BalajiRavichandran
Guest
Hi Alert,
I manage antivirus for a company. We use Windows Defender AV. Our OS is Windows 10 v1809.
I am getting alerts from machines where I can see my user ID in the logs, but I actually didn't log in to those machines at the time of infection.
Alert:
Detection time(UTC time): 4/26/2020 3:04:55 PM Malware file path: file:_C:\Users\mark.bowlin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TempState\Downloads\grammarly-keyboard-type-with-confidence_3014778243 (1).exe;webfile:_C:\Users\mark.bowlin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TempState\Downloads\grammarly-keyboard-type-with-confidence_3014778243 (1).exe|balaji.shanmugavel%40capitalone.com%7C9ba54c461d874e42dc8f08d7e9f39f67%7C9e66e0b4768c4506a1b67e44c80595f2%7C0%7C0%7C637235104869506941&sdata=hMf1zUXuhNOubK5FGzn9nPreOQwLh%2Fja645pp3sKxa0%3D&reserved=0
Remediation action: Remove
Action status: Succeeded
If I decode the URL part of the log message, I get something like this:
*** Email address is removed for privacy ***|9ba54c461d874e42dc8f08d7e9f39f67|9e66e0b4768c4506a1b67e44c80595f2|0|0|637235104869506941&sdata=hMf1zUXuhNOubK5FGzn9nPreOQwLh/ja645pp3sKxa0=&reserved=0
I can see similar alerts on multiple machines. Can you please explain what is going on?
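Added triage helper, not part of the post above and not Microsoft's code: it splits a Defender "Malware file path" field into its `file:_` and `webfile:_` resources, percent-decodes the tail that follows the `|` in the webfile entry, and separates the profile owner named in the path (`C:\Users\<name>\`) from any identity-looking strings embedded in that decoded tail, so each can be checked against logon records on its own. The sample alert is constructed from the one quoted in the post with the e-mail address replaced by a placeholder. Two things are assumptions of mine rather than statements from the post: that the webfile entry has the shape `<local path>|<percent-encoded download source>`, and that the 18-digit last field is a .NET DateTime tick count (`ticks_to_utc` converts it under that assumption so it can be compared with the detection time).

```python
import re
from datetime import datetime, timedelta
from urllib.parse import unquote

# Constructed sample, modelled on the alert quoted in the post. The e-mail
# address is a placeholder (the page shows it redacted); the hex values and
# query string are copied from the post as printed.
SAMPLE_ALERT = (
    "Detection time(UTC time): 4/26/2020 3:04:55 PM Malware file path: "
    "file:_C:\\Users\\mark.bowlin\\AppData\\Local\\Packages\\"
    "Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\TempState\\Downloads\\"
    "grammarly-keyboard-type-with-confidence_3014778243 (1).exe;"
    "webfile:_C:\\Users\\mark.bowlin\\AppData\\Local\\Packages\\"
    "Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\TempState\\Downloads\\"
    "grammarly-keyboard-type-with-confidence_3014778243 (1).exe"
    "|user%40example.com%7C9ba54c461d874e42dc8f08d7e9f39f67"
    "%7C9e66e0b4768c4506a1b67e44c80595f2%7C0%7C0%7C637235104869506941"
    "&sdata=hMf1zUXuhNOubK5FGzn9nPreOQwLh%2Fja645pp3sKxa0%3D&reserved=0"
    " Remediation action: Remove Action status: Succeeded"
)

# Field layout as it appears in the post; re.S lets the path span newlines.
ALERT_RE = re.compile(
    r"Detection time\(UTC time\):\s*(?P<time>.+?)\s+"
    r"Malware file path:\s*(?P<resources>.+?)\s+"
    r"Remediation action:\s*(?P<remediation>\S+)\s+"
    r"Action status:\s*(?P<status>\S+)",
    re.S,
)
# Profile owner is the first directory under \Users\.
PROFILE_RE = re.compile(r"^[A-Za-z]:\\Users\\([^\\]+)\\")


def ticks_to_utc(ticks):
    """Assumption (mine): the 18-digit field is a .NET DateTime tick count,
    100 ns units since 0001-01-01 UTC. Returns a naive UTC datetime."""
    return datetime(1, 1, 1) + timedelta(seconds=int(ticks) // 10**7)


def parse_resource(part):
    """Parse one 'file:_...' or 'webfile:_...' entry into a dict."""
    kind, sep, value = part.partition(":_")
    if not sep:
        raise ValueError(f"unexpected resource entry: {part!r}")
    entry = {"type": kind, "path": value}
    if kind == "webfile" and "|" in value:
        # Assumption (mine): "<local path>|<percent-encoded download source>".
        path, _, source = value.partition("|")
        decoded = unquote(source)
        head, _, query = decoded.partition("&")  # pipe-delimited part, then query
        entry["path"] = path
        entry["source_decoded"] = decoded
        entry["source_fields"] = head.split("|")
        entry["source_query"] = dict(
            kv.split("=", 1) for kv in query.split("&") if "=" in kv
        )
    m = PROFILE_RE.match(entry["path"])
    entry["profile_user"] = m.group(1) if m else None
    return entry


def parse_alert(text):
    """Split a Defender alert line into time, remediation, status and resources."""
    m = ALERT_RE.search(text)
    if not m:
        raise ValueError("unrecognised alert format")
    resources = [parse_resource(p) for p in m.group("resources").split(";")]
    return {
        "detection_time": m.group("time"),
        "remediation": m.group("remediation"),
        "status": m.group("status"),
        "resources": resources,
    }


def summarise(alert):
    """Keep the profile owner(s) from the path apart from identities that
    merely appear inside the decoded download source."""
    profiles = {r["profile_user"] for r in alert["resources"] if r["profile_user"]}
    embedded = [f for r in alert["resources"]
                for f in r.get("source_fields", []) if "@" in f]
    return {"profile_users": sorted(profiles), "embedded_identities": embedded}


if __name__ == "__main__":
    parsed = parse_alert(SAMPLE_ALERT)
    print(summarise(parsed))
    for r in parsed["resources"]:
        print(r["type"], r["path"])
        for f in r.get("source_fields", []):
            if f.isdigit() and len(f) == 18:
                print("  tick-shaped field ->", ticks_to_utc(f).isoformat(), "(assumed)")
```

The point of `summarise` is that the profile name in the path records whose Edge download directory the file was removed from, while anything inside the percent-encoded tail is just data carried along in the download source; treating the two separately avoids reading the second as a logon.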