutomateDesktop_1.0.65.0_x64__8wekyb3d8bbwe\Images\PowerAutomateAppIcon.altform-lightunplated_targetsize-16.png	c4a48fbe5df0c9b765899f3edf6e1003fd3a2a6bcc39d1b3a0343bb246b78856.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_1.0.38.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\VoiceRecorderSplashScreen.scale-200_contrast-black.png	c4a48fbe5df0c9b765899f3edf6e1003fd3a2a6bcc39d1b3a0343bb246b78856.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.2012.21.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-72_contrast-white.png	c4a48fbe5df0c9b765899f3edf6e1003fd3a2a6bcc39d1b3a0343bb246b78856.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_12104.1001.1.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\StoreLargeTile.scale-125.png	c4a48fbe5df0c9b765899f3edf6e1003fd3a2a6bcc39d1b3a0343bb246b78856.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\TrebuchetMs.xml	c4a48fbe5df0c9b765899f3edf6e1003fd3a2a6bcc39d1b3a0343bb246b78856.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.21012.10511.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.scale-200_contrast-black.png	c4a48fbe5df0c9b765899f3edf6e1003fd3a2a6bcc39d1b3a0343bb246b78856.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe\Images\Square44x44Logo.targetsize-16_contrast-white.png	c4a48fbe5df0c9b765899f3edf6e1003fd3a2a6bcc39d1b3a0343bb246b78856.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_21.21030.25003.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\PhotosSmallTile.contrast-black_scale-100.png	c4a48fbe5df0c9b765899f3edf6e1003fd3a2a6bcc39d1b3a0343bb246b78856.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Todos_0.33.33351.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.targetsize-16.png	c4a48fbe5df0c9b765899f3edf6e1003fd3a2a6bcc39d1b3a0343bb246b78856.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1909.12456.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PeopleAppList.targetsize-36.png	c4a48fbe5df0c9b765899f3edf6e1003fd3a2a6bcc39d1b3a0343bb246b78856.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.21012.10511.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-16_altform-lightunplated_contrast-white.png	c4a48fbe5df0c9b765899f3edf6e1003fd3a2a6bcc39d1b3a0343bb246b78856.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarWideTile.scale-200.png	c4a48fbe5df0c9b765899f3edf6e1003fd3a2a6bcc39d1b3a0343bb246b78856.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Google.scale-300.png	c4a48fbe5df0c9b765899f3edf6e1003fd3a2a6bcc39d1b3a0343bb246b78856.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_1.0.36.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-48.png	c4a48fbe5df0c9b765899f3edf6e1003fd3a2a6bcc39d1b3a0343bb246b78856.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL118.XML	c4a48fbe5df0c9b765899f3edf6e1003fd3a2a6bcc39d1b3a0343bb246b78856.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-black_scale-180.png	c4a48fbe5df0c9b765899f3edf6e1003fd3a2a6bcc39d1b3a0343bb246b78856.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\lib-commonjs\fonts\FluentFonts.js	c4a48fbe5df0c9b765899f3edf6e1003fd3a2a6bcc39d1b3a0343bb246b78856.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib\Positioning.js	c4a48fbe5df0c9b765899f3edf6e1003fd3a2a6bcc39d1b3a0343bb246b78856.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsNotepad_10.2102.13.0_x64__8wekyb3d8bbwe\Assets\NotepadAppList.scale-125.png	c4a48fbe5df0c9b765899f3edf6e1003fd3a2a6bcc39d1b3a0343bb246b78856.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-white\ExchangeLargeTile.scale-125.png	c4a48fbe5df0c9b765899f3edf6e1003fd3a2a6bcc39d1b3a0343bb246b78856.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\profilePic.png	c4a48fbe5df0c9b765899f3edf6e1003fd3a2a6bcc39d1b3a0343bb246b78856.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\MicrosoftLogo.scale-200.png	c4a48fbe5df0c9b765899f3edf6e1003fd3a2a6bcc39d1b3a0343bb246b78856.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\ExchangeSmallTile.scale-100.png	c4a48fbe5df0c9b765899f3edf6e1003fd3a2a6bcc39d1b3a0343bb246b78856.exe

pid	Process
3080	c4a48fbe5df0c9b765899f3edf6e1003fd3a2a6bcc39d1b3a0343bb246b78856.exe
3080	c4a48fbe5df0c9b765899f3edf6e1003fd3a2a6bcc39d1b3a0343bb246b78856.exe
3080	c4a48fbe5df0c9b765899f3edf6e1003fd3a2a6bcc39d1b3a0343bb246b78856.exe
3080	c4a48fbe5df0c9b765899f3edf6e1003fd3a2a6bcc39d1b3a0343bb246b78856.exe

description	pid	Process
Token: SeBackupPrivilege	3456	vssvc.exe
Token: SeRestorePrivilege	3456	vssvc.exe
Token: SeAuditPrivilege	3456	vssvc.exe
Token: SeShutdownPrivilege	3136	explorer.exe
Token: SeCreatePagefilePrivilege	3136	explorer.exe
Token: SeShutdownPrivilege	3136	explorer.exe
Token: SeCreatePagefilePrivilege	3136	explorer.exe
Token: SeShutdownPrivilege	3136	explorer.exe
Token: SeCreatePagefilePrivilege	3136	explorer.exe
Token: SeShutdownPrivilege	3136	explorer.exe
Token: SeCreatePagefilePrivilege	3136	explorer.exe
Token: SeShutdownPrivilege	3136	explorer.exe
Token: SeCreatePagefilePrivilege	3136	explorer.exe
Token: SeShutdownPrivilege	3136	explorer.exe
Token: SeCreatePagefilePrivilege	3136	explorer.exe

description	pid	Process	procid_target
PID 3080 wrote to memory of 3344	3080	c4a48fbe5df0c9b765899f3edf6e1003fd3a2a6bcc39d1b3a0343bb246b78856.exe	82
PID 3080 wrote to memory of 3344	3080	c4a48fbe5df0c9b765899f3edf6e1003fd3a2a6bcc39d1b3a0343bb246b78856.exe	82
PID 3080 wrote to memory of 1052	3080	c4a48fbe5df0c9b765899f3edf6e1003fd3a2a6bcc39d1b3a0343bb246b78856.exe	86
PID 3080 wrote to memory of 1052	3080	c4a48fbe5df0c9b765899f3edf6e1003fd3a2a6bcc39d1b3a0343bb246b78856.exe	86
PID 3080 wrote to memory of 340	3080	c4a48fbe5df0c9b765899f3edf6e1003fd3a2a6bcc39d1b3a0343bb246b78856.exe	88
PID 3080 wrote to memory of 340	3080	c4a48fbe5df0c9b765899f3edf6e1003fd3a2a6bcc39d1b3a0343bb246b78856.exe	88

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads