Windows Analysis Report
kDRn5EwG6a.exe

Overview

General Information

Sample name: kDRn5EwG6a.exe
renamed because original name is a hash value
Original sample name: 9a2e880c5c4fcbecf71014de4bbeb2db.exe
Analysis ID: 1417364
MD5: 9a2e880c5c4fcbecf71014de4bbeb2db
SHA1: 173089f18ef521b89516319117bf545d33f2e657
SHA256: d5d49fbe4f955416afe5db8c735638cedde326347757e8c57323305480568418
Tags: 32BlackMatterexe
Infos:

Detection

LockBit ransomware, TrojanRansom
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Found ransom note / readme
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected LockBit ransomware
Yara detected TrojanRansom
Changes the wallpaper picture
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Deletes itself after installation
Found Tor onion address
Found potential ransomware demand text
Hides threads from debuggers
Machine Learning detection for sample
Modifies existing user documents (likely ransomware behavior)
Overwrites Mozilla Firefox settings
Tries to harvest and steal browser information (history, passwords, etc)
Writes many files with high entropy
Writes to foreign memory regions
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to clear windows event logs (to hide its activities)
Contains functionality to communicate with device drivers
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Enables debug privileges
Enables security privileges
PE file contains an invalid checksum
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Potentially Suspicious Desktop Background Change Via Registry
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: kDRn5EwG6a.exe Avira: detected
Antivirus detection for URL or domain
Source: http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion Avira URL Cloud: Label: malware
Source: http://lockbitapt.uz Avira URL Cloud: Label: malware
Source: http://lockbitsupp.uz Avira URL Cloud: Label: malware
Source: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion Avira URL Cloud: Label: malware
Source: http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion Avira URL Cloud: Label: malware
Multi AV Scanner detection for domain / URL
Source: http://lockbitapt.uz Virustotal: Detection: 11% Perma Link
Source: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion Virustotal: Detection: 8% Perma Link
Source: http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion Virustotal: Detection: 12% Perma Link
Source: http://lockbitsupp.uz Virustotal: Detection: 10% Perma Link
Source: http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion Virustotal: Detection: 8% Perma Link
Multi AV Scanner detection for submitted file
Source: kDRn5EwG6a.exe Virustotal: Detection: 84% Perma Link
Machine Learning detection for sample
Source: kDRn5EwG6a.exe Joe Sandbox ML: detected
Uses 32bit PE files
Source: kDRn5EwG6a.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\Videos\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\Searches\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\Saved Games\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\Recent\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\Pictures\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\Pictures\Saved Pictures\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\Pictures\Camera Roll\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\OneDrive\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\Music\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\Links\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\Favorites\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\Favorites\Links\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\Downloads\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\Documents\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\Documents\ZTGJILHXQB\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\Documents\YPSIACHYXW\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\Documents\XZXHAVGRAG\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\Documents\UMMBDNEQBN\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\Documents\NHPKIZUUSG\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\Documents\MXPXCVPDVN\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\Documents\LSBIHQFDVT\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\Documents\KATAXZVCPS\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\Documents\JSDNGYCOWY\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\Documents\FENIVHOIKN\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\Documents\DTBZGIOOSO\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\Documents\AIXACVYBSB\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\Desktop\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\Desktop\ZTGJILHXQB\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\Desktop\YPSIACHYXW\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\Desktop\XZXHAVGRAG\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\Desktop\UMMBDNEQBN\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\Desktop\NHPKIZUUSG\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\Desktop\MXPXCVPDVN\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\Desktop\LSBIHQFDVT\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\Desktop\KATAXZVCPS\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\Desktop\JSDNGYCOWY\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\Desktop\FENIVHOIKN\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\Desktop\DTBZGIOOSO\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\Desktop\AIXACVYBSB\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\Contacts\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\Skype\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\Skype\RootTools\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\Mozilla\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\to-be-removed\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\temporary\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.files\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3561288849sdhlie.files\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2918063365piupsah.files\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.files\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.files\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.files\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\security_state\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\saved-telemetry-pings\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\minidumps\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\tmp\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\events\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\db\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\events\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\bookmarkbackups\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Pending Pings\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Crash Reports\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Crash Reports\events\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Extensions\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\com.adobe.dunamis\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\com.adobe.dunamis\f2eb6c79-671d-4de2-b7be-3b2eea7abc47\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\com.adobe.dunamis\6d9d9777-7ded-4768-8191-9a707d72b009\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\com.adobe.dunamis\61f56613-c62c-4b17-84dd-62b60d5776aa\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\com.adobe.dunamis\56079431-ea46-4833-94f9-1ff5658cdb1c\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\Adobe\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\Adobe\Sonar\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\Adobe\Sonar\SonarCC\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\Adobe\RTTransfer\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\Adobe\LogTransport2CC\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\Adobe\LogTransport2\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\Adobe\Linguistics\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\Adobe\Headlights\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\Adobe\Flash Player\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\Adobe\Flash Player\NativeCache\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\Adobe\CRLogs\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\Adobe\CRLogs\crashlogs\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\Adobe\Acrobat\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\Adobe\Acrobat\Preflight Acrobat Continuous\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\Security\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\JSCache\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\Forms\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\Collab\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\LocalLow\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\LocalLow\Adobe\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\LocalLow\Adobe\Linguistics\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cookie\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\VideoDecodeStats\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\shared_proto_db\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\shared_proto_db\metadata\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\wasm\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\wasm\index-dir\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\index-dir\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Cache\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Cache\Cache_Data\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\blob_storage\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\blob_storage\d1702bdf-c0c8-42c3-b6d9-e52fd0a57b16\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\LocalLow\Adobe\Acrobat\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\assets\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\Acrobat\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\Acrobat\DesktopNotification\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\Acrobat\DesktopNotification\NotificationsDB\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\VirtualStore\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Temp\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Temp\Symbols\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Temp\mozilla-temp-files\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Temp\Low\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Temp\Diagnostics\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Temp\Diagnostics\EXCEL\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\Acrobat\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\Acrobat\DC\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\Acrobat\DC\SearchEmbdIndex\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Temp\acrocef_low\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Temp\acrobat_sbx\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Temp\acrobat_sbx\Adobe\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Temp\acrobat_sbx\Adobe\Acrobat\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Temp\acrobat_sbx\Adobe\Acrobat\DC\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\SolidDocuments\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\SolidDocuments\Acrobat\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Publishers\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Publishers\8wekyb3d8bbwe\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Publishers\8wekyb3d8bbwe\SettingsContainer\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Publishers\8wekyb3d8bbwe\Microsoft.WindowsAlarms\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Publishers\8wekyb3d8bbwe\Licenses\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Publishers\8wekyb3d8bbwe\Fonts\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\PlaceholderTileLogoFolder\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\PeerDistRepub\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\windows_ie_ac_001\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\windows_ie_ac_001\AC\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\windows_ie_ac_001\AC\Temp\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\TempState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\SystemAppData\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\Settings\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\RoamingState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\LocalState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\LocalCache\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\AppData\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\AC\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\AC\Temp\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\TempState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\SystemAppData\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\Settings\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\RoamingState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalCache\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\AppData\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\AC\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Windows.CBSPreview_cw5n1h2txyewy\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Windows.CBSPreview_cw5n1h2txyewy\TempState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Windows.CBSPreview_cw5n1h2txyewy\SystemAppData\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Windows.CBSPreview_cw5n1h2txyewy\Settings\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Windows.CBSPreview_cw5n1h2txyewy\RoamingState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Windows.CBSPreview_cw5n1h2txyewy\LocalState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Windows.CBSPreview_cw5n1h2txyewy\LocalCache\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Windows.CBSPreview_cw5n1h2txyewy\AppData\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Windows.CBSPreview_cw5n1h2txyewy\AC\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Windows.CBSPreview_cw5n1h2txyewy\AC\Temp\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\TempState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\SystemAppData\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\Settings\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\RoamingState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\LocalState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\LocalCache\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\AppData\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\AC\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\AC\Temp\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\TempState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\SystemAppData\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\Settings\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\RoamingState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\LocalState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\LocalCache\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\AppData\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\AC\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\AC\Temp\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SystemAppData\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\Settings\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\RoamingState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalCache\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AppData\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Temp\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\TempState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\SystemAppData\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\Settings\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\RoamingState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\LocalState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\LocalCache\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\AppData\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\AC\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\AC\Temp\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\TempState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\SystemAppData\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\Settings\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\RoamingState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\LocalState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\LocalCache\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\AppData\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\AC\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\AC\Temp\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\TempState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\SystemAppData\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\Settings\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\RoamingState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\LocalState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\LocalCache\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\AppData\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\AC\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\AC\Temp\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\TempState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\SystemAppData\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\Settings\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\RoamingState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\LocalState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\LocalCache\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\AppData\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\AC\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\AC\Temp\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\TempState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\SystemAppData\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\Settings\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\RoamingState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\LocalState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\LocalCache\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\AppData\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\AC\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\AC\Temp\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\TempState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\SystemAppData\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\Settings\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\RoamingState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\LocalState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\LocalState\DiagOutputDir\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\LocalCache\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\AppData\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\AC\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\AC\Temp\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\TempState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\SystemAppData\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\Settings\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\RoamingState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\LocalState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\LocalCache\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\AppData\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\AC\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\AC\Temp\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxApp_8wekyb3d8bbwe\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxApp_8wekyb3d8bbwe\TempState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxApp_8wekyb3d8bbwe\SystemAppData\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxApp_8wekyb3d8bbwe\Settings\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxApp_8wekyb3d8bbwe\RoamingState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxApp_8wekyb3d8bbwe\LocalState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxApp_8wekyb3d8bbwe\LocalCache\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxApp_8wekyb3d8bbwe\AppData\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxApp_8wekyb3d8bbwe\AC\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxApp_8wekyb3d8bbwe\AC\Temp\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Xbox.TCUI_8wekyb3d8bbwe\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Xbox.TCUI_8wekyb3d8bbwe\TempState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Xbox.TCUI_8wekyb3d8bbwe\SystemAppData\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Xbox.TCUI_8wekyb3d8bbwe\Settings\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Xbox.TCUI_8wekyb3d8bbwe\RoamingState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Xbox.TCUI_8wekyb3d8bbwe\LocalState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Xbox.TCUI_8wekyb3d8bbwe\LocalCache\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Xbox.TCUI_8wekyb3d8bbwe\AppData\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Xbox.TCUI_8wekyb3d8bbwe\AC\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Xbox.TCUI_8wekyb3d8bbwe\AC\Temp\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\TempState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\SystemAppData\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\Settings\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\RoamingState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\LocalState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\LocalCache\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\AppData\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\AC\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\AC\Temp\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\TempState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\SystemAppData\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\Settings\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\RoamingState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\LocalState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\LocalCache\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\AppData\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\AC\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\AC\Temp\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsMaps_8wekyb3d8bbwe\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsMaps_8wekyb3d8bbwe\TempState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsMaps_8wekyb3d8bbwe\SystemAppData\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsMaps_8wekyb3d8bbwe\Settings\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsMaps_8wekyb3d8bbwe\RoamingState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsMaps_8wekyb3d8bbwe\LocalState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsMaps_8wekyb3d8bbwe\LocalCache\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsMaps_8wekyb3d8bbwe\AppData\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsMaps_8wekyb3d8bbwe\AC\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsMaps_8wekyb3d8bbwe\AC\Temp\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\TempState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\SystemAppData\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\Settings\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\RoamingState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\LocalState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\LocalCache\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\AppData\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\AC\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\AC\Temp\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\TempState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\SystemAppData\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\Settings\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\RoamingState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalCache\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\AppData\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\AC\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\AC\Temp\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\AC\BackgroundTransferApi\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCamera_8wekyb3d8bbwe\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCamera_8wekyb3d8bbwe\TempState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCamera_8wekyb3d8bbwe\SystemAppData\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCamera_8wekyb3d8bbwe\Settings\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCamera_8wekyb3d8bbwe\RoamingState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCamera_8wekyb3d8bbwe\LocalState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCamera_8wekyb3d8bbwe\LocalCache\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCamera_8wekyb3d8bbwe\AppData\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCamera_8wekyb3d8bbwe\AC\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCamera_8wekyb3d8bbwe\AC\Temp\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCalculator_8wekyb3d8bbwe\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCalculator_8wekyb3d8bbwe\TempState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCalculator_8wekyb3d8bbwe\SystemAppData\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCalculator_8wekyb3d8bbwe\Settings\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCalculator_8wekyb3d8bbwe\RoamingState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCalculator_8wekyb3d8bbwe\LocalState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCalculator_8wekyb3d8bbwe\LocalCache\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCalculator_8wekyb3d8bbwe\AppData\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCalculator_8wekyb3d8bbwe\AC\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCalculator_8wekyb3d8bbwe\AC\Temp\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsAlarms_8wekyb3d8bbwe\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsAlarms_8wekyb3d8bbwe\TempState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsAlarms_8wekyb3d8bbwe\SystemAppData\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsAlarms_8wekyb3d8bbwe\Settings\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsAlarms_8wekyb3d8bbwe\RoamingState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsAlarms_8wekyb3d8bbwe\LocalState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsAlarms_8wekyb3d8bbwe\LocalCache\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsAlarms_8wekyb3d8bbwe\AppData\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsAlarms_8wekyb3d8bbwe\AC\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsAlarms_8wekyb3d8bbwe\AC\Temp\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\TempState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\SystemAppData\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\Settings\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\RoamingState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\LocalState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\LocalCache\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\AppData\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\AC\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\AC\Temp\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\SystemAppData\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\Settings\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\RoamingState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\LocalState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\LocalCache\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\AppData\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\AC\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\AC\Temp\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\TempState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\SystemAppData\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\Settings\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\RoamingState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\LocalState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\LocalCache\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\AppData\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\AC\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\AC\Temp\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\TempState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\SystemAppData\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\Settings\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\RoamingState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\LocalState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\LocalCache\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\AppData\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\AC\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\AC\Temp\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\TempState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SystemAppData\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\Settings\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\RoamingState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\LocalState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\LocalCache\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\AppData\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\AC\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\AC\Temp\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\TempState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\SystemAppData\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\Settings\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\RoamingState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ShellFeeds\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\Flighting\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{97b27011-f8cc-4ac9-9531-d6ee8ce92324}\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{76cc83ea-ae96-47fc-9329-459e5ad2d67b}\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{0f31ce30-ed3d-4588-b294-208da23711e6}\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{2c33d893-bc92-487f-aede-304ebfc79509}\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{1bd7b6da-f477-41fa-aea6-ebf2b36dfb2f}\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalCache\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AppData\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AppData\Indexed DB\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AppData\CacheStorage\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Temp\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\TempState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\SystemAppData\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\Settings\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\RoamingState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\LocalState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\LocalCache\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\AppData\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\AC\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\AC\Temp\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\TempState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\SystemAppData\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\Settings\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\RoamingState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\LocalState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\LocalCache\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\AppData\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\AC\ETx6kDWq1.README.txt Jump to behavior
Source: kDRn5EwG6a.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: \Device\HarddiskVolume3\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ownload.errort source: kDRn5EwG6a.exe, 00000000.00000003.1656776187.00000000015E7000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000003.1657703326.00000000015E7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error.ETx6kDWq1.txt source: kDRn5EwG6a.exe, 00000000.00000003.1656776187.00000000015E7000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000003.1657703326.00000000015E7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \Device\HarddiskVolume3\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\Tx6kDWq1.README.txt} source: kDRn5EwG6a.exe, 00000000.00000003.1659426052.0000000001583000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000003.1657765181.0000000001583000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000003.1660350238.0000000001583000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000003.1656968028.0000000001583000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000003.1658365920.0000000001583000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \\?\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error.ETx6kDWq1 source: kDRn5EwG6a.exe, 00000000.00000003.1668927228.0000000001571000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mi_exe_stub.pdb source: kDRn5EwG6a.exe, 00000000.00000003.1654077880.0000000001602000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \\?\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: kDRn5EwG6a.exe, 00000000.00000003.1659426052.0000000001583000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000003.1657765181.0000000001583000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000003.1656968028.0000000001583000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000003.1658365920.0000000001583000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.errorM source: kDRn5EwG6a.exe, 00000000.00000003.1659426052.0000000001583000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000003.1657765181.0000000001583000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000003.1656968028.0000000001583000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000003.1658365920.0000000001583000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: kDRn5EwG6a.exe, 00000000.00000003.1659426052.0000000001583000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000003.1657765181.0000000001583000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000003.1656968028.0000000001583000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000003.1658365920.0000000001583000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \\?\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb| source: kDRn5EwG6a.exe, 00000000.00000003.1677099903.0000000001549000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000003.1701502675.0000000001549000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000003.1673997074.0000000001549000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000003.1690606751.0000000001546000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000003.1696860366.0000000001549000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000003.1692032818.0000000001549000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000003.1687355185.0000000001549000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000003.1678073114.0000000001549000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000003.1680009642.0000000001549000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000003.1697707942.0000000001549000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000003.1693401163.0000000001549000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000003.1698359299.0000000001549000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000003.1686213979.0000000001549000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000003.1696684951.0000000001549000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000003.1679017705.0000000001549000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000003.1698875053.0000000001549000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000003.1675141611.0000000001549000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000003.1668927228.0000000001546000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000003.1695143301.0000000001546000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000003.1686058312.0000000001549000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000003.1700992629.0000000001546000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000003.1680104442.0000000001549000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000003.1682330746.0000000001549000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000003.1685377843.0000000001549000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000003.1682206348.0000000001549000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000003.1674534425.0000000001549000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000003.1697535105.0000000001549000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000003.1680871278.0000000001549000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe,
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error.ETx6kDWq1 source: kDRn5EwG6a.exe, 00000000.00000003.1690606751.0000000001571000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000003.1677099903.0000000001571000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000003.1673997074.0000000001571000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000003.1674534425.0000000001571000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000003.1685517441.0000000001571000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000003.1685377843.0000000001571000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000003.1668927228.0000000001571000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000003.1687355185.0000000001571000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000003.1686058312.0000000001571000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000003.1675141611.0000000001571000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000003.1686213979.0000000001571000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.errorQ source: kDRn5EwG6a.exe, 00000000.00000003.1657765181.0000000001583000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000003.1656968028.0000000001583000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe Code function: 0_2_00AF74BC FindFirstFileExW,FindNextFileW,FindClose, 0_2_00AF74BC
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe Code function: 0_2_00AFA094 FindFirstFileExW,FindClose, 0_2_00AFA094
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe Code function: 0_2_00AF5C24 FindFirstFileW,FindClose,FindNextFileW,FindClose, 0_2_00AF5C24
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe Code function: 0_2_00AF7590 FindFirstFileExW, 0_2_00AF7590
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe Code function: 0_2_00AF766C FindFirstFileExW,GetFileAttributesW,FindNextFileW, 0_2_00AF766C
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe Code function: 0_2_00AFF308 GetFileAttributesW,SetThreadPriority,FindFirstFileExW,FindNextFileW,FindClose, 0_2_00AFF308
Source: C:\ProgramData\8234.tmp Code function: 9_2_0040227C FindFirstFileExW, 9_2_0040227C
Source: C:\ProgramData\8234.tmp Code function: 9_2_0040152C FindFirstFileExW,FindClose,FindNextFileW,FindClose, 9_2_0040152C
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe Code function: 0_2_00AF7468 GetLogicalDriveStringsW,GetDriveTypeW, 0_2_00AF7468
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\Acrobat\ Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Local\Temp\Diagnostics\ Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\ Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\ Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\Acrobat\DC\ Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Local\Temp\Diagnostics\EXCEL\ Jump to behavior

Networking
barindex
Found Tor onion address
Source: kDRn5EwG6a.exe, 00000000.00000003.2019059760.000000000166C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion
Source: kDRn5EwG6a.exe, 00000000.00000003.2019059760.000000000166C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion
Source: kDRn5EwG6a.exe, 00000000.00000003.2011874212.00000000015F6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion
Source: kDRn5EwG6a.exe, 00000000.00000003.2011874212.00000000015F6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion
Source: kDRn5EwG6a.exe, 00000000.00000003.2011874212.00000000015F6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion
Source: kDRn5EwG6a.exe, 00000000.00000003.2019059760.0000000001632000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion
Source: kDRn5EwG6a.exe, 00000000.00000003.2019059760.0000000001632000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion]
Source: kDRn5EwG6a.exe, 00000000.00000003.2019059760.0000000001632000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion|q,k
Source: kDRn5EwG6a.exe, 00000000.00000003.2019059760.0000000001632000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onionalQq
Source: kDRn5EwG6a.exe, 00000000.00000003.2019059760.0000000001632000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onionFq
Source: kDRn5EwG6a.exe, 00000000.00000003.2019059760.0000000001632000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion;q
Source: kDRn5EwG6a.exe, 00000000.00000003.2019059760.0000000001632000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion(q
Source: kDRn5EwG6a.exe, 00000000.00000003.2019059760.0000000001632000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion
Source: kDRn5EwG6a.exe, 00000000.00000003.2019059760.0000000001632000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onional
Source: kDRn5EwG6a.exe, 00000000.00000003.2019059760.0000000001632000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion
Source: kDRn5EwG6a.exe, 00000000.00000003.2019059760.0000000001632000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onioned
Source: kDRn5EwG6a.exe, 00000000.00000003.2019059760.0000000001632000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onionHCjr&j
Source: kDRn5EwG6a.exe, 00000000.00000003.2019059760.0000000001632000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onionin_r
Source: kDRn5EwG6a.exe, 00000000.00000003.2019059760.0000000001632000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onionicLr
Source: kDRn5EwG6a.exe, 00000000.00000003.2019059760.0000000001632000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion!r
Source: kDRn5EwG6a.exe, 00000000.00000003.2019059760.0000000001632000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onionic
Source: kDRn5EwG6a.exe, 00000000.00000003.2019059760.0000000001632000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onionl
Source: kDRn5EwG6a.exe, 00000000.00000003.2019059760.0000000001632000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onionc
Source: kDRn5EwG6a.exe, 00000000.00000002.2021707327.00000000015F3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion
Source: kDRn5EwG6a.exe, 00000000.00000002.2021707327.00000000015F3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion
Source: kDRn5EwG6a.exe, 00000000.00000002.2021868208.0000000001632000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion
Source: kDRn5EwG6a.exe, 00000000.00000002.2021868208.0000000001632000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion]
Source: kDRn5EwG6a.exe, 00000000.00000002.2021868208.0000000001632000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion|q,k
Source: kDRn5EwG6a.exe, 00000000.00000002.2021868208.0000000001632000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onionalQq
Source: kDRn5EwG6a.exe, 00000000.00000002.2021868208.0000000001632000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onionFq
Source: kDRn5EwG6a.exe, 00000000.00000002.2021868208.0000000001632000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion;q
Source: kDRn5EwG6a.exe, 00000000.00000002.2021868208.0000000001632000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion(q
Source: kDRn5EwG6a.exe, 00000000.00000002.2021868208.0000000001632000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion
Source: kDRn5EwG6a.exe, 00000000.00000002.2021868208.0000000001632000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onional
Source: kDRn5EwG6a.exe, 00000000.00000002.2021868208.0000000001632000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion
Source: kDRn5EwG6a.exe, 00000000.00000002.2021868208.0000000001632000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onioned
Source: kDRn5EwG6a.exe, 00000000.00000002.2021868208.0000000001632000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onionHCjr&j
Source: kDRn5EwG6a.exe, 00000000.00000002.2021868208.0000000001632000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onionin_r
Source: kDRn5EwG6a.exe, 00000000.00000002.2021868208.0000000001632000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onionicLr
Source: kDRn5EwG6a.exe, 00000000.00000002.2021868208.0000000001632000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion!r
Source: kDRn5EwG6a.exe, 00000000.00000002.2021868208.0000000001632000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onionic
Source: kDRn5EwG6a.exe, 00000000.00000002.2021868208.0000000001632000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onionl
Source: kDRn5EwG6a.exe, 00000000.00000002.2021868208.0000000001632000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onionc
Source: kDRn5EwG6a.exe, 00000000.00000003.2011394794.0000000001632000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion
Source: kDRn5EwG6a.exe, 00000000.00000003.2011394794.0000000001632000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion]
Source: kDRn5EwG6a.exe, 00000000.00000003.2011394794.0000000001632000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion|q,k
Source: kDRn5EwG6a.exe, 00000000.00000003.2011394794.0000000001632000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onionalQq
Source: kDRn5EwG6a.exe, 00000000.00000003.2011394794.0000000001632000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onionFq
Source: kDRn5EwG6a.exe, 00000000.00000003.2011394794.0000000001632000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion;q
Source: kDRn5EwG6a.exe, 00000000.00000003.2011394794.0000000001632000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion(q
Source: kDRn5EwG6a.exe, 00000000.00000003.2011394794.0000000001632000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion
Source: kDRn5EwG6a.exe, 00000000.00000003.2011394794.0000000001632000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onional
Source: kDRn5EwG6a.exe, 00000000.00000003.2011394794.0000000001632000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion
Source: kDRn5EwG6a.exe, 00000000.00000003.2011394794.0000000001632000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onioned
Source: kDRn5EwG6a.exe, 00000000.00000003.2011394794.0000000001632000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onionur;j
Source: kDRn5EwG6a.exe, 00000000.00000003.2011394794.0000000001632000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onionHCjr&j
Source: kDRn5EwG6a.exe, 00000000.00000003.2011394794.0000000001632000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onionin_r
Source: kDRn5EwG6a.exe, 00000000.00000003.2011394794.0000000001632000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onionicLr
Source: kDRn5EwG6a.exe, 00000000.00000003.2011394794.0000000001632000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion!r
Source: kDRn5EwG6a.exe, 00000000.00000003.2011394794.0000000001632000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onionic
Source: kDRn5EwG6a.exe, 00000000.00000003.2011394794.0000000001632000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onionl
Source: kDRn5EwG6a.exe, 00000000.00000003.2011394794.0000000001632000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onionc
Source: kDRn5EwG6a.exe, 00000000.00000003.2011394794.0000000001670000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion
Source: kDRn5EwG6a.exe, 00000000.00000003.2011394794.0000000001670000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion
Source: kDRn5EwG6a.exe, 00000000.00000003.2011394794.0000000001670000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion
Source: kDRn5EwG6a.exe, 00000000.00000002.2021868208.000000000166C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion
Source: kDRn5EwG6a.exe, 00000000.00000002.2021868208.000000000166C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion
Source: kDRn5EwG6a.exe, 00000000.00000003.1651038080.0000000001583000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000003.1651566912.0000000001602000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr
Source: kDRn5EwG6a.exe, 00000000.00000002.2021222636.000000000150E000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000003.2011394794.0000000001670000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lockbitapt.uz
Source: kDRn5EwG6a.exe, 00000000.00000003.2011394794.0000000001632000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000003.2011394794.0000000001670000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion
Source: kDRn5EwG6a.exe, 00000000.00000003.2019059760.0000000001632000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000002.2021868208.0000000001632000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000003.2011394794.0000000001632000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion;q
Source: kDRn5EwG6a.exe, 00000000.00000003.2019059760.0000000001632000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000002.2021868208.0000000001632000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000003.2011394794.0000000001632000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onionFq
Source: kDRn5EwG6a.exe, 00000000.00000003.2019059760.0000000001632000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000002.2021868208.0000000001632000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000003.2011394794.0000000001632000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onionHCjr&j
Source: kDRn5EwG6a.exe, 00000000.00000003.2019059760.0000000001632000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000002.2021868208.0000000001632000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000003.2011394794.0000000001632000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onional
Source: kDRn5EwG6a.exe, 00000000.00000003.2019059760.0000000001632000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000002.2021868208.0000000001632000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000003.2011394794.0000000001632000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onionc
Source: kDRn5EwG6a.exe, 00000000.00000003.2019059760.0000000001632000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000002.2021868208.0000000001632000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000003.2011394794.0000000001632000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onionin_r
Source: kDRn5EwG6a.exe, 00000000.00000003.2011394794.0000000001632000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onionur;j
Source: kDRn5EwG6a.exe, 00000000.00000003.2011394794.0000000001632000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000003.2011394794.0000000001670000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000002.2021868208.000000000166C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion
Source: kDRn5EwG6a.exe, 00000000.00000003.2019059760.0000000001632000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000002.2021868208.0000000001632000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000003.2011394794.0000000001632000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion(q
Source: kDRn5EwG6a.exe, 00000000.00000003.2019059760.0000000001632000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000002.2021868208.0000000001632000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000003.2011394794.0000000001632000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onionl
Source: kDRn5EwG6a.exe, 00000000.00000003.2011394794.0000000001632000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000003.2011394794.0000000001670000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000002.2021868208.000000000166C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion
Source: kDRn5EwG6a.exe, 00000000.00000003.2019059760.0000000001632000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000002.2021868208.0000000001632000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000003.2011394794.0000000001632000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onionalQq
Source: kDRn5EwG6a.exe, 00000000.00000003.2019059760.0000000001632000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000002.2021868208.0000000001632000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000003.2011394794.0000000001632000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onioned
Source: kDRn5EwG6a.exe, 00000000.00000003.2019059760.0000000001632000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000002.2021868208.0000000001632000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000003.2011394794.0000000001632000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onionic
Source: kDRn5EwG6a.exe, 00000000.00000003.2019059760.0000000001632000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000002.2021868208.0000000001632000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000003.2011394794.0000000001632000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onionicLr
Source: kDRn5EwG6a.exe, 00000000.00000003.2019059760.000000000166C000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000003.2011874212.00000000015F6000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000002.2021707327.00000000015F3000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000003.2011394794.0000000001670000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000002.2021868208.000000000166C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lockbitsupp.uz
Source: kDRn5EwG6a.exe, 00000000.00000003.1630539577.00000000015C7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
Source: kDRn5EwG6a.exe, 00000000.00000003.1630539577.00000000015C7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta
Source: kDRn5EwG6a.exe, 00000000.00000003.1630539577.00000000015C7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
Source: kDRn5EwG6a.exe, 00000000.00000003.1630539577.00000000015C7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: kDRn5EwG6a.exe, 00000000.00000003.1630539577.00000000015C7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
Source: kDRn5EwG6a.exe, 00000000.00000003.1630539577.0000000001662000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org
Source: kDRn5EwG6a.exe, 00000000.00000003.1630867120.0000000001672000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: kDRn5EwG6a.exe, 00000000.00000003.1630185084.00000000015F9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefox
Source: kDRn5EwG6a.exe, 00000000.00000003.1630867120.0000000001672000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
Source: kDRn5EwG6a.exe, 00000000.00000003.1701502675.0000000001549000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000003.1696860366.0000000001549000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000003.1713614607.0000000001547000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000003.1697707942.0000000001549000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000003.1698359299.0000000001549000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000003.1696684951.0000000001549000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000003.1698875053.0000000001549000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000003.1708764395.0000000001549000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000003.1700992629.0000000001546000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000003.1697535105.0000000001549000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000003.1709891657.0000000001549000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://tox.c
Source: kDRn5EwG6a.exe, 00000000.00000003.1674534425.0000000001549000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000003.1691446286.0000000001572000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000003.1697535105.0000000001549000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000003.1637401629.0000000001537000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000003.1691501277.0000000001549000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000003.1687355185.0000000001571000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000003.1692634014.0000000001549000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000003.1686058312.0000000001571000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000003.1634408658.0000000001537000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000003.1675141611.0000000001571000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000003.1709891657.0000000001549000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000003.1686213979.0000000001571000.00000004.00000020.00020000.00000000.sdmp, ETx6kDWq1.README.txt520.0.dr, ETx6kDWq1.README.txt376.0.dr, ETx6kDWq1.README.txt351.0.dr, ETx6kDWq1.README.txt446.0.dr, ETx6kDWq1.README.txt485.0.dr, ETx6kDWq1.README.txt300.0.dr, ETx6kDWq1.README.txt56.0.dr, ETx6kDWq1.README.txt509.0.dr, ETx6kDWq1.README.txt387.0.dr String found in binary or memory: https://tox.chat/
Source: kDRn5EwG6a.exe, 00000000.00000003.1630539577.00000000015C7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94
Source: kDRn5EwG6a.exe, 00000000.00000003.1630539577.00000000015C7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid=US.UB.ADMARKETPLACE.GT-C-EN.HOTEL&SEMDTL=a1219
Source: kDRn5EwG6a.exe, 00000000.00000003.1630539577.0000000001662000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org
Source: kDRn5EwG6a.exe, 00000000.00000003.1630185084.00000000015F9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/
Source: kDRn5EwG6a.exe, 00000000.00000003.1630867120.0000000001672000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: kDRn5EwG6a.exe, 00000000.00000003.1630185084.00000000015F9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/
Source: kDRn5EwG6a.exe, 00000000.00000003.1630867120.0000000001672000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: kDRn5EwG6a.exe, 00000000.00000003.1630185084.00000000015F9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: kDRn5EwG6a.exe, 00000000.00000003.1630867120.0000000001672000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: kDRn5EwG6a.exe, 00000000.00000003.1630867120.0000000001672000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: kDRn5EwG6a.exe, 00000000.00000003.1794957291.0000000001674000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/media/css/privacy_protocol.04de168de977.css
Source: kDRn5EwG6a.exe, 00000000.00000003.1630867120.0000000001672000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

Spam, unwanted Advertisements and Ransom Demands
barindex
Found ransom note / readme
Source: C:\Users\user\AppData\Local\Packages\Microsoft.UI.Xaml.2.0_8wekyb3d8bbwe\AC\ETx6kDWq1.README.txt Dropped file: !! ALL YOUR FILES HAS BEEN ENCRYPTED !!!You can't restore them without our encryptor.Don't try to use any public tools, you could damage the encrypted files and lose them forever.To make sure our encryptor works, contact us and encrypt one file for free.Download TOX messenger: https://tox.chat/Add friend in TOX, ID: BA7B15B33163FAA2C87040438AF6D232FC6EA3740033F2AE3EB2181C1454BD4AAE983BAF03FE Jump to dropped file
Yara detected LockBit ransomware
Source: Yara match File source: kDRn5EwG6a.exe, type: SAMPLE
Source: Yara match File source: 0.2.kDRn5EwG6a.exe.af0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.kDRn5EwG6a.exe.af0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2020403247.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.1610316669.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2021222636.000000000150E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: kDRn5EwG6a.exe PID: 7780, type: MEMORYSTR
Yara detected TrojanRansom
Source: Yara match File source: Process Memory Space: kDRn5EwG6a.exe PID: 7780, type: MEMORYSTR
Changes the wallpaper picture
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe Key value created or modified: HKEY_CURRENT_USER\Control Panel\Desktop WallPaper C:\ProgramData\ETx6kDWq1.bmp Jump to behavior
Found potential ransomware demand text
Source: kDRn5EwG6a.exe, 00000000.00000003.2011874212.00000000015F6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory : Your data are stolen and encrypted
Source: kDRn5EwG6a.exe, 00000000.00000002.2021222636.0000000001578000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory : All your important files are stolen and encrypted!
Source: kDRn5EwG6a.exe, 00000000.00000002.2021222636.000000000150E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory : Your data are stolen and encrypted
Source: kDRn5EwG6a.exe, 00000000.00000002.2021222636.000000000150E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory : Your data are stolen and encryptede}ok
Source: kDRn5EwG6a.exe, 00000000.00000002.2021222636.000000000150E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory : Your data are stolen and encryptede_o
Source: kDRn5EwG6a.exe, 00000000.00000002.2021222636.000000000150E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory : Your data are stolen and encrypted3o
Source: kDRn5EwG6a.exe, 00000000.00000002.2021222636.000000000150E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory : Your data are stolen and encrypted9o
Source: kDRn5EwG6a.exe, 00000000.00000002.2021222636.000000000150E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory : Your data are stolen and encrypted-o
Source: kDRn5EwG6a.exe, 00000000.00000002.2021222636.000000000150E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory : Your data are stolen and encrypted=
Source: kDRn5EwG6a.exe, 00000000.00000002.2021222636.000000000150E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory : Your data are stolen and encryptedQ
Source: kDRn5EwG6a.exe, 00000000.00000002.2021222636.000000000150E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory : Your data are stolen and encryptedr
Source: kDRn5EwG6a.exe, 00000000.00000002.2021222636.000000000154F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory : All your important files are stolen and encrypted!
Source: kDRn5EwG6a.exe, 00000000.00000003.2011394794.0000000001670000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory : Your data are stolen and encrypted
Modifies existing user documents (likely ransomware behavior)
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File moved: C:\Users\user\Desktop\ONBQCLYSPU.png Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File moved: C:\Users\user\Desktop\NWTVCDUMOB.mp3 Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File moved: C:\Users\user\Desktop\KATAXZVCPS.jpg Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File moved: C:\Users\user\Desktop\NHPKIZUUSG\VLZDGUKUTZ.mp3 Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File moved: C:\Users\user\Desktop\XZXHAVGRAG\XZXHAVGRAG.docx Jump to behavior
Writes many files with high entropy
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Chrome__crx_agimnkijcamfeangaknmldooml.ETx6kDWq1 entropy: 7.99433195836 Jump to dropped file
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_AutoGenerated_{8ABD94FB-E7D6-84A6-A997-C918EDDE0AE5}.ETx6kDWq1 entropy: 7.99547257901 Jump to dropped file
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_AutoGenerated_{8AA47365-B2B3-1961-69EB-F866E376B12F}.ETx6kDWq1 entropy: 7.9955994272 Jump to dropped file
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_AutoGenerated_{16988324-21C9-05B2-CA60-9B4EC72739D8}.ETx6kDWq1 entropy: 7.99504626347 Jump to dropped file
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Chrome__crx_mpnpojknpmnjdcgaaiekajbnjb.ETx6kDWq1 entropy: 7.99581832895 Jump to dropped file
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\https___java_com_help.ETx6kDWq1 entropy: 7.99515770737 Jump to dropped file
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\https___java_com_.ETx6kDWq1 entropy: 7.99494434991 Jump to dropped file
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Chrome__crx_kefjledonknomlcbpllchaibag.ETx6kDWq1 entropy: 7.9945276238 Jump to dropped file
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Chrome__crx_fmgjjmmmlfcabfkddbjimcfncm.ETx6kDWq1 entropy: 7.99541782157 Jump to dropped file
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Chrome__crx_fhihpiojkboajapmgkhlnakfjf.ETx6kDWq1 entropy: 7.99390989032 Jump to dropped file
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_AutoGenerated_{116229A7-9A3B-2078-DB5F-B5A20811242C}.ETx6kDWq1 entropy: 7.99528257229 Jump to dropped file
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_AutoGenerated_{F1118828-A0CC-5FEB-85C9-DBFFDF98434A}.ETx6kDWq1 entropy: 7.99544449004 Jump to dropped file
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_AutoGenerated_{E8B84CFB-B069-BC13-F88F-170904F645E5}.ETx6kDWq1 entropy: 7.9945533896 Jump to dropped file
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_AutoGenerated_{E7A33582-E908-3379-5368-5999454DCD83}.ETx6kDWq1 entropy: 7.99436852546 Jump to dropped file
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_AutoGenerated_{DAA168DE-4306-C8BC-8C11-B596240BDDED}.ETx6kDWq1 entropy: 7.99539838157 Jump to dropped file
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_AutoGenerated_{C804BBA7-FA5F-CBF7-8B55-2096E5F972CB}.ETx6kDWq1 entropy: 7.99503243743 Jump to dropped file
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_AutoGenerated_{C1C6F8AC-40A3-0F5C-146F-65A9DC70BBB4}.ETx6kDWq1 entropy: 7.99531985047 Jump to dropped file
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_AutoGenerated_{BD3F924E-55FB-A1BA-9DE6-B50F9F2460AC}.ETx6kDWq1 entropy: 7.99542312765 Jump to dropped file
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_AutoGenerated_{BB044BFD-25B7-2FAA-22A8-6371A93E0456}.ETx6kDWq1 entropy: 7.99445452942 Jump to dropped file
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_AutoGenerated_{923DD477-5846-686B-A659-0FCCD73851A8}.ETx6kDWq1 entropy: 7.99521842592 Jump to dropped file
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Office_lync_exe_15.ETx6kDWq1 entropy: 7.99454960201 Jump to dropped file
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Office_EXCEL_EXE_15.ETx6kDWq1 entropy: 7.99389009425 Jump to dropped file
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Office_DATABASECOMPARE_EXE_15.ETx6kDWq1 entropy: 7.9947332512 Jump to dropped file
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_InternetExplorer_Default.ETx6kDWq1 entropy: 7.99474270925 Jump to dropped file
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Temp\Diagnostics\EXCEL\App1696417101742322600_290EFEE9-C25A-4857-9F32-D7E6D51B7C09.log.ETx6kDWq1 entropy: 7.99909908413 Jump to dropped file
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Temp\acrobat_sbx\acroNGLLog.txt.ETx6kDWq1 entropy: 7.99255457597 Jump to dropped file
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Office_SPREADSHEETCOMPARE_EXE_15.ETx6kDWq1 entropy: 7.99459764802 Jump to dropped file
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Office_SETLANG_EXE_15.ETx6kDWq1 entropy: 7.9940065214 Jump to dropped file
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Office_POWERPNT_EXE_15.ETx6kDWq1 entropy: 7.99491274111 Jump to dropped file
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Office_OUTLOOK_EXE_15.ETx6kDWq1 entropy: 7.99411799582 Jump to dropped file
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Office_ONENOTE_EXE_15.ETx6kDWq1 entropy: 7.99545717695 Jump to dropped file
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Office_OcPubMgr_exe_15.ETx6kDWq1 entropy: 7.99517730505 Jump to dropped file
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Office_MSPUB_EXE_15.ETx6kDWq1 entropy: 7.99438757247 Jump to dropped file
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Office_MSOUC_EXE_15.ETx6kDWq1 entropy: 7.99528131178 Jump to dropped file
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Office_msoev_exe_15.ETx6kDWq1 entropy: 7.99460782483 Jump to dropped file
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Office_MSACCESS_EXE_15.ETx6kDWq1 entropy: 7.99485108434 Jump to dropped file
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_WindowsCalculator_8wekyb3d8bbwe!App.ETx6kDWq1 entropy: 7.9946679888 Jump to dropped file
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_WindowsAlarms_8wekyb3d8bbwe!App.ETx6kDWq1 entropy: 7.99450774282 Jump to dropped file
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_SkyDrive_Desktop.ETx6kDWq1 entropy: 7.99499798496 Jump to dropped file
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Office_WINWORD_EXE_15.ETx6kDWq1 entropy: 7.99458726179 Jump to dropped file
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Windows_ControlPanel.ETx6kDWq1 entropy: 7.99534249485 Jump to dropped file
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Windows_Photos_8wekyb3d8bbwe!App.ETx6kDWq1 entropy: 7.99265582431 Jump to dropped file
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Windows_RemoteDesktop.ETx6kDWq1 entropy: 7.99451462703 Jump to dropped file
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Windows_MediaPlayer32.ETx6kDWq1 entropy: 7.99586172585 Jump to dropped file
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Windows_Explorer.ETx6kDWq1 entropy: 7.9952394336 Jump to dropped file
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Windows_Computer.ETx6kDWq1 entropy: 7.99546179395 Jump to dropped file
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Windows_AdministrativeTools.ETx6kDWq1 entropy: 7.99502595196 Jump to dropped file
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_WindowsStore_8wekyb3d8bbwe!App.ETx6kDWq1 entropy: 7.9939769889 Jump to dropped file
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_WindowsSoundRecorder_8wekyb3d8bbwe!App.ETx6kDWq1 entropy: 7.99599410862 Jump to dropped file
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_cmd_exe.ETx6kDWq1 entropy: 7.99560681137 Jump to dropped file
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_cleanmgr_exe.ETx6kDWq1 entropy: 7.99590314508 Jump to dropped file
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_charmap_exe.ETx6kDWq1 entropy: 7.99513359426 Jump to dropped file
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\MSEdge.ETx6kDWq1 entropy: 7.99462856156 Jump to dropped file
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Windows_Shell_RunDialog.ETx6kDWq1 entropy: 7.99420291215 Jump to dropped file
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_iscsicpl_exe.ETx6kDWq1 entropy: 7.99481198247 Jump to dropped file
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_odbcad32_exe.ETx6kDWq1 entropy: 7.99495879619 Jump to dropped file
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_notepad_exe.ETx6kDWq1 entropy: 7.99573375596 Jump to dropped file
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_narrator_exe.ETx6kDWq1 entropy: 7.99565598858 Jump to dropped file
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_mspaint_exe.ETx6kDWq1 entropy: 7.99514450337 Jump to dropped file
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_msinfo32_exe.ETx6kDWq1 entropy: 7.99544036274 Jump to dropped file
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_msconfig_exe.ETx6kDWq1 entropy: 7.99503611796 Jump to dropped file
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_MdSched_exe.ETx6kDWq1 entropy: 7.99434429584 Jump to dropped file
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_magnify_exe.ETx6kDWq1 entropy: 7.99566100982 Jump to dropped file
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_dfrgui_exe.ETx6kDWq1 entropy: 7.99492320798 Jump to dropped file
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_comexp_msc.ETx6kDWq1 entropy: 7.99492555869 Jump to dropped file
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_psr_exe.ETx6kDWq1 entropy: 7.99533792787 Jump to dropped file
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_printmanagement_msc.ETx6kDWq1 entropy: 7.99480232173 Jump to dropped file
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_WindowsPowerShell_v1_0_PowerShell_ISE_exe.ETx6kDWq1 entropy: 7.99529949441 Jump to dropped file
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_WindowsPowerShell_v1_0_powershell_exe.ETx6kDWq1 entropy: 7.99485186337 Jump to dropped file
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_WF_msc.ETx6kDWq1 entropy: 7.99537525483 Jump to dropped file
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_WFS_exe.ETx6kDWq1 entropy: 7.99528958603 Jump to dropped file
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_SnippingTool_exe.ETx6kDWq1 entropy: 7.99508316685 Jump to dropped file
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_services_msc.ETx6kDWq1 entropy: 7.99461365404 Jump to dropped file
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_RecoveryDrive_exe.ETx6kDWq1 entropy: 7.99562899846 Jump to dropped file
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_quickassist_exe.ETx6kDWq1 entropy: 7.99551586253 Jump to dropped file
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_osk_exe.ETx6kDWq1 entropy: 7.99500586869 Jump to dropped file
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db.ETx6kDWq1 entropy: 7.99904955487 Jump to dropped file
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite.ETx6kDWq1 entropy: 7.99853832023 Jump to dropped file
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm.ETx6kDWq1 entropy: 7.99445565576 Jump to dropped file
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\content-prefs.sqlite.ETx6kDWq1 entropy: 7.99927477818 Jump to dropped file
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json.ETx6kDWq1 entropy: 7.99552420845 Jump to dropped file
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite-shm.ETx6kDWq1 entropy: 7.9950989233 Jump to dropped file
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\permissions.sqlite.ETx6kDWq1 entropy: 7.99810210881 Jump to dropped file
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-shm.ETx6kDWq1 entropy: 7.99502341512 Jump to dropped file
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db.ETx6kDWq1 entropy: 7.99934610708 Jump to dropped file
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\protections.sqlite.ETx6kDWq1 entropy: 7.99722086407 Jump to dropped file
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\webappsstore.sqlite-shm.ETx6kDWq1 entropy: 7.99513471864 Jump to dropped file
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\webappsstore.sqlite.ETx6kDWq1 entropy: 7.99822371988 Jump to dropped file
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\ls-archive.sqlite.ETx6kDWq1 entropy: 7.99872118169 Jump to dropped file
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite.ETx6kDWq1 entropy: 7.99638843676 Jump to dropped file
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shm.ETx6kDWq1 entropy: 7.99543124942 Jump to dropped file
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cache2\entries\BDE5E55BCB4604200C70FB908FA76903C94590D3.ETx6kDWq1 entropy: 7.99820510993 Jump to dropped file
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite.ETx6kDWq1 entropy: 7.99612130715 Jump to dropped file
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shm.ETx6kDWq1 entropy: 7.99422044013 Jump to dropped file
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite.ETx6kDWq1 entropy: 7.99596250306 Jump to dropped file
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite-shm.ETx6kDWq1 entropy: 7.99431187939 Jump to dropped file
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite.ETx6kDWq1 entropy: 7.99601360164 Jump to dropped file
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite-shm.ETx6kDWq1 entropy: 7.99471715555 Jump to dropped file
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite.ETx6kDWq1 entropy: 7.99656773624 Jump to dropped file
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite-shm.ETx6kDWq1 entropy: 7.99461900371 Jump to dropped file
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shm.ETx6kDWq1 entropy: 7.99504646141 Jump to dropped file
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cache2\entries\D0F48A0632B6C451791F4257697E861961F06A6F.ETx6kDWq1 entropy: 7.99530916629 Jump to dropped file
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cache2\entries\DED23BB33EA3C88FAD1C0A1CD53916E0D8C424D3.ETx6kDWq1 entropy: 7.99045220784 Jump to dropped file
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cache2\entries\E707EC8A256322E87908664A49F800B7B48E0961.ETx6kDWq1 entropy: 7.99068212977 Jump to dropped file
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\saved-telemetry-pings\7278f154-e8f4-4235-84c5-c5c1c6af0084.ETx6kDWq1 entropy: 7.99743173337 Jump to dropped file
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cache2\doomed\11719.ETx6kDWq1 entropy: 7.99531792047 Jump to dropped file
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State.ETx6kDWq1 entropy: 7.99691544194 Jump to dropped file
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\first_party_sets.db.ETx6kDWq1 entropy: 7.99593254335 Jump to dropped file
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\1696333829746.67aa4432-87f8-463e-b422-f6679add9971.first-shutdown.jsonlz4.ETx6kDWq1 entropy: 7.99010102893 Jump to dropped file
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1.ETx6kDWq1 entropy: 7.99932268391 Jump to dropped file
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\ShaderCache\index.ETx6kDWq1 entropy: 7.99940177449 Jump to dropped file
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_1.ETx6kDWq1 entropy: 7.99933544344 Jump to dropped file
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\GraphiteDawnCache\data_1.ETx6kDWq1 entropy: 7.99932700853 Jump to dropped file
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\GrShaderCache\index.ETx6kDWq1 entropy: 7.99923666638 Jump to dropped file
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\GraphiteDawnCache\index.ETx6kDWq1 entropy: 7.99927047978 Jump to dropped file
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\LocalState\ThirdPartyNotice.html.ETx6kDWq1 entropy: 7.99837119529 Jump to dropped file
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}_AutoIt3_AutoIt3_exe.ETx6kDWq1 entropy: 7.99508312256 Jump to dropped file
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}_AutoIt3_Aut2Exe_Aut2exe_exe.ETx6kDWq1 entropy: 7.99477454426 Jump to dropped file
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}_AutoIt3_Au3Info_x64_exe.ETx6kDWq1 entropy: 7.99469777766 Jump to dropped file
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}_AutoIt3_Au3Info_exe.ETx6kDWq1 entropy: 7.99520572245 Jump to dropped file
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{6D809377-6AF0-444B-8957-A3773F02200E}_Windows NT_Accessories_wordpad_exe.ETx6kDWq1 entropy: 7.99465378911 Jump to dropped file
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{6D809377-6AF0-444B-8957-A3773F02200E}_Common Files_Microsoft Shared_Ink_mip_exe.ETx6kDWq1 entropy: 7.99545782006 Jump to dropped file
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{6D809377-6AF0-444B-8957-A3773F02200E}_Adobe_Acrobat DC_Acrobat_Acrobat_exe.ETx6kDWq1 entropy: 7.99545793262 Jump to dropped file
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{6D809377-6AF0-444B-8957-A3773F02200E}_7-Zip_7zFM_exe.ETx6kDWq1 entropy: 7.99559416691 Jump to dropped file
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{6D809377-6AF0-444B-8957-A3773F02200E}_7-Zip_7-zip_chm.ETx6kDWq1 entropy: 7.99478513562 Jump to dropped file
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}_AutoIt3_AutoIt v3 Website_url.ETx6kDWq1 entropy: 7.99480999863 Jump to dropped file
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}_AutoIt3_Aut2Exe_Aut2exe_x64_exe.ETx6kDWq1 entropy: 7.99506878433 Jump to dropped file
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{F38BF404-1D43-42F2-9305-67DE0B28FC23}_regedit_exe.ETx6kDWq1 entropy: 7.99505104218 Jump to dropped file
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}_WindowsPowerShell_v1_0_PowerShell_ISE_exe.ETx6kDWq1 entropy: 7.99553320968 Jump to dropped file
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}_odbcad32_exe.ETx6kDWq1 entropy: 7.9951152706 Jump to dropped file
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}_Java_jre-1_8_bin_javacpl_exe.ETx6kDWq1 entropy: 7.99557487278 Jump to dropped file
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}_AutoIt3_SciTE_SciTE_exe.ETx6kDWq1 entropy: 7.99481179974 Jump to dropped file
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}_AutoIt3_Examples.ETx6kDWq1 entropy: 7.99480637174 Jump to dropped file
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}_AutoIt3_Extras.ETx6kDWq1 entropy: 7.99489111633 Jump to dropped file
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}_AutoIt3_AutoIt_chm.ETx6kDWq1 entropy: 7.99527065274 Jump to dropped file
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}_AutoIt3_AutoItX_AutoItX_chm.ETx6kDWq1 entropy: 7.99516467403 Jump to dropped file
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}_AutoIt3_AutoIt3_x64_exe.ETx6kDWq1 entropy: 7.99471197719 Jump to dropped file
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}_WindowsPowerShell_v1_0_powershell_exe.ETx6kDWq1 entropy: 7.99514410189 Jump to dropped file
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AppData\CacheStorage\CacheStorage.jfm.ETx6kDWq1 entropy: 7.99054000846 Jump to dropped file
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AppData\Indexed DB\edb00001.log.ETx6kDWq1 entropy: 7.99966603719 Jump to dropped file
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AppData\Indexed DB\edbres00001.jrs.ETx6kDWq1 entropy: 7.99961285304 Jump to dropped file
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AppData\Indexed DB\edb.log.ETx6kDWq1 entropy: 7.99965096972 Jump to dropped file
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AppData\Indexed DB\edbres00002.jrs.ETx6kDWq1 entropy: 7.99969347706 Jump to dropped file
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AppData\Indexed DB\edbtmp.log.ETx6kDWq1 entropy: 7.99968907385 Jump to dropped file
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\LocalState\PhotosAppTracing_startedInBGMode.etl.ETx6kDWq1 entropy: 7.99696086875 Jump to dropped file
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Comms\UnistoreDB\store.jfm.ETx6kDWq1 entropy: 7.99034229996 Jump to dropped file
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\LocalState\MediaDb.v1.sqlite-shm.ETx6kDWq1 entropy: 7.99449830602 Jump to dropped file
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\ConnectedDevicesPlatform\L.user\ActivitiesCache.db-shm.ETx6kDWq1 entropy: 7.99419969218 Jump to dropped file
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\Security\ES_session_storei.ETx6kDWq1 entropy: 7.99217894663 Jump to dropped file
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\915DEAC5D1E15E49646B8A94E04E470958C9BB89.crl.ETx6kDWq1 entropy: 7.99715912567 Jump to dropped file
Source: C:\ProgramData\8234.tmp File created: C:\Users\user\Desktop\kDRn5EwG6a.exe entropy: 7.9966548855 Jump to dropped file
Source: C:\ProgramData\8234.tmp File created: C:\Users\user\Desktop\AAAAAAAAAAAAAA (copy) entropy: 7.9966548855 Jump to dropped file
Source: C:\ProgramData\8234.tmp File created: C:\Users\user\Desktop\BBBBBBBBBBBBBB (copy) entropy: 7.9966548855 Jump to dropped file
Source: C:\ProgramData\8234.tmp File created: C:\Users\user\Desktop\CCCCCCCCCCCCCC (copy) entropy: 7.9966548855 Jump to dropped file
Source: C:\ProgramData\8234.tmp File created: C:\Users\user\Desktop\DDDDDDDDDDDDDD (copy) entropy: 7.9966548855 Jump to dropped file
Source: C:\ProgramData\8234.tmp File created: C:\Users\user\Desktop\EEEEEEEEEEEEEE (copy) entropy: 7.9966548855 Jump to dropped file
Source: C:\ProgramData\8234.tmp File created: C:\Users\user\Desktop\FFFFFFFFFFFFFF (copy) entropy: 7.9966548855 Jump to dropped file
Source: C:\ProgramData\8234.tmp File created: C:\Users\user\Desktop\GGGGGGGGGGGGGG (copy) entropy: 7.9966548855 Jump to dropped file
Source: C:\ProgramData\8234.tmp File created: C:\Users\user\Desktop\HHHHHHHHHHHHHH (copy) entropy: 7.9966548855 Jump to dropped file
Source: C:\ProgramData\8234.tmp File created: C:\Users\user\Desktop\IIIIIIIIIIIIII (copy) entropy: 7.9966548855 Jump to dropped file
Source: C:\ProgramData\8234.tmp File created: C:\Users\user\Desktop\JJJJJJJJJJJJJJ (copy) entropy: 7.9966548855 Jump to dropped file
Source: C:\ProgramData\8234.tmp File created: C:\Users\user\Desktop\KKKKKKKKKKKKKK (copy) entropy: 7.9966548855 Jump to dropped file
Source: C:\ProgramData\8234.tmp File created: C:\Users\user\Desktop\LLLLLLLLLLLLLL (copy) entropy: 7.9966548855 Jump to dropped file
Source: C:\ProgramData\8234.tmp File created: C:\Users\user\Desktop\MMMMMMMMMMMMMM (copy) entropy: 7.9966548855 Jump to dropped file
Source: C:\ProgramData\8234.tmp File created: C:\Users\user\Desktop\NNNNNNNNNNNNNN (copy) entropy: 7.9966548855 Jump to dropped file
Source: C:\ProgramData\8234.tmp File created: C:\Users\user\Desktop\OOOOOOOOOOOOOO (copy) entropy: 7.9966548855 Jump to dropped file
Source: C:\ProgramData\8234.tmp File created: C:\Users\user\Desktop\PPPPPPPPPPPPPP (copy) entropy: 7.9966548855 Jump to dropped file
Source: C:\ProgramData\8234.tmp File created: C:\Users\user\Desktop\QQQQQQQQQQQQQQ (copy) entropy: 7.9966548855 Jump to dropped file
Source: C:\ProgramData\8234.tmp File created: C:\Users\user\Desktop\RRRRRRRRRRRRRR (copy) entropy: 7.9966548855 Jump to dropped file
Source: C:\ProgramData\8234.tmp File created: C:\Users\user\Desktop\SSSSSSSSSSSSSS (copy) entropy: 7.9966548855 Jump to dropped file
Source: C:\ProgramData\8234.tmp File created: C:\Users\user\Desktop\TTTTTTTTTTTTTT (copy) entropy: 7.9966548855 Jump to dropped file
Source: C:\ProgramData\8234.tmp File created: C:\Users\user\Desktop\UUUUUUUUUUUUUU (copy) entropy: 7.9966548855 Jump to dropped file
Source: C:\ProgramData\8234.tmp File created: C:\Users\user\Desktop\VVVVVVVVVVVVVV (copy) entropy: 7.9966548855 Jump to dropped file
Source: C:\ProgramData\8234.tmp File created: C:\Users\user\Desktop\WWWWWWWWWWWWWW (copy) entropy: 7.9966548855 Jump to dropped file
Source: C:\ProgramData\8234.tmp File created: C:\Users\user\Desktop\XXXXXXXXXXXXXX (copy) entropy: 7.9966548855 Jump to dropped file
Source: C:\ProgramData\8234.tmp File created: C:\Users\user\Desktop\YYYYYYYYYYYYYY (copy) entropy: 7.9966548855 Jump to dropped file
Source: C:\ProgramData\8234.tmp File created: C:\Users\user\Desktop\ZZZZZZZZZZZZZZ (copy) entropy: 7.9966548855 Jump to dropped file

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: kDRn5EwG6a.exe, type: SAMPLE Matched rule: Windows_Ransomware_Lockbit_369e1e94 Author: unknown
Source: 0.2.kDRn5EwG6a.exe.af0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Lockbit_369e1e94 Author: unknown
Source: 0.0.kDRn5EwG6a.exe.af0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Lockbit_369e1e94 Author: unknown
Source: 00000000.00000002.2020403247.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Lockbit_369e1e94 Author: unknown
Source: 00000000.00000000.1610316669.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Lockbit_369e1e94 Author: unknown
Contains functionality to call native functions
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe Code function: 0_2_00B004B4 GetTempFileNameW,CreateFileW,WriteFile,CreateProcessW,NtQueryInformationProcess,NtReadVirtualMemory,NtProtectVirtualMemory,NtWriteVirtualMemory,CreateNamedPipeW,ResumeThread,ConnectNamedPipe, 0_2_00B004B4
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe Code function: 0_2_00AF9880 NtClose, 0_2_00AF9880
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe Code function: 0_2_00AF6C98 NtQueryInformationToken, 0_2_00AF6C98
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe Code function: 0_2_00B07034 CreateThread,CreateThread,CreateThread,CreateThread,NtTerminateThread,CreateThread,CreateThread, 0_2_00B07034
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe Code function: 0_2_00AFDC60 NtTerminateProcess, 0_2_00AFDC60
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe Code function: 0_2_00AFB470 NtProtectVirtualMemory, 0_2_00AFB470
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe Code function: 0_2_00AFB444 NtSetInformationThread, 0_2_00AFB444
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe Code function: 0_2_00AFE1E8 CreateThread,NtClose, 0_2_00AFE1E8
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe Code function: 0_2_00AF6668 CreateFileW,NtAllocateVirtualMemory,WriteFile,SetFilePointerEx,NtFreeVirtualMemory,DeleteFileW, 0_2_00AF6668
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe Code function: 0_2_00AFDE78 SetThreadPriority,ReadFile,WriteFile,WriteFile,NtClose, 0_2_00AFDE78
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe Code function: 0_2_00AFB674 NtQueryInformationToken, 0_2_00AFB674
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe Code function: 0_2_00AF7E58 NtQuerySystemInformation,Sleep, 0_2_00AF7E58
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe Code function: 0_2_00AFC3F8 CreateFileW,WriteFile,RegCreateKeyExW,RegSetValueExW,RegCreateKeyExW,RegSetValueExW,SHChangeNotify,NtClose, 0_2_00AFC3F8
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe Code function: 0_2_00AFB3C0 NtSetInformationThread,NtClose, 0_2_00AFB3C0
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe Code function: 0_2_00AF97D8 NtQuerySystemInformation, 0_2_00AF97D8
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe Code function: 0_2_00AFB734 NtSetInformationProcess,NtSetInformationProcess,NtSetInformationProcess, 0_2_00AFB734
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe Code function: 0_2_00AF8F68 RtlAdjustPrivilege,NtSetInformationThread, 0_2_00AF8F68
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe Code function: 0_2_00AF982A NtQuerySystemInformation, 0_2_00AF982A
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe Code function: 0_2_00AF9811 NtQuerySystemInformation, 0_2_00AF9811
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe Code function: 0_2_00AF7EA3 NtQuerySystemInformation,Sleep, 0_2_00AF7EA3
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe Code function: 0_2_00AF7E8A NtQuerySystemInformation,Sleep, 0_2_00AF7E8A
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe Code function: 0_2_00AF8F66 RtlAdjustPrivilege,NtSetInformationThread, 0_2_00AF8F66
Source: C:\ProgramData\8234.tmp Code function: 9_2_00402760 CreateFileW,ReadFile,NtClose, 9_2_00402760
Source: C:\ProgramData\8234.tmp Code function: 9_2_0040286C NtSetInformationProcess,NtSetInformationProcess,NtSetInformationProcess, 9_2_0040286C
Source: C:\ProgramData\8234.tmp Code function: 9_2_00402F18 CreateFileW,NtAllocateVirtualMemory,WriteFile,SetFilePointerEx,SetFilePointerEx,NtFreeVirtualMemory,NtClose,DeleteFileW, 9_2_00402F18
Source: C:\ProgramData\8234.tmp Code function: 9_2_00401DC2 NtProtectVirtualMemory, 9_2_00401DC2
Source: C:\ProgramData\8234.tmp Code function: 9_2_00401D94 NtSetInformationThread, 9_2_00401D94
Source: C:\ProgramData\8234.tmp Code function: 9_2_004016B4 NtAllocateVirtualMemory,NtAllocateVirtualMemory, 9_2_004016B4
Contains functionality to communicate with device drivers
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe Code function: 0_2_00AFA68C: GetVolumeNameForVolumeMountPointW,FindFirstVolumeW,GetVolumePathNamesForVolumeNameW,GetDriveTypeW,CreateFileW,DeviceIoControl, 0_2_00AFA68C
Creates files inside the system directory
Source: C:\Windows\splwow64.exe File created: C:\Windows\system32\spool\PRINTERS\00002.SPL
Detected potential crypto function
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe Code function: 0_2_00AF20AC 0_2_00AF20AC
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe Code function: 0_2_00AF80B8 0_2_00AF80B8
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe Code function: 0_2_00AF4D08 0_2_00AF4D08
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe Code function: 0_2_00AF4D03 0_2_00AF4D03
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe Code function: 0_2_00AF5218 0_2_00AF5218
Enables security privileges
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe Process token adjusted: Security
Tries to load missing DLLs
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe Section loaded: logoncli.dll Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe Section loaded: activeds.dll Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe Section loaded: adsldpc.dll Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe Section loaded: gpedit.dll Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe Section loaded: dssec.dll Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe Section loaded: dsuiext.dll Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe Section loaded: framedynos.dll Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe Section loaded: dsrole.dll Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe Section loaded: ntdsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe Section loaded: authz.dll Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe Section loaded: adsldp.dll Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe Section loaded: mscms.dll Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe Section loaded: coloradapterclient.dll Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\ProgramData\8234.tmp Section loaded: apphelp.dll
Source: C:\ProgramData\8234.tmp Section loaded: rstrtmgr.dll
Source: C:\ProgramData\8234.tmp Section loaded: ncrypt.dll
Source: C:\ProgramData\8234.tmp Section loaded: ntasn1.dll
Source: C:\ProgramData\8234.tmp Section loaded: windows.storage.dll
Source: C:\ProgramData\8234.tmp Section loaded: wldp.dll
Source: C:\ProgramData\8234.tmp Section loaded: kernel.appcore.dll
Source: C:\ProgramData\8234.tmp Section loaded: uxtheme.dll
Source: C:\ProgramData\8234.tmp Section loaded: propsys.dll
Source: C:\ProgramData\8234.tmp Section loaded: profapi.dll
Source: C:\ProgramData\8234.tmp Section loaded: edputil.dll
Source: C:\ProgramData\8234.tmp Section loaded: urlmon.dll
Source: C:\ProgramData\8234.tmp Section loaded: iertutil.dll
Source: C:\ProgramData\8234.tmp Section loaded: srvcli.dll
Source: C:\ProgramData\8234.tmp Section loaded: netutils.dll
Source: C:\ProgramData\8234.tmp Section loaded: windows.staterepositoryps.dll
Source: C:\ProgramData\8234.tmp Section loaded: sspicli.dll
Source: C:\ProgramData\8234.tmp Section loaded: wintypes.dll
Source: C:\ProgramData\8234.tmp Section loaded: appresolver.dll
Source: C:\ProgramData\8234.tmp Section loaded: bcp47langs.dll
Source: C:\ProgramData\8234.tmp Section loaded: slc.dll
Source: C:\ProgramData\8234.tmp Section loaded: userenv.dll
Source: C:\ProgramData\8234.tmp Section loaded: sppc.dll
Source: C:\ProgramData\8234.tmp Section loaded: onecorecommonproxystub.dll
Source: C:\ProgramData\8234.tmp Section loaded: onecoreuapcommonproxystub.dll
Uses 32bit PE files
Source: kDRn5EwG6a.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: kDRn5EwG6a.exe, type: SAMPLE Matched rule: Windows_Ransomware_Lockbit_369e1e94 reference_sample = d61af007f6c792b8fb6c677143b7d0e2533394e28c50737588e40da475c040ee, os = windows, severity = x86, creation_date = 2022-07-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Lockbit, fingerprint = 9cf4c112c0ee708ae64052926681e8351f1ccefeb558c41e875dbd9e4bdcb5f2, id = 369e1e94-3fbb-4828-bb78-89d26e008105, last_modified = 2022-07-18
Source: 0.2.kDRn5EwG6a.exe.af0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Lockbit_369e1e94 reference_sample = d61af007f6c792b8fb6c677143b7d0e2533394e28c50737588e40da475c040ee, os = windows, severity = x86, creation_date = 2022-07-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Lockbit, fingerprint = 9cf4c112c0ee708ae64052926681e8351f1ccefeb558c41e875dbd9e4bdcb5f2, id = 369e1e94-3fbb-4828-bb78-89d26e008105, last_modified = 2022-07-18
Source: 0.0.kDRn5EwG6a.exe.af0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Lockbit_369e1e94 reference_sample = d61af007f6c792b8fb6c677143b7d0e2533394e28c50737588e40da475c040ee, os = windows, severity = x86, creation_date = 2022-07-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Lockbit, fingerprint = 9cf4c112c0ee708ae64052926681e8351f1ccefeb558c41e875dbd9e4bdcb5f2, id = 369e1e94-3fbb-4828-bb78-89d26e008105, last_modified = 2022-07-18
Source: 00000000.00000002.2020403247.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Lockbit_369e1e94 reference_sample = d61af007f6c792b8fb6c677143b7d0e2533394e28c50737588e40da475c040ee, os = windows, severity = x86, creation_date = 2022-07-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Lockbit, fingerprint = 9cf4c112c0ee708ae64052926681e8351f1ccefeb558c41e875dbd9e4bdcb5f2, id = 369e1e94-3fbb-4828-bb78-89d26e008105, last_modified = 2022-07-18
Source: 00000000.00000000.1610316669.0000000000AF1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Lockbit_369e1e94 reference_sample = d61af007f6c792b8fb6c677143b7d0e2533394e28c50737588e40da475c040ee, os = windows, severity = x86, creation_date = 2022-07-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Lockbit, fingerprint = 9cf4c112c0ee708ae64052926681e8351f1ccefeb558c41e875dbd9e4bdcb5f2, id = 369e1e94-3fbb-4828-bb78-89d26e008105, last_modified = 2022-07-18
Source: classification engine Classification label: mal100.rans.phis.spyw.evad.winEXE@9/1664@0/0
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\0725e43da15431db6320c02378cb15ad
Source: C:\ProgramData\8234.tmp Mutant created: \Sessions\1\BaseNamedObjects\Global\{649F4E29-16CB-DD42-8922-9FFF0592856B}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7836:120:WilError_03
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Temp\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\compatibility.ini Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: kDRn5EwG6a.exe Virustotal: Detection: 84%
Source: unknown Process created: C:\Users\user\Desktop\kDRn5EwG6a.exe "C:\Users\user\Desktop\kDRn5EwG6a.exe"
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288
Source: unknown Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE /insertdoc "C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\{8E059DBB-EA78-4B74-B8B9-67A43F643691}.xps" 133561592001010000
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe Process created: C:\ProgramData\8234.tmp "C:\ProgramData\8234.tmp"
Source: C:\ProgramData\8234.tmp Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\8234.tmp >> NUL
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288 Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe Process created: C:\ProgramData\8234.tmp "C:\ProgramData\8234.tmp" Jump to behavior
Source: C:\ProgramData\8234.tmp Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\8234.tmp >> NUL
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CB8555CC-9128-11D1-AD9B-00C04FD8FDFF}\InprocServer32 Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File written: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\desktop.ini Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common
Source: kDRn5EwG6a.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: kDRn5EwG6a.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: \Device\HarddiskVolume3\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ownload.errort source: kDRn5EwG6a.exe, 00000000.00000003.1656776187.00000000015E7000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000003.1657703326.00000000015E7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error.ETx6kDWq1.txt source: kDRn5EwG6a.exe, 00000000.00000003.1656776187.00000000015E7000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000003.1657703326.00000000015E7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \Device\HarddiskVolume3\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\Tx6kDWq1.README.txt} source: kDRn5EwG6a.exe, 00000000.00000003.1659426052.0000000001583000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000003.1657765181.0000000001583000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000003.1660350238.0000000001583000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000003.1656968028.0000000001583000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000003.1658365920.0000000001583000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \\?\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error.ETx6kDWq1 source: kDRn5EwG6a.exe, 00000000.00000003.1668927228.0000000001571000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mi_exe_stub.pdb source: kDRn5EwG6a.exe, 00000000.00000003.1654077880.0000000001602000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \\?\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: kDRn5EwG6a.exe, 00000000.00000003.1659426052.0000000001583000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000003.1657765181.0000000001583000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000003.1656968028.0000000001583000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000003.1658365920.0000000001583000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.errorM source: kDRn5EwG6a.exe, 00000000.00000003.1659426052.0000000001583000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000003.1657765181.0000000001583000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000003.1656968028.0000000001583000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000003.1658365920.0000000001583000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: kDRn5EwG6a.exe, 00000000.00000003.1659426052.0000000001583000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000003.1657765181.0000000001583000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000003.1656968028.0000000001583000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000003.1658365920.0000000001583000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \\?\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb| source: kDRn5EwG6a.exe, 00000000.00000003.1677099903.0000000001549000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000003.1701502675.0000000001549000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000003.1673997074.0000000001549000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000003.1690606751.0000000001546000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000003.1696860366.0000000001549000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000003.1692032818.0000000001549000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000003.1687355185.0000000001549000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000003.1678073114.0000000001549000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000003.1680009642.0000000001549000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000003.1697707942.0000000001549000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000003.1693401163.0000000001549000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000003.1698359299.0000000001549000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000003.1686213979.0000000001549000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000003.1696684951.0000000001549000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000003.1679017705.0000000001549000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000003.1698875053.0000000001549000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000003.1675141611.0000000001549000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000003.1668927228.0000000001546000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000003.1695143301.0000000001546000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000003.1686058312.0000000001549000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000003.1700992629.0000000001546000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000003.1680104442.0000000001549000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000003.1682330746.0000000001549000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000003.1685377843.0000000001549000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000003.1682206348.0000000001549000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000003.1674534425.0000000001549000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000003.1697535105.0000000001549000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000003.1680871278.0000000001549000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe,
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error.ETx6kDWq1 source: kDRn5EwG6a.exe, 00000000.00000003.1690606751.0000000001571000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000003.1677099903.0000000001571000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000003.1673997074.0000000001571000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000003.1674534425.0000000001571000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000003.1685517441.0000000001571000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000003.1685377843.0000000001571000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000003.1668927228.0000000001571000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000003.1687355185.0000000001571000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000003.1686058312.0000000001571000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000003.1675141611.0000000001571000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000003.1686213979.0000000001571000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.errorQ source: kDRn5EwG6a.exe, 00000000.00000003.1657765181.0000000001583000.00000004.00000020.00020000.00000000.sdmp, kDRn5EwG6a.exe, 00000000.00000003.1656968028.0000000001583000.00000004.00000020.00020000.00000000.sdmp
PE file contains an invalid checksum
Source: kDRn5EwG6a.exe Static PE information: real checksum: 0x2486a should be: 0x32b4f
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe Code function: 0_2_00AF61ED push esp; retf 0_2_00AF61F6
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe Code function: 0_2_00AF35D5 push 0000006Ah; retf 0_2_00AF3644
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe Code function: 0_2_00AF35D3 push 0000006Ah; retf 0_2_00AF3644
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe Code function: 0_2_00AF356B push 0000006Ah; retf 0_2_00AF3644
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\Videos\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\Searches\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\Saved Games\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\Recent\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\Pictures\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\Pictures\Saved Pictures\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\Pictures\Camera Roll\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\OneDrive\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\Music\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\Links\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\Favorites\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\Favorites\Links\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\Downloads\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\Documents\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\Documents\ZTGJILHXQB\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\Documents\YPSIACHYXW\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\Documents\XZXHAVGRAG\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\Documents\UMMBDNEQBN\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\Documents\NHPKIZUUSG\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\Documents\MXPXCVPDVN\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\Documents\LSBIHQFDVT\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\Documents\KATAXZVCPS\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\Documents\JSDNGYCOWY\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\Documents\FENIVHOIKN\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\Documents\DTBZGIOOSO\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\Documents\AIXACVYBSB\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\Desktop\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\Desktop\ZTGJILHXQB\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\Desktop\YPSIACHYXW\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\Desktop\XZXHAVGRAG\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\Desktop\UMMBDNEQBN\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\Desktop\NHPKIZUUSG\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\Desktop\MXPXCVPDVN\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\Desktop\LSBIHQFDVT\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\Desktop\KATAXZVCPS\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\Desktop\JSDNGYCOWY\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\Desktop\FENIVHOIKN\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\Desktop\DTBZGIOOSO\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\Desktop\AIXACVYBSB\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\Contacts\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\Skype\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\Skype\RootTools\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\Mozilla\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\to-be-removed\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\temporary\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.files\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3561288849sdhlie.files\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2918063365piupsah.files\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.files\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.files\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.files\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\security_state\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\saved-telemetry-pings\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\minidumps\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\tmp\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\events\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\db\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\events\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\bookmarkbackups\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Pending Pings\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Crash Reports\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Crash Reports\events\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Extensions\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\com.adobe.dunamis\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\com.adobe.dunamis\f2eb6c79-671d-4de2-b7be-3b2eea7abc47\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\com.adobe.dunamis\6d9d9777-7ded-4768-8191-9a707d72b009\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\com.adobe.dunamis\61f56613-c62c-4b17-84dd-62b60d5776aa\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\com.adobe.dunamis\56079431-ea46-4833-94f9-1ff5658cdb1c\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\Adobe\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\Adobe\Sonar\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\Adobe\Sonar\SonarCC\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\Adobe\RTTransfer\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\Adobe\LogTransport2CC\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\Adobe\LogTransport2\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\Adobe\Linguistics\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\Adobe\Headlights\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\Adobe\Flash Player\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\Adobe\Flash Player\NativeCache\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\Adobe\CRLogs\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\Adobe\CRLogs\crashlogs\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\Adobe\Acrobat\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\Adobe\Acrobat\Preflight Acrobat Continuous\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\Security\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\JSCache\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\Forms\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\Collab\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\LocalLow\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\LocalLow\Adobe\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\LocalLow\Adobe\Linguistics\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cookie\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\VideoDecodeStats\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\shared_proto_db\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\shared_proto_db\metadata\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\wasm\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\wasm\index-dir\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\index-dir\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Cache\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Cache\Cache_Data\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\blob_storage\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\blob_storage\d1702bdf-c0c8-42c3-b6d9-e52fd0a57b16\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\LocalLow\Adobe\Acrobat\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\assets\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\Acrobat\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\Acrobat\DesktopNotification\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\Acrobat\DesktopNotification\NotificationsDB\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\VirtualStore\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Temp\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Temp\Symbols\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Temp\mozilla-temp-files\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Temp\Low\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Temp\Diagnostics\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Temp\Diagnostics\EXCEL\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\Acrobat\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\Acrobat\DC\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\Acrobat\DC\SearchEmbdIndex\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Temp\acrocef_low\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Temp\acrobat_sbx\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Temp\acrobat_sbx\Adobe\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Temp\acrobat_sbx\Adobe\Acrobat\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Temp\acrobat_sbx\Adobe\Acrobat\DC\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\SolidDocuments\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\SolidDocuments\Acrobat\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Publishers\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Publishers\8wekyb3d8bbwe\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Publishers\8wekyb3d8bbwe\SettingsContainer\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Publishers\8wekyb3d8bbwe\Microsoft.WindowsAlarms\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Publishers\8wekyb3d8bbwe\Licenses\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Publishers\8wekyb3d8bbwe\Fonts\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\PlaceholderTileLogoFolder\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\PeerDistRepub\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\windows_ie_ac_001\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\windows_ie_ac_001\AC\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\windows_ie_ac_001\AC\Temp\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\TempState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\SystemAppData\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\Settings\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\RoamingState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\LocalState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\LocalCache\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\AppData\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\AC\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\AC\Temp\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\TempState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\SystemAppData\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\Settings\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\RoamingState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalCache\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\AppData\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\AC\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Windows.CBSPreview_cw5n1h2txyewy\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Windows.CBSPreview_cw5n1h2txyewy\TempState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Windows.CBSPreview_cw5n1h2txyewy\SystemAppData\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Windows.CBSPreview_cw5n1h2txyewy\Settings\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Windows.CBSPreview_cw5n1h2txyewy\RoamingState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Windows.CBSPreview_cw5n1h2txyewy\LocalState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Windows.CBSPreview_cw5n1h2txyewy\LocalCache\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Windows.CBSPreview_cw5n1h2txyewy\AppData\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Windows.CBSPreview_cw5n1h2txyewy\AC\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Windows.CBSPreview_cw5n1h2txyewy\AC\Temp\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\TempState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\SystemAppData\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\Settings\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\RoamingState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\LocalState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\LocalCache\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\AppData\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\AC\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\AC\Temp\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\TempState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\SystemAppData\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\Settings\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\RoamingState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\LocalState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\LocalCache\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\AppData\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\AC\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\AC\Temp\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SystemAppData\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\Settings\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\RoamingState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalCache\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AppData\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Temp\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\TempState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\SystemAppData\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\Settings\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\RoamingState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\LocalState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\LocalCache\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\AppData\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\AC\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\AC\Temp\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\TempState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\SystemAppData\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\Settings\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\RoamingState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\LocalState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\LocalCache\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\AppData\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\AC\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\AC\Temp\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\TempState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\SystemAppData\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\Settings\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\RoamingState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\LocalState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\LocalCache\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\AppData\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\AC\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\AC\Temp\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\TempState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\SystemAppData\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\Settings\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\RoamingState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\LocalState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\LocalCache\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\AppData\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\AC\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\AC\Temp\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\TempState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\SystemAppData\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\Settings\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\RoamingState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\LocalState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\LocalCache\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\AppData\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\AC\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\AC\Temp\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\TempState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\SystemAppData\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\Settings\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\RoamingState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\LocalState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\LocalState\DiagOutputDir\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\LocalCache\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\AppData\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\AC\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\AC\Temp\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\TempState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\SystemAppData\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\Settings\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\RoamingState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\LocalState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\LocalCache\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\AppData\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\AC\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\AC\Temp\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxApp_8wekyb3d8bbwe\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxApp_8wekyb3d8bbwe\TempState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxApp_8wekyb3d8bbwe\SystemAppData\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxApp_8wekyb3d8bbwe\Settings\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxApp_8wekyb3d8bbwe\RoamingState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxApp_8wekyb3d8bbwe\LocalState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxApp_8wekyb3d8bbwe\LocalCache\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxApp_8wekyb3d8bbwe\AppData\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxApp_8wekyb3d8bbwe\AC\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxApp_8wekyb3d8bbwe\AC\Temp\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Xbox.TCUI_8wekyb3d8bbwe\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Xbox.TCUI_8wekyb3d8bbwe\TempState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Xbox.TCUI_8wekyb3d8bbwe\SystemAppData\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Xbox.TCUI_8wekyb3d8bbwe\Settings\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Xbox.TCUI_8wekyb3d8bbwe\RoamingState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Xbox.TCUI_8wekyb3d8bbwe\LocalState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Xbox.TCUI_8wekyb3d8bbwe\LocalCache\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Xbox.TCUI_8wekyb3d8bbwe\AppData\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Xbox.TCUI_8wekyb3d8bbwe\AC\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Xbox.TCUI_8wekyb3d8bbwe\AC\Temp\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\TempState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\SystemAppData\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\Settings\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\RoamingState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\LocalState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\LocalCache\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\AppData\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\AC\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\AC\Temp\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\TempState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\SystemAppData\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\Settings\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\RoamingState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\LocalState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\LocalCache\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\AppData\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\AC\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\AC\Temp\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsMaps_8wekyb3d8bbwe\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsMaps_8wekyb3d8bbwe\TempState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsMaps_8wekyb3d8bbwe\SystemAppData\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsMaps_8wekyb3d8bbwe\Settings\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsMaps_8wekyb3d8bbwe\RoamingState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsMaps_8wekyb3d8bbwe\LocalState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsMaps_8wekyb3d8bbwe\LocalCache\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsMaps_8wekyb3d8bbwe\AppData\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsMaps_8wekyb3d8bbwe\AC\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsMaps_8wekyb3d8bbwe\AC\Temp\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\TempState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\SystemAppData\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\Settings\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\RoamingState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\LocalState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\LocalCache\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\AppData\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\AC\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\AC\Temp\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\TempState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\SystemAppData\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\Settings\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\RoamingState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalCache\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\AppData\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\AC\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\AC\Temp\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\AC\BackgroundTransferApi\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCamera_8wekyb3d8bbwe\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCamera_8wekyb3d8bbwe\TempState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCamera_8wekyb3d8bbwe\SystemAppData\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCamera_8wekyb3d8bbwe\Settings\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCamera_8wekyb3d8bbwe\RoamingState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCamera_8wekyb3d8bbwe\LocalState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCamera_8wekyb3d8bbwe\LocalCache\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCamera_8wekyb3d8bbwe\AppData\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCamera_8wekyb3d8bbwe\AC\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCamera_8wekyb3d8bbwe\AC\Temp\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCalculator_8wekyb3d8bbwe\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCalculator_8wekyb3d8bbwe\TempState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCalculator_8wekyb3d8bbwe\SystemAppData\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCalculator_8wekyb3d8bbwe\Settings\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCalculator_8wekyb3d8bbwe\RoamingState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCalculator_8wekyb3d8bbwe\LocalState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCalculator_8wekyb3d8bbwe\LocalCache\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCalculator_8wekyb3d8bbwe\AppData\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCalculator_8wekyb3d8bbwe\AC\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCalculator_8wekyb3d8bbwe\AC\Temp\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsAlarms_8wekyb3d8bbwe\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsAlarms_8wekyb3d8bbwe\TempState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsAlarms_8wekyb3d8bbwe\SystemAppData\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsAlarms_8wekyb3d8bbwe\Settings\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsAlarms_8wekyb3d8bbwe\RoamingState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsAlarms_8wekyb3d8bbwe\LocalState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsAlarms_8wekyb3d8bbwe\LocalCache\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsAlarms_8wekyb3d8bbwe\AppData\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsAlarms_8wekyb3d8bbwe\AC\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsAlarms_8wekyb3d8bbwe\AC\Temp\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\TempState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\SystemAppData\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\Settings\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\RoamingState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\LocalState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\LocalCache\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\AppData\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\AC\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\AC\Temp\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\SystemAppData\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\Settings\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\RoamingState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\LocalState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\LocalCache\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\AppData\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\AC\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\AC\Temp\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\TempState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\SystemAppData\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\Settings\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\RoamingState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\LocalState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\LocalCache\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\AppData\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\AC\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\AC\Temp\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\TempState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\SystemAppData\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\Settings\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\RoamingState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\LocalState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\LocalCache\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\AppData\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\AC\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\AC\Temp\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\TempState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SystemAppData\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\Settings\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\RoamingState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\LocalState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\LocalCache\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\AppData\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\AC\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\AC\Temp\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\TempState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\SystemAppData\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\Settings\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\RoamingState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ShellFeeds\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\Flighting\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{97b27011-f8cc-4ac9-9531-d6ee8ce92324}\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{76cc83ea-ae96-47fc-9329-459e5ad2d67b}\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{0f31ce30-ed3d-4588-b294-208da23711e6}\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{2c33d893-bc92-487f-aede-304ebfc79509}\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{1bd7b6da-f477-41fa-aea6-ebf2b36dfb2f}\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalCache\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AppData\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AppData\Indexed DB\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AppData\CacheStorage\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Temp\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\TempState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\SystemAppData\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\Settings\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\RoamingState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\LocalState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\LocalCache\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\AppData\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\AC\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\AC\Temp\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\TempState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\SystemAppData\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\Settings\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\RoamingState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\LocalState\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\LocalCache\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\AppData\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\AC\ETx6kDWq1.README.txt Jump to behavior

Hooking and other Techniques for Hiding and Protection
barindex
Deletes itself after installation
Source: C:\ProgramData\8234.tmp Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\8234.tmp >> NUL
Source: C:\ProgramData\8234.tmp Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\8234.tmp >> NUL
Contains functionality to clear windows event logs (to hide its activities)
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe Code function: 0_2_00AF91C8 RegCreateKeyExW,RegEnumKeyW,RegCreateKeyExW,RegSetValueExW,RegSetValueExW,OpenEventLogW,ClearEventLogW,RegCreateKeyExW,RegEnumKeyW,OpenEventLogW,ClearEventLogW, 0_2_00AF91C8
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\ProgramData\8234.tmp Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
Source: C:\ProgramData\8234.tmp Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\ProgramData\8234.tmp Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
Source: C:\ProgramData\8234.tmp Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
Source: C:\ProgramData\8234.tmp Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
Source: C:\ProgramData\8234.tmp Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\ProgramData\8234.tmp Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
Source: C:\ProgramData\8234.tmp Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
Source: C:\ProgramData\8234.tmp Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
Source: C:\ProgramData\8234.tmp Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
Source: C:\ProgramData\8234.tmp Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
Source: C:\ProgramData\8234.tmp Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
Source: C:\ProgramData\8234.tmp Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
Source: C:\ProgramData\8234.tmp Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX

Malware Analysis System Evasion
barindex
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe Code function: 0_2_00AF10BC 0_2_00AF10BC
Source: C:\ProgramData\8234.tmp Code function: 9_2_00401E28 9_2_00401E28
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe Code function: 0_2_00AF10BC rdtsc 0_2_00AF10BC
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe Code function: 0_2_00AF74BC FindFirstFileExW,FindNextFileW,FindClose, 0_2_00AF74BC
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe Code function: 0_2_00AFA094 FindFirstFileExW,FindClose, 0_2_00AFA094
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe Code function: 0_2_00AF5C24 FindFirstFileW,FindClose,FindNextFileW,FindClose, 0_2_00AF5C24
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe Code function: 0_2_00AF7590 FindFirstFileExW, 0_2_00AF7590
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe Code function: 0_2_00AF766C FindFirstFileExW,GetFileAttributesW,FindNextFileW, 0_2_00AF766C
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe Code function: 0_2_00AFF308 GetFileAttributesW,SetThreadPriority,FindFirstFileExW,FindNextFileW,FindClose, 0_2_00AFF308
Source: C:\ProgramData\8234.tmp Code function: 9_2_0040227C FindFirstFileExW, 9_2_0040227C
Source: C:\ProgramData\8234.tmp Code function: 9_2_0040152C FindFirstFileExW,FindClose,FindNextFileW,FindClose, 9_2_0040152C
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe Code function: 0_2_00AF7468 GetLogicalDriveStringsW,GetDriveTypeW, 0_2_00AF7468
Source: C:\Windows\splwow64.exe Thread delayed: delay time: 120000
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\Acrobat\ Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Local\Temp\Diagnostics\ Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\ Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\ Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\Acrobat\DC\ Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Local\Temp\Diagnostics\EXCEL\ Jump to behavior
Source: BrowserMetrics-651D45F1-18C8.pma.ETx6kDWq1.0.dr Binary or memory string: h?VMCI\
Source: kDRn5EwG6a.exe, 00000000.00000003.1704343971.0000000001644000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: *|vmware workstation 15 player*|vmplayer6438
Source: kDRn5EwG6a.exe, 00000000.00000003.1704343971.0000000001644000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: *|vmware horizon client*|vm ware8394
Source: kDRn5EwG6a.exe, 00000000.00000003.1702588339.0000000001698000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: hyper-v:wux:hyper-v~
Source: kDRn5EwG6a.exe, 00000000.00000003.1704343971.0000000001644000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: *|vmware vsphere client*|vspe6388
Source: kDRn5EwG6a.exe, 00000000.00000003.1704343971.0000000001644000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: *|vmware horizon client*|vdi3894
Source: kDRn5EwG6a.exe, 00000000.00000003.1704343971.0000000001644000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: *|*|qemu10642
Source: kDRn5EwG6a.exe, 00000000.00000003.1704343971.0000000001644000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: *|vmware horizon client*|view5503
Source: 8234.tmp, 00000009.00000002.2026938069.00000000006C4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\d-
Source: kDRn5EwG6a.exe, 00000000.00000003.1704343971.0000000001644000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: *|vmware workstation 12 player*|vmpl5459
Source: kDRn5EwG6a.exe, 00000000.00000003.1704343971.0000000001644000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: *|*|vmware6886
Source: kDRn5EwG6a.exe, 00000000.00000003.1854122405.0000000001665000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: kDRn5EwG6a.exe, 00000000.00000003.1704343971.0000000001644000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: *|vmware vsphere client*|vcenter5038
Source: kDRn5EwG6a.exe, 00000000.00000003.1704343971.0000000001644000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: *|vmware horizon client*|vmare7220
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe Process information queried: ProcessInformation

Anti Debugging
barindex
Hides threads from debuggers
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\ProgramData\8234.tmp Thread information set: HideFromDebugger
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe Code function: 0_2_00AF10BC rdtsc 0_2_00AF10BC
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe Code function: 0_2_00AF5A20 LdrLoadDll, 0_2_00AF5A20
Enables debug privileges
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion
barindex
Writes to foreign memory regions
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe Memory written: C:\ProgramData\8234.tmp base: 401000 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe Process created: C:\ProgramData\8234.tmp "C:\ProgramData\8234.tmp" Jump to behavior
Source: C:\ProgramData\8234.tmp Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\8234.tmp >> NUL
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe Code function: 0_2_00AF10BC cpuid 0_2_00AF10BC
Contains functionality to query locales information (e.g. system language)
Source: C:\ProgramData\8234.tmp Code function: EntryPoint,ExitProcess,GetModuleHandleW,GetCommandLineW,GetModuleHandleA,GetCommandLineW,GetLocaleInfoW,GetLastError,FreeLibrary,FreeLibrary,GetProcAddress,CreateWindowExW,DefWindowProcW,GetWindowTextW,LoadMenuW,LoadMenuW,DefWindowProcW,SetTextColor,GetTextCharset,TextOutW,SetTextColor,GetTextColor,CreateFontW,GetTextColor,CreateDIBitmap,SelectObject,GetTextColor,CreateFontW, 9_2_00403983
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe Code function: 0_2_00B004B4 GetTempFileNameW,CreateFileW,WriteFile,CreateProcessW,NtQueryInformationProcess,NtReadVirtualMemory,NtProtectVirtualMemory,NtWriteVirtualMemory,CreateNamedPipeW,ResumeThread,ConnectNamedPipe, 0_2_00B004B4

Lowering of HIPS / PFW / Operating System Security Settings
barindex
Overwrites Mozilla Firefox settings
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\to-be-removed\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\temporary\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.files\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3561288849sdhlie.files\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2918063365piupsah.files\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.files\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.files\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.files\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\security_state\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\saved-telemetry-pings\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\minidumps\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\tmp\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\events\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\db\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\events\ETx6kDWq1.README.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\bookmarkbackups\ETx6kDWq1.README.txt Jump to behavior

Stealing of Sensitive Information
barindex
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\1696333829702.cde8135c-88c3-4c34-8670-7ef017742548.new-profile.jsonlz4 Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\events\background-update Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\1696333834620.c7889da7-33f0-4599-8452-58d47c58437b.main.jsonlz4 Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shm Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\content-prefs.sqlite Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\shield-preference-experiments.json.ETx6kDWq1 Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\targeting.snapshot.json.ETx6kDWq1 Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite-shm Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\times.json.ETx6kDWq1 Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\1696333829744.7278f154-e8f4-4235-84c5-c5c1c6af0084.main.jsonlz4 Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\808127e8-e7ed-4078-b3f3-7f09061a011f.ETx6kDWq1 Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\1435a377-bbaf-4c9c-8706-0811a779fa3f Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\.metadata-v2 Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\protections.sqlite Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shm.ETx6kDWq1 Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\808127e8-e7ed-4078-b3f3-7f09061a011f Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore.jsonlz4.ETx6kDWq1 Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\times.json Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\permissions.sqlite Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\1696333834606.011115ff-9301-40fc-805e-ba07b7fdfce4.event.jsonlz4.ETx6kDWq1 Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\search.json.mozlz4.ETx6kDWq1 Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-shm.ETx6kDWq1 Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extension-preferences.json.ETx6kDWq1 Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\webappsstore.sqlite Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\1696333857860.81ddb4cc-1d49-45f2-961f-e24ea6db2be5.health.jsonlz4 Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\.metadata-v2.ETx6kDWq1 Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite.ETx6kDWq1 Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\saved-telemetry-pings\6fc53411-ad83-4cf6-a5f6-905f0f3f52e8.ETx6kDWq1 Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite.ETx6kDWq1 Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shm Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\events\events.ETx6kDWq1 Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\Telemetry.FailedProfileLocks.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\12f997af-c065-4562-b9f6-11000bb95c9b Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\events\background-update.ETx6kDWq1 Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\xulstore.json Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\1d5599c8-3f43-42cc-8163-9a43c60a06d1 Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\1696333834580.6fc53411-ad83-4cf6-a5f6-905f0f3f52e8.health.jsonlz4 Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite.ETx6kDWq1 Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite.ETx6kDWq1 Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shm.ETx6kDWq1 Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\277ffbb3-8e94-4f3f-acac-7a401d130160.ETx6kDWq1 Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\Telemetry.FailedProfileLocks.txt.ETx6kDWq1 Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite-shm.ETx6kDWq1 Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\compatibility.ini Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\ls-archive.sqlite.ETx6kDWq1 Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite-shm Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\pkcs11.txt.ETx6kDWq1 Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\pkcs11.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite-shm.ETx6kDWq1 Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\previous.jsonlz4.ETx6kDWq1 Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\1696333857869.95af30ae-acac-4802-b983-233d7fd3cf34.main.jsonlz4.ETx6kDWq1 Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\78267ebf-1fb3-4b11-82e9-903e54a2a54e Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db.ETx6kDWq1 Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\permissions.sqlite.ETx6kDWq1 Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite-shm.ETx6kDWq1 Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\1696333834620.c7889da7-33f0-4599-8452-58d47c58437b.main.jsonlz4.ETx6kDWq1 Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4 Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\1696333857833.45e26519-596d-41a5-b290-e547b44111fd.health.jsonlz4.ETx6kDWq1 Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage.sqlite Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\AlternateServices.txt.ETx6kDWq1 Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\1696333834580.6fc53411-ad83-4cf6-a5f6-905f0f3f52e8.health.jsonlz4.ETx6kDWq1 Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\1696333834608.65054280-9d54-477d-a3ea-afcb1f88e001.health.jsonlz4.ETx6kDWq1 Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\times.json Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\1d5599c8-3f43-42cc-8163-9a43c60a06d1.ETx6kDWq1 Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\1696333829737.9f7a5e7a-2be0-4ff7-b132-b1f6e59a8e58.event.jsonlz4.ETx6kDWq1 Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js.ETx6kDWq1 Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\saved-telemetry-pings\6fc53411-ad83-4cf6-a5f6-905f0f3f52e8 Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\15f01145-7764-450b-9ad5-323693350a9c.ETx6kDWq1 Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\1696333829746.67aa4432-87f8-463e-b422-f6679add9971.first-shutdown.jsonlz4 Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\saved-telemetry-pings\7278f154-e8f4-4235-84c5-c5c1c6af0084 Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4.ETx6kDWq1 Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shm Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\saved-telemetry-pings\45e26519-596d-41a5-b290-e547b44111fd Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionCheckpoints.json.ETx6kDWq1 Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite-shm Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\a5d6ec76-765c-4778-afd2-1e05a1554d8e Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\handlers.json Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\12f997af-c065-4562-b9f6-11000bb95c9b.ETx6kDWq1 Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\a7174184-f177-48c4-876a-8a51c2ed8fbc.ETx6kDWq1 Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite.ETx6kDWq1 Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\78267ebf-1fb3-4b11-82e9-903e54a2a54e.ETx6kDWq1 Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite.ETx6kDWq1 Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\1696333857860.a73949a2-5a70-4025-8008-88156c16bb4a.event.jsonlz4.ETx6kDWq1 Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\1696333829746.67aa4432-87f8-463e-b422-f6679add9971.first-shutdown.jsonlz4.ETx6kDWq1 Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shm.ETx6kDWq1 Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\7d12ac42-15c3-4db9-abfe-259bc8d249ac Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite-shm.ETx6kDWq1 Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\state.json.ETx6kDWq1 Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\shield-preference-experiments.json Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\session-state.json.ETx6kDWq1 Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\15f01145-7764-450b-9ad5-323693350a9c Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\previous.jsonlz4 Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\content-prefs.sqlite.ETx6kDWq1 Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\times.json.ETx6kDWq1 Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\webappsstore.sqlite-shm.ETx6kDWq1 Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\protections.sqlite.ETx6kDWq1 Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\1696333857833.45e26519-596d-41a5-b290-e547b44111fd.health.jsonlz4 Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore.jsonlz4 Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\containers.json.ETx6kDWq1 Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-shm Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\webappsstore.sqlite-shm Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\state.json Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\1696333857860.a73949a2-5a70-4025-8008-88156c16bb4a.event.jsonlz4 Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage.sqlite.ETx6kDWq1 Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\saved-telemetry-pings\7278f154-e8f4-4235-84c5-c5c1c6af0084.ETx6kDWq1 Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\a7174184-f177-48c4-876a-8a51c2ed8fbc Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\1696333829737.9f7a5e7a-2be0-4ff7-b132-b1f6e59a8e58.event.jsonlz4 Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite.ETx6kDWq1 Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\handlers.json.ETx6kDWq1 Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\1696333834608.65054280-9d54-477d-a3ea-afcb1f88e001.health.jsonlz4 Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionCheckpoints.json Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\containers.json Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\events\events Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\xulstore.json.ETx6kDWq1 Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\session-state.json Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\05d02ac8-b2f1-4670-8541-db8ec2bbf427 Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite.ETx6kDWq1 Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\SiteSecurityServiceState.txt.ETx6kDWq1 Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\1696333857869.95af30ae-acac-4802-b983-233d7fd3cf34.main.jsonlz4 Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\a5d6ec76-765c-4778-afd2-1e05a1554d8e.ETx6kDWq1 Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\1696333857860.81ddb4cc-1d49-45f2-961f-e24ea6db2be5.health.jsonlz4.ETx6kDWq1 Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extension-preferences.json Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\7d12ac42-15c3-4db9-abfe-259bc8d249ac.ETx6kDWq1 Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\1435a377-bbaf-4c9c-8706-0811a779fa3f.ETx6kDWq1 Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json.ETx6kDWq1 Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\compatibility.ini.ETx6kDWq1 Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\AlternateServices.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\3a40aaf9-3f8b-43a2-85e8-88e3ffc7666f Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\ls-archive.sqlite Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\SiteSecurityServiceState.txt Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\upgrade.jsonlz4-20230927232528.ETx6kDWq1 Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\saved-telemetry-pings\45e26519-596d-41a5-b290-e547b44111fd.ETx6kDWq1 Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\upgrade.jsonlz4-20230927232528 Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite.ETx6kDWq1 Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\3a40aaf9-3f8b-43a2-85e8-88e3ffc7666f.ETx6kDWq1 Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db.ETx6kDWq1 Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\targeting.snapshot.json Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\search.json.mozlz4 Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json.ETx6kDWq1 Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm.ETx6kDWq1 Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\05d02ac8-b2f1-4670-8541-db8ec2bbf427.ETx6kDWq1 Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\1696333829744.7278f154-e8f4-4235-84c5-c5c1c6af0084.main.jsonlz4.ETx6kDWq1 Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite-shm Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\277ffbb3-8e94-4f3f-acac-7a401d130160 Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini.ETx6kDWq1 Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\webappsstore.sqlite.ETx6kDWq1 Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\1696333829702.cde8135c-88c3-4c34-8670-7ef017742548.new-profile.jsonlz4.ETx6kDWq1 Jump to behavior
Source: C:\Users\user\Desktop\kDRn5EwG6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\1696333834606.011115ff-9301-40fc-805e-ba07b7fdfce4.event.jsonlz4 Jump to behavior
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1417364 Sample: kDRn5EwG6a.exe Startdate: 29/03/2024 Architecture: WINDOWS Score: 100 40 Multi AV Scanner detection for domain / URL 2->40 42 Malicious sample detected (through community Yara rule) 2->42 44 Antivirus detection for URL or domain 2->44 46 6 other signatures 2->46 8 kDRn5EwG6a.exe 32 1002 2->8         started        12 ONENOTE.EXE 2->12         started        process3 file4 24 C:\Users\user\AppData\...\prefs.js.ETx6kDWq1, DOS 8->24 dropped 26 Microsoft_Windows_ControlPanel.ETx6kDWq1, DOS 8->26 dropped 28 Microsoft_Office_O...TE_EXE_15.ETx6kDWq1, DOS 8->28 dropped 30 230 other files (226 malicious) 8->30 dropped 48 Found potential ransomware demand text 8->48 50 Found Tor onion address 8->50 52 Contains functionality to detect hardware virtualization (CPUID execution measurement) 8->52 54 7 other signatures 8->54 14 8234.tmp 8->14         started        18 splwow64.exe 8->18         started        signatures5 process6 file7 32 C:\Users\user\Desktop\kDRn5EwG6a.exe, data 14->32 dropped 34 C:\Users\user\Desktop\ZZZZZZZZZZZZZZ (copy), data 14->34 dropped 36 C:\Users\user\Desktop\YYYYYYYYYYYYYY (copy), data 14->36 dropped 38 24 other malicious files 14->38 dropped 56 Contains functionality to detect hardware virtualization (CPUID execution measurement) 14->56 58 Writes many files with high entropy 14->58 60 Hides threads from debuggers 14->60 62 Deletes itself after installation 14->62 20 cmd.exe 14->20         started        signatures8 process9 process10 22 conhost.exe 20->22         started       
No contacted IP infos