Edit tour

Windows Analysis Report
Document.doc.scr

Overview

General Information

Sample name:	Document.doc.scr
Analysis ID:	1430701
MD5:	ae811bd6440b425e6777f0ca001a9743
SHA1:	70902540ead269971e149eaff568fb17d04156af
SHA256:	86e17aa882c690ede284f3e445439dfe589d8f36e31cbc09d102305499d5c498
Infos:

Detection

LockBit ransomware, TrojanRansom

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found ransom note / readme

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected LockBit ransomware

Yara detected TrojanRansom

Changes the wallpaper picture

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Deletes itself after installation

Hides threads from debuggers

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Modifies existing user documents (likely ransomware behavior)

Overwrites Mozilla Firefox settings

Tries to harvest and steal browser information (history, passwords, etc)

Uses an obfuscated file name to hide its real file extension (double extension)

Writes many files with high entropy

Writes to foreign memory regions

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Enables debug privileges

Enables security privileges

PE file contains an invalid checksum

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Potentially Suspicious Desktop Background Change Via Registry

Uses 32bit PE files

Yara signature match

Classification

Process Tree

System is w10x64

Document.doc.scr (PID: 6084 cmdline: "C:\Users\user\Desktop\Document.doc.scr" /S MD5: AE811BD6440B425E6777F0CA001A9743)

splwow64.exe (PID: 3652 cmdline: C:\Windows\splwow64.exe 12288 MD5: 77DE7761B037061C7C112FD3C5B91E73)

D4EC.tmp (PID: 5616 cmdline: "C:\ProgramData\D4EC.tmp" MD5: 294E9F64CB1642DD89229FFF0592856B)

cmd.exe (PID: 4824 cmdline: "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\D4EC.tmp >> NUL MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 2516 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

ONENOTE.EXE (PID: 4852 cmdline: /insertdoc "C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\{082B68BB-AD41-4487-9321-7D0501AE003B}.xps" 133583950932070000 MD5: 0061760D72416BCF5F2D9FA6564F0BEA)

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
Document.doc.scr	JoeSecurity_LockBit_ransomware	Yara detected LockBit ransomware	Joe Security
Document.doc.scr	Windows_Ransomware_Lockbit_369e1e94	unknown	unknown	0x1861d:$a2: 8B EC 53 56 57 33 C0 8B 5D 14 33 C9 33 D2 8B 75 0C 8B 7D 08 85 F6 74 33 55 8B 6D 10 8A 54 0D 00 02 D3 8A 5C 15 00 8A 54 1D 00 0x4bc:$a3: 53 51 6A 01 58 0F A2 F7 C1 00 00 00 40 0F 95 C0 84 C0 74 09 0F C7 F0 0F C7 F2 59 5B C3 6A 07 58 33 C9 0F A2 F7 C3 00 00 04 00 0F 95 C0 84 C0 74 09 0F C7 F8 0F C7 FA 59 5B C3 0F 31 8B C8 C1 C9 ...

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000000.2009802642.0000000000D41000.00000020.00000001.01000000.00000003.sdmp	JoeSecurity_LockBit_ransomware	Yara detected LockBit ransomware	Joe Security
00000000.00000000.2009802642.0000000000D41000.00000020.00000001.01000000.00000003.sdmp	Windows_Ransomware_Lockbit_369e1e94	unknown	unknown	0x1841d:$a2: 8B EC 53 56 57 33 C0 8B 5D 14 33 C9 33 D2 8B 75 0C 8B 7D 08 85 F6 74 33 55 8B 6D 10 8A 54 0D 00 02 D3 8A 5C 15 00 8A 54 1D 00 0xbc:$a3: 53 51 6A 01 58 0F A2 F7 C1 00 00 00 40 0F 95 C0 84 C0 74 09 0F C7 F0 0F C7 F2 59 5B C3 6A 07 58 33 C9 0F A2 F7 C3 00 00 04 00 0F 95 C0 84 C0 74 09 0F C7 F8 0F C7 FA 59 5B C3 0F 31 8B C8 C1 C9 ...
Process Memory Space: Document.doc.scr PID: 6084	JoeSecurity_TrojanRansom	Yara detected TrojanRansom	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.Document.doc.scr.d40000.0.unpack	JoeSecurity_LockBit_ransomware	Yara detected LockBit ransomware	Joe Security
0.0.Document.doc.scr.d40000.0.unpack	Windows_Ransomware_Lockbit_369e1e94	unknown	unknown	0x1861d:$a2: 8B EC 53 56 57 33 C0 8B 5D 14 33 C9 33 D2 8B 75 0C 8B 7D 08 85 F6 74 33 55 8B 6D 10 8A 54 0D 00 02 D3 8A 5C 15 00 8A 54 1D 00 0x4bc:$a3: 53 51 6A 01 58 0F A2 F7 C1 00 00 00 40 0F 95 C0 84 C0 74 09 0F C7 F0 0F C7 F2 59 5B C3 6A 07 58 33 C9 0F A2 F7 C3 00 00 04 00 0F 95 C0 84 C0 74 09 0F C7 F8 0F C7 FA 59 5B C3 0F 31 8B C8 C1 C9 ...

Sigma Signatures

System Summary

Sigma detected: Potentially Suspicious Desktop Background Change Via Registry

Source: Registry Key set

Author: Nasreddine Bencherchali (Nextron Systems), Stephen Lincoln @slincoln-aiq (AttackIQ): Data: Details: C:\ProgramData\kZd6jLIwz.bmp, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\Document.doc.scr, ProcessId: 6084, TargetObject: HKEY_CURRENT_USER\Control Panel\Desktop\WallPaper

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Document.doc.scr

Avira: detected

Multi AV Scanner detection for submitted file

Source: Document.doc.scr	ReversingLabs: Detection: 71%
Source: Document.doc.scr	Virustotal: Detection: 78%			Perma Link

Machine Learning detection for sample

Source: Document.doc.scr

Joe Sandbox ML: detected

Source: Document.doc.scr

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\Videos\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\Searches\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\Saved Games\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\Recent\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\Pictures\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\Pictures\Saved Pictures\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\Pictures\Camera Roll\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\OneDrive\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\Music\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\Links\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\Favorites\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\Favorites\Links\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\Downloads\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\Documents\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\Documents\ZGGKNSUKOP\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\Documents\UNKRLCVOHV\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\Documents\NYMMPCEIMA\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\Documents\NVWZAPQSQL\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\Documents\JDDHMPCDUJ\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\Documents\HMPPSXQPQV\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\Documents\GRXZDKKVDB\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\Documents\EOWRVPQCCS\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\Documents\EFOYFBOLXA\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\Desktop\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\Desktop\ZGGKNSUKOP\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\Desktop\UNKRLCVOHV\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\Desktop\NYMMPCEIMA\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\Desktop\NVWZAPQSQL\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\Desktop\JDDHMPCDUJ\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\Desktop\HMPPSXQPQV\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\Desktop\GRXZDKKVDB\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\Desktop\EOWRVPQCCS\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\Desktop\EFOYFBOLXA\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\Contacts\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Roaming\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Roaming\Mozilla\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\to-be-removed\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\temporary\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.files\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\3561288849sdhlie.files\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\2918063365piupsah.files\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.files\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.files\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.files\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionstore-backups\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\security_state\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\saved-telemetry-pings\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\minidumps\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\glean\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\glean\tmp\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\glean\pending_pings\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\glean\events\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\glean\db\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\archived\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\archived\2023-10\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\events\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\bookmarkbackups\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Pending Pings\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Crash Reports\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Crash Reports\events\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Roaming\Mozilla\Extensions\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Roaming\com.adobe.dunamis\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Roaming\com.adobe.dunamis\f2eb6c79-671d-4de2-b7be-3b2eea7abc47\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Roaming\com.adobe.dunamis\6d9d9777-7ded-4768-8191-9a707d72b009\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Roaming\com.adobe.dunamis\61f56613-c62c-4b17-84dd-62b60d5776aa\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Roaming\com.adobe.dunamis\56079431-ea46-4833-94f9-1ff5658cdb1c\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Roaming\Adobe\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Roaming\Adobe\Sonar\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Roaming\Adobe\Sonar\SonarCC\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Roaming\Adobe\RTTransfer\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Roaming\Adobe\LogTransport2CC\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Roaming\Adobe\LogTransport2\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Roaming\Adobe\Linguistics\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Roaming\Adobe\Headlights\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Roaming\Adobe\Flash Player\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Roaming\Adobe\Flash Player\NativeCache\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Roaming\Adobe\CRLogs\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Roaming\Adobe\CRLogs\crashlogs\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Roaming\Adobe\Acrobat\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Roaming\Adobe\Acrobat\Preflight Acrobat Continuous\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\Security\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\JSCache\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\Forms\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\Collab\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\LocalLow\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\LocalLow\Adobe\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\LocalLow\Adobe\Linguistics\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cookie\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\VideoDecodeStats\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\shared_proto_db\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\shared_proto_db\metadata\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\wasm\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\wasm\index-dir\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\index-dir\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Cache\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Cache\Cache_Data\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\blob_storage\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\blob_storage\dd432c4a-ba38-4070-9985-ed1b3bea85dc\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\LocalLow\Adobe\Acrobat\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\assets\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\Acrobat\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\Acrobat\DesktopNotification\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\Acrobat\DesktopNotification\NotificationsDB\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\VirtualStore\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Temp\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Temp\Symbols\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Temp\msedge_url_fetcher_5172_761252224\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Temp\msedge_url_fetcher_5172_1791500899\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Temp\msedge_url_fetcher_2640_817343797\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Temp\mozilla-temp-files\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Temp\Low\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Temp\edge_BITS_6440_995017740\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Temp\edge_BITS_6440_778675694\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Temp\edge_BITS_6440_736602331\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Temp\edge_BITS_6440_649288342\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Temp\edge_BITS_6440_339006160\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Temp\edge_BITS_6440_27162369\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Temp\edge_BITS_6440_1988346647\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Temp\edge_BITS_6440_1959985254\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Temp\edge_BITS_6440_1807723660\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Temp\edge_BITS_6440_1693012001\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Temp\edge_BITS_6440_1635976352\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Temp\edge_BITS_6440_1619438387\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Temp\edge_BITS_6440_1485273224\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Temp\edge_BITS_6440_1421574262\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Temp\edge_BITS_6440_1318414972\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Temp\edge_BITS_6440_1289371347\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Temp\edge_BITS_6440_1234978473\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Temp\edge_BITS_6440_1191663050\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Temp\edge_BITS_6440_1090636871\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Temp\Diagnostics\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Temp\Diagnostics\EXCEL\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\Acrobat\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\Acrobat\DC\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\Acrobat\DC\SearchEmbdIndex\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Temp\acrocef_low\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Temp\acrobat_sbx\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Temp\acrobat_sbx\Adobe\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Temp\acrobat_sbx\Adobe\Acrobat\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Temp\acrobat_sbx\Adobe\Acrobat\DC\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\SolidDocuments\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\SolidDocuments\Acrobat\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Publishers\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Publishers\8wekyb3d8bbwe\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Publishers\8wekyb3d8bbwe\SettingsContainer\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Publishers\8wekyb3d8bbwe\Microsoft.WindowsAlarms\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Publishers\8wekyb3d8bbwe\Licenses\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Publishers\8wekyb3d8bbwe\Fonts\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\PlaceholderTileLogoFolder\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\PeerDistRepub\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\windows_ie_ac_001\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\windows_ie_ac_001\AC\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\windows_ie_ac_001\AC\Temp\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\TempState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\SystemAppData\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\Settings\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\RoamingState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\LocalState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\LocalCache\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\AppData\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\AC\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\AC\Temp\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\TempState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\SystemAppData\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\Settings\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\RoamingState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalCache\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\AppData\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\AC\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Windows.CBSPreview_cw5n1h2txyewy\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Windows.CBSPreview_cw5n1h2txyewy\TempState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Windows.CBSPreview_cw5n1h2txyewy\SystemAppData\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Windows.CBSPreview_cw5n1h2txyewy\Settings\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Windows.CBSPreview_cw5n1h2txyewy\RoamingState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Windows.CBSPreview_cw5n1h2txyewy\LocalState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Windows.CBSPreview_cw5n1h2txyewy\LocalCache\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Windows.CBSPreview_cw5n1h2txyewy\AppData\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Windows.CBSPreview_cw5n1h2txyewy\AC\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Windows.CBSPreview_cw5n1h2txyewy\AC\Temp\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\TempState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\SystemAppData\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\Settings\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\RoamingState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\LocalState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\LocalCache\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\AppData\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\AC\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\AC\Temp\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\TempState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\SystemAppData\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\Settings\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\RoamingState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\LocalState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\LocalCache\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\AppData\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\AC\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\AC\Temp\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SystemAppData\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\Settings\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\RoamingState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalCache\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AppData\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Temp\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\TempState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\SystemAppData\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\Settings\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\RoamingState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\LocalState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\LocalCache\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\AppData\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\AC\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\AC\Temp\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\TempState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\SystemAppData\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\Settings\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\RoamingState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\LocalState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\LocalCache\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\AppData\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\AC\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\AC\Temp\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\TempState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\SystemAppData\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\Settings\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\RoamingState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\LocalState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\LocalCache\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\AppData\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\AC\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\AC\Temp\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\TempState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\SystemAppData\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\Settings\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\RoamingState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\LocalState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\LocalCache\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\AppData\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\AC\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\AC\Temp\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\TempState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\SystemAppData\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\Settings\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\RoamingState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\LocalState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\LocalCache\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\AppData\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\AC\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\AC\Temp\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\TempState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\SystemAppData\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\Settings\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\RoamingState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\LocalState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\LocalState\DiagOutputDir\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\LocalCache\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\AppData\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\AC\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\AC\Temp\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\TempState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\SystemAppData\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\Settings\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\RoamingState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\LocalState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\LocalCache\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\AppData\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\AC\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\AC\Temp\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxApp_8wekyb3d8bbwe\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxApp_8wekyb3d8bbwe\TempState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxApp_8wekyb3d8bbwe\SystemAppData\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxApp_8wekyb3d8bbwe\Settings\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxApp_8wekyb3d8bbwe\RoamingState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxApp_8wekyb3d8bbwe\LocalState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxApp_8wekyb3d8bbwe\LocalCache\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxApp_8wekyb3d8bbwe\AppData\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxApp_8wekyb3d8bbwe\AC\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxApp_8wekyb3d8bbwe\AC\Temp\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Xbox.TCUI_8wekyb3d8bbwe\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Xbox.TCUI_8wekyb3d8bbwe\TempState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Xbox.TCUI_8wekyb3d8bbwe\SystemAppData\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Xbox.TCUI_8wekyb3d8bbwe\Settings\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Xbox.TCUI_8wekyb3d8bbwe\RoamingState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Xbox.TCUI_8wekyb3d8bbwe\LocalState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Xbox.TCUI_8wekyb3d8bbwe\LocalCache\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Xbox.TCUI_8wekyb3d8bbwe\AppData\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Xbox.TCUI_8wekyb3d8bbwe\AC\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Xbox.TCUI_8wekyb3d8bbwe\AC\Temp\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\TempState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\SystemAppData\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\Settings\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\RoamingState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\LocalState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\LocalCache\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\AppData\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\AC\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\AC\Temp\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\TempState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\SystemAppData\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\Settings\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\RoamingState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\LocalState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\LocalCache\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\AppData\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\AC\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\AC\Temp\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsMaps_8wekyb3d8bbwe\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsMaps_8wekyb3d8bbwe\TempState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsMaps_8wekyb3d8bbwe\SystemAppData\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsMaps_8wekyb3d8bbwe\Settings\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsMaps_8wekyb3d8bbwe\RoamingState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsMaps_8wekyb3d8bbwe\LocalState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsMaps_8wekyb3d8bbwe\LocalCache\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsMaps_8wekyb3d8bbwe\AppData\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsMaps_8wekyb3d8bbwe\AC\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsMaps_8wekyb3d8bbwe\AC\Temp\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\TempState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\SystemAppData\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\Settings\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\RoamingState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\LocalState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\LocalCache\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\AppData\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\AC\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\AC\Temp\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\TempState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\SystemAppData\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\Settings\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\RoamingState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalCache\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\AppData\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\AC\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\AC\Temp\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\AC\BackgroundTransferApi\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCamera_8wekyb3d8bbwe\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCamera_8wekyb3d8bbwe\TempState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCamera_8wekyb3d8bbwe\SystemAppData\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCamera_8wekyb3d8bbwe\Settings\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCamera_8wekyb3d8bbwe\RoamingState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCamera_8wekyb3d8bbwe\LocalState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCamera_8wekyb3d8bbwe\LocalCache\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCamera_8wekyb3d8bbwe\AppData\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCamera_8wekyb3d8bbwe\AC\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCamera_8wekyb3d8bbwe\AC\Temp\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCalculator_8wekyb3d8bbwe\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCalculator_8wekyb3d8bbwe\TempState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCalculator_8wekyb3d8bbwe\SystemAppData\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCalculator_8wekyb3d8bbwe\Settings\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCalculator_8wekyb3d8bbwe\RoamingState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCalculator_8wekyb3d8bbwe\LocalState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCalculator_8wekyb3d8bbwe\LocalCache\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCalculator_8wekyb3d8bbwe\AppData\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCalculator_8wekyb3d8bbwe\AC\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCalculator_8wekyb3d8bbwe\AC\Temp\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsAlarms_8wekyb3d8bbwe\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsAlarms_8wekyb3d8bbwe\TempState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsAlarms_8wekyb3d8bbwe\SystemAppData\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsAlarms_8wekyb3d8bbwe\Settings\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsAlarms_8wekyb3d8bbwe\RoamingState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsAlarms_8wekyb3d8bbwe\LocalState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsAlarms_8wekyb3d8bbwe\LocalCache\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsAlarms_8wekyb3d8bbwe\AppData\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsAlarms_8wekyb3d8bbwe\AC\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsAlarms_8wekyb3d8bbwe\AC\Temp\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\TempState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\SystemAppData\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\Settings\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\RoamingState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\LocalState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\LocalCache\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\AppData\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\AC\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\AC\Temp\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\SystemAppData\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\Settings\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\RoamingState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\LocalState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\LocalCache\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\AppData\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\AC\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\AC\Temp\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\TempState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\SystemAppData\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\Settings\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\RoamingState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\LocalState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\LocalCache\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\AppData\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\AC\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\AC\Temp\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\TempState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\SystemAppData\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\Settings\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\RoamingState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\LocalState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\LocalCache\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\AppData\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\AC\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\AC\Temp\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\TempState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SystemAppData\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\Settings\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\RoamingState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\LocalState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\LocalCache\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\AppData\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\AC\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\AC\Temp\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\TempState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\SystemAppData\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\Settings\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\RoamingState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\Flighting\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{99fff775-938d-4e2c-9c06-5d56107a5383}\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{2737c7bb-35fb-4b44-baf9-033ca587595d}\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{4e763a36-90d3-4d6c-9949-dd01f7e5d23f}\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{ea91a05a-d98f-4429-81a9-272df0335447}\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{de0f148a-c476-467a-b7a3-14b0bb463140}\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{880da644-c864-4aed-9e06-5b089e06c09e}\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalCache\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AppData\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AppData\Indexed DB\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AppData\CacheStorage\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Temp\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\TempState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\SystemAppData\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\Settings\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\RoamingState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\LocalState\kZd6jLIwz.README.txt	Jump to behavior

Source: Document.doc.scr

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2n source: Document.doc.scr, 00000000.00000003.2061842245.0000000001137000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2061297414.0000000001137000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: p.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: Document.doc.scr, 00000000.00000003.2061842245.0000000001137000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \\?\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: Document.doc.scr, 00000000.00000003.2061842245.0000000001137000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2061297414.0000000001137000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2059014906.0000000001137000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \\?\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error.kZd6jLIwz source: Document.doc.scr, 00000000.00000003.2061156800.0000000001238000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2062462577.0000000001238000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2068373022.0000000001238000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2067060328.0000000001238000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \\?\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: Document.doc.scr, 00000000.00000003.2061297414.0000000001154000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2061842245.0000000001154000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2059014906.0000000001154000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error.kZd6jLIwz source: Document.doc.scr, 00000000.00000003.2061156800.0000000001238000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2062462577.0000000001238000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\* source: Document.doc.scr, 00000000.00000003.2064531991.000000000111C000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2059520677.000000000111C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \Device\HarddiskVolume3\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ownload.errorIwz+ source: Document.doc.scr, 00000000.00000003.2074121235.0000000001134000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2061842245.0000000001137000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2061297414.0000000001137000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2067461982.0000000001137000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2067956854.0000000001137000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2069566644.0000000001137000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error.kZd6jLIwzg source: Document.doc.scr, 00000000.00000003.2061156800.0000000001238000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2062462577.0000000001238000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2068373022.0000000001238000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2067060328.0000000001238000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\*# source: Document.doc.scr, 00000000.00000003.2061297414.0000000001154000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \\?\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\kZd6jLIwz.README.txt`/ source: Document.doc.scr, 00000000.00000003.2061297414.0000000001154000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2061842245.0000000001154000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2059014906.0000000001154000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \\?\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: Document.doc.scr, 00000000.00000003.2064531991.000000000111C000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2068087626.000000000111C000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2068615252.000000000111C000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2069566644.000000000111C000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2059520677.000000000111C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: Document.doc.scr, 00000000.00000003.2061297414.0000000001154000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2059014906.0000000001154000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\kZd6jLIwz.README.txtb source: Document.doc.scr, 00000000.00000003.2061842245.0000000001137000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2061297414.0000000001137000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2059014906.0000000001137000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: _prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2n source: Document.doc.scr, 00000000.00000003.2067461982.0000000001137000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2067956854.0000000001137000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2069566644.0000000001137000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: Document.doc.scr, 00000000.00000003.2061297414.0000000001137000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831s source: Document.doc.scr, 00000000.00000003.2064531991.000000000111C000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2068087626.000000000111C000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2071652569.000000000111C000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2068615252.000000000111C000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2069566644.000000000111C000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2071891357.000000000111C000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2059520677.000000000111C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \\?\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\kZd6jLIwz.README.txt source: Document.doc.scr, 00000000.00000003.2061842245.0000000001137000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2061297414.0000000001137000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2067461982.0000000001137000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2067956854.0000000001137000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2069566644.0000000001137000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ice\HarddiskVolume3\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\Zd6jLIwz.README.txtz source: Document.doc.scr, 00000000.00000003.2061842245.0000000001137000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2061297414.0000000001137000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.errorzg1 source: Document.doc.scr, 00000000.00000003.2061297414.0000000001154000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2061842245.0000000001154000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \Device\HarddiskVolume3\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\Zd6jLIwz.README.txtson source: Document.doc.scr, 00000000.00000003.2074121235.0000000001134000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2075417986.0000000001134000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2077533300.0000000001137000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2061842245.0000000001137000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2061297414.0000000001137000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2067461982.0000000001137000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2067956854.0000000001137000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2076804926.0000000001134000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2074863636.0000000001134000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2069566644.0000000001137000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2076053252.0000000001136000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error.kZd6jLIwzxt source: Document.doc.scr, 00000000.00000003.2074121235.0000000001134000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2075417986.0000000001134000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2061842245.0000000001137000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2061297414.0000000001137000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2067461982.0000000001137000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2067956854.0000000001137000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2076804926.0000000001134000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2074863636.0000000001134000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2069566644.0000000001137000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2076053252.0000000001136000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \Device\HarddiskVolume3\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\Zd6jLIwz.README.txt@ source: Document.doc.scr, 00000000.00000003.2061842245.0000000001137000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2061297414.0000000001137000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \Device\HarddiskVolume3\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\Zd6jLIwz.README.txt5 source: Document.doc.scr, 00000000.00000003.2061297414.0000000001137000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2059014906.0000000001137000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \\?\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\g source: Document.doc.scr, 00000000.00000003.2061297414.0000000001154000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2061842245.0000000001154000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \\?\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: Document.doc.scr, 00000000.00000003.2061842245.0000000001137000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2061297414.0000000001137000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \\?\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\kZd6jLIwz.README.txt source: Document.doc.scr, 00000000.00000003.2061156800.0000000001238000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2062462577.0000000001238000.00000004.00000020.00020000.00000000.sdmp

Source: C:\ProgramData\D4EC.tmp	Code function: 8_2_0040227C FindFirstFileExW,		8_2_0040227C
Source: C:\ProgramData\D4EC.tmp	Code function: 8_2_0040152C FindFirstFileExW,FindClose,FindNextFileW,FindClose,		8_2_0040152C

Source: C:\Users\user\Desktop\Document.doc.scr	File opened: C:\Users\user\AppData\Local\Temp\Diagnostics\EXCEL\	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\Acrobat\	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\Acrobat\DC\	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\Acrobat\DC\SearchEmbdIndex\	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\	Jump to behavior

Source: Document.doc.scr, 00000000.00000003.2058457962.0000000001154000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://artifacts.dev.azure.com/office/_apis/symbol/symsrv/privacy-sdx.win32.bundle.js.map/e3b0c4429
Source: Document.doc.scr, 00000000.00000003.2058198747.0000000001238000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://artifacts.dev.azure.com/office/_apis/symbol/symsrv/ui.win32.js.map/d6bb35bc608af2672a5b746ba
Source: Document.doc.scr, 00000000.00000003.2058198747.0000000001238000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://clients3.google.com/generate_204
Source: Document.doc.scr, 00000000.00000003.2058198747.0000000001238000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/react-native-community/react-native-netinfo
Source: App1713921509308663900_6D1069C2-A1FE-4969-8A18-9CD73AF4AF15.log.11.dr	String found in binary or memory: https://login.windows.net
Source: Document.doc.scr, 00000000.00000003.2032462071.0000000001230000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2032462071.0000000001228000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org
Source: Document.doc.scr, 00000000.00000003.2032462071.0000000001238000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: Document.doc.scr, 00000000.00000003.2032462071.00000000011BF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefox
Source: Document.doc.scr, 00000000.00000003.2032462071.0000000001238000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL
Source: Document.doc.scr, 00000000.00000003.2061156800.0000000001238000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2092684104.0000000001154000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2019781196.0000000001156000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2119320978.0000000001154000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2103612240.0000000001154000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2122420148.0000000001137000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2123563496.0000000001154000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2035440830.0000000001137000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2020875656.0000000001154000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2128470332.0000000001137000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2097170059.0000000001154000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2096070849.0000000001154000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2094172163.0000000001154000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2033390092.0000000001126000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2033154751.0000000001137000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2106278279.0000000001154000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2128740161.0000000001137000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2122743679.0000000001154000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2096396555.0000000001154000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2119133098.0000000001137000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2128345601.0000000001137000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tox.chat/
Source: Document.doc.scr, 00000000.00000003.2032462071.0000000001230000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2032462071.0000000001228000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org
Source: Document.doc.scr, 00000000.00000003.2032462071.00000000011BF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/
Source: Document.doc.scr, 00000000.00000003.2032462071.0000000001238000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: Document.doc.scr, 00000000.00000003.2032462071.00000000011BF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/
Source: Document.doc.scr, 00000000.00000003.2032462071.0000000001238000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: Document.doc.scr, 00000000.00000003.2032462071.00000000011BF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: Document.doc.scr, 00000000.00000003.2032462071.0000000001238000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: Document.doc.scr, 00000000.00000003.2032462071.0000000001238000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: Document.doc.scr, 00000000.00000003.2032462071.0000000001238000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: Document.doc.scr, 00000000.00000003.2032462071.0000000001238000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

Spam, unwanted Advertisements and Ransom Demands

Found ransom note / readme

Source: C:\Users\user\AppData\Local\Packages\Microsoft.UI.Xaml.2.0_8wekyb3d8bbwe\kZd6jLIwz.README.txt

Dropped file: !! ALL YOUR FILES HAS BEEN ENCRYPTED !!!You can't restore them without our encryptor.Don't try to use any public tools, you could damage the encrypted files and lose them forever.To make sure our encryptor works, contact us and encrypt one file for free.Download TOX messenger: https://tox.chat/Add friend in TOX, ID: 36F186C6FDCAAC0CF122E234B5D15F3F42F73568745F251C1306D71EBCA96817770F9B9AC2E6

Jump to dropped file

Yara detected LockBit ransomware

Source: Yara match	File source: Document.doc.scr, type: SAMPLE
Source: Yara match	File source: 0.0.Document.doc.scr.d40000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2009802642.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY

Yara detected TrojanRansom

Source: Yara match

File source: Process Memory Space: Document.doc.scr PID: 6084, type: MEMORYSTR

Changes the wallpaper picture

Source: C:\Users\user\Desktop\Document.doc.scr

Key value created or modified: HKEY_CURRENT_USER\Control Panel\Desktop WallPaper C:\ProgramData\kZd6jLIwz.bmp

Jump to behavior

Modifies existing user documents (likely ransomware behavior)

Source: C:\Users\user\Desktop\Document.doc.scr	File moved: C:\Users\user\Desktop\GRXZDKKVDB.pdf	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File moved: C:\Users\user\Desktop\NVWZAPQSQL\EFOYFBOLXA.xlsx	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File moved: C:\Users\user\Desktop\KLIZUSIQEN.mp3	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File moved: C:\Users\user\Desktop\GRXZDKKVDB\QCOILOQIKC.png	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File moved: C:\Users\user\Desktop\EFOYFBOLXA\ZGGKNSUKOP.jpg	Jump to behavior

Writes many files with high entropy

Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{880da644-c864-4aed-9e06-5b089e06c09e}\Apps.ft.kZd6jLIwz entropy: 7.99649721103	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_AutoGenerated_{116229A7-9A3B-2078-DB5F-B5A20811242C}.kZd6jLIwz entropy: 7.99523188518	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\https___java_com_.kZd6jLIwz entropy: 7.99554410232	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Chrome.kZd6jLIwz entropy: 7.99573369008	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\308046B0AF4A39CB;PrivateBrowsingAUMID.kZd6jLIwz entropy: 7.99401658243	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\308046B0AF4A39CB.kZd6jLIwz entropy: 7.99566924346	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{4e763a36-90d3-4d6c-9949-dd01f7e5d23f}\settingsconversions.txt.kZd6jLIwz entropy: 7.99742769817	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\https___java_com_help.kZd6jLIwz entropy: 7.99509484272	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_AutoGenerated_{E8B84CFB-B069-BC13-F88F-170904F645E5}.kZd6jLIwz entropy: 7.99501574529	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_AutoGenerated_{E7A33582-E908-3379-5368-5999454DCD83}.kZd6jLIwz entropy: 7.9953360237	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_AutoGenerated_{DAA168DE-4306-C8BC-8C11-B596240BDDED}.kZd6jLIwz entropy: 7.99574508197	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_AutoGenerated_{C804BBA7-FA5F-CBF7-8B55-2096E5F972CB}.kZd6jLIwz entropy: 7.99534531929	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_AutoGenerated_{C1C6F8AC-40A3-0F5C-146F-65A9DC70BBB4}.kZd6jLIwz entropy: 7.99525185364	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_AutoGenerated_{BD3F924E-55FB-A1BA-9DE6-B50F9F2460AC}.kZd6jLIwz entropy: 7.99483351484	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_AutoGenerated_{BB044BFD-25B7-2FAA-22A8-6371A93E0456}.kZd6jLIwz entropy: 7.99529652587	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_AutoGenerated_{923DD477-5846-686B-A659-0FCCD73851A8}.kZd6jLIwz entropy: 7.99564666808	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_AutoGenerated_{8AA47365-B2B3-1961-69EB-F866E376B12F}.kZd6jLIwz entropy: 7.99424644168	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_AutoGenerated_{8ABD94FB-E7D6-84A6-A997-C918EDDE0AE5}.kZd6jLIwz entropy: 7.99521020045	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_AutoGenerated_{16988324-21C9-05B2-CA60-9B4EC72739D8}.kZd6jLIwz entropy: 7.99548201832	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_InternetExplorer_Default.kZd6jLIwz entropy: 7.99533203034	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_AutoGenerated_{F1118828-A0CC-5FEB-85C9-DBFFDF98434A}.kZd6jLIwz entropy: 7.99499029175	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Temp\Diagnostics\EXCEL\App1696428527628431800_6CD9E3BB-4D03-46BD-8615-75A902267162.log.kZd6jLIwz entropy: 7.99886958591	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Temp\acrobat_sbx\acroNGLLog.txt.kZd6jLIwz entropy: 7.99263829327	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Office_POWERPNT_EXE_15.kZd6jLIwz entropy: 7.99540409773	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Office_ONENOTE_EXE_15.kZd6jLIwz entropy: 7.99577592479	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Office_OUTLOOK_EXE_15.kZd6jLIwz entropy: 7.99453097905	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Office_OcPubMgr_exe_15.kZd6jLIwz entropy: 7.99568419068	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Office_MSPUB_EXE_15.kZd6jLIwz entropy: 7.99464541574	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Office_msoev_exe_15.kZd6jLIwz entropy: 7.99480104287	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Office_MSACCESS_EXE_15.kZd6jLIwz entropy: 7.99546256381	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Office_lync_exe_15.kZd6jLIwz entropy: 7.99582200782	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Office_EXCEL_EXE_15.kZd6jLIwz entropy: 7.99511059573	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Office_DATABASECOMPARE_EXE_15.kZd6jLIwz entropy: 7.99558329334	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_WindowsCalculator_8wekyb3d8bbwe!App.kZd6jLIwz entropy: 7.99478919663	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_WindowsAlarms_8wekyb3d8bbwe!App.kZd6jLIwz entropy: 7.99455623225	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_SkyDrive_Desktop.kZd6jLIwz entropy: 7.99493855377	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Office_WINWORD_EXE_15.kZd6jLIwz entropy: 7.99530224972	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Office_SPREADSHEETCOMPARE_EXE_15.kZd6jLIwz entropy: 7.99487191119	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Office_SETLANG_EXE_15.kZd6jLIwz entropy: 7.99453166118	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Windows_RemoteDesktop.kZd6jLIwz entropy: 7.9947726418	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Windows_MediaPlayer32.kZd6jLIwz entropy: 7.99462833027	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Windows_Explorer.kZd6jLIwz entropy: 7.99569910214	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Windows_ControlPanel.kZd6jLIwz entropy: 7.99535122519	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Windows_Computer.kZd6jLIwz entropy: 7.99392611384	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Windows_AdministrativeTools.kZd6jLIwz entropy: 7.99550887738	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_WindowsSoundRecorder_8wekyb3d8bbwe!App.kZd6jLIwz entropy: 7.99575224475	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_charmap_exe.kZd6jLIwz entropy: 7.99540715086	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\MSEdge.kZd6jLIwz entropy: 7.99481120989	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Windows_Shell_RunDialog.kZd6jLIwz entropy: 7.99513027448	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Windows_Photos_8wekyb3d8bbwe!App.kZd6jLIwz entropy: 7.99445572812	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_comexp_msc.kZd6jLIwz entropy: 7.99542044303	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_narrator_exe.kZd6jLIwz entropy: 7.99567743952	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_mspaint_exe.kZd6jLIwz entropy: 7.99453699242	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_msinfo32_exe.kZd6jLIwz entropy: 7.99495672881	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_msconfig_exe.kZd6jLIwz entropy: 7.99502118481	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_MdSched_exe.kZd6jLIwz entropy: 7.99465147905	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_magnify_exe.kZd6jLIwz entropy: 7.99569510728	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_iscsicpl_exe.kZd6jLIwz entropy: 7.99463264698	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_dfrgui_exe.kZd6jLIwz entropy: 7.99464874896	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_cmd_exe.kZd6jLIwz entropy: 7.99550873446	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_cleanmgr_exe.kZd6jLIwz entropy: 7.99505289123	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_osk_exe.kZd6jLIwz entropy: 7.99447542688	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_odbcad32_exe.kZd6jLIwz entropy: 7.9947430509	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_WF_msc.kZd6jLIwz entropy: 7.99544654027	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_WFS_exe.kZd6jLIwz entropy: 7.99512581065	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_SnippingTool_exe.kZd6jLIwz entropy: 7.99475432434	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_services_msc.kZd6jLIwz entropy: 7.99569765261	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_RecoveryDrive_exe.kZd6jLIwz entropy: 7.99458353054	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_quickassist_exe.kZd6jLIwz entropy: 7.99471681339	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_psr_exe.kZd6jLIwz entropy: 7.99465507322	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_printmanagement_msc.kZd6jLIwz entropy: 7.99496994215	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_notepad_exe.kZd6jLIwz entropy: 7.9947342424	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shm.kZd6jLIwz entropy: 7.99402821541	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite.kZd6jLIwz entropy: 7.99557890385	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shm.kZd6jLIwz entropy: 7.99430835507	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite.kZd6jLIwz entropy: 7.99618659133	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite-shm.kZd6jLIwz entropy: 7.99421459035	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite-shm.kZd6jLIwz entropy: 7.99391676944	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite.kZd6jLIwz entropy: 7.99647406611	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite.kZd6jLIwz entropy: 7.99608561191	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite-shm.kZd6jLIwz entropy: 7.99509943836	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shm.kZd6jLIwz entropy: 7.99401181452	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\saved-telemetry-pings\a83301c6-790b-49f3-adc7-55a855f7fe79.kZd6jLIwz entropy: 7.99742212477	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\archived\2023-10\1696426835647.a83301c6-790b-49f3-adc7-55a855f7fe79.main.jsonlz4.kZd6jLIwz entropy: 7.99154559317	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\archived\2023-10\1696426835649.b06d08be-79e8-4bfe-b6aa-988ea3d35cbd.first-shutdown.jsonlz4.kZd6jLIwz entropy: 7.99095702593	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cache2\entries\C5FD1F724F49F95970FE8CD30C20519BF4582045.kZd6jLIwz entropy: 7.99860688566	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cache2\entries\DED23BB33EA3C88FAD1C0A1CD53916E0D8C424D3.kZd6jLIwz entropy: 7.99017281948	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cache2\entries\D0F48A0632B6C451791F4257697E861961F06A6F.kZd6jLIwz entropy: 7.9955367358	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cache2\entries\E707EC8A256322E87908664A49F800B7B48E0961.kZd6jLIwz entropy: 7.99073920348	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cache2\entries\E557A7C6ADAC24EDE9B88CACC662B8A371C1931D.kZd6jLIwz entropy: 7.99673880111	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\Security\ES_session_storei.kZd6jLIwz entropy: 7.9915300862	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\first_party_sets.db.kZd6jLIwz entropy: 7.99654780243	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cache2\doomed\14645.kZd6jLIwz entropy: 7.99541544669	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\ShaderCache\index.kZd6jLIwz entropy: 7.99928197778	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1.kZd6jLIwz entropy: 7.99930631339	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\GrShaderCache\index.kZd6jLIwz entropy: 7.99924656929	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\GraphiteDawnCache\data_1.kZd6jLIwz entropy: 7.99929530778	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_1.kZd6jLIwz entropy: 7.99936441339	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\GraphiteDawnCache\index.kZd6jLIwz entropy: 7.99929728515	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\ConnectedDevicesPlatform\L.user\ActivitiesCache.db-shm.kZd6jLIwz entropy: 7.99451929938	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\LocalState\ThirdPartyNotice.html.kZd6jLIwz entropy: 7.99853102707	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}_AutoIt3_Aut2Exe_Aut2exe_x64_exe.kZd6jLIwz entropy: 7.99557202315	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}_AutoIt3_Au3Info_exe.kZd6jLIwz entropy: 7.99455051294	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{6D809377-6AF0-444B-8957-A3773F02200E}_Windows NT_Accessories_wordpad_exe.kZd6jLIwz entropy: 7.99480537174	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{6D809377-6AF0-444B-8957-A3773F02200E}_Common Files_Microsoft Shared_Ink_mip_exe.kZd6jLIwz entropy: 7.99574752423	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{6D809377-6AF0-444B-8957-A3773F02200E}_Adobe_Acrobat DC_Acrobat_Acrobat_exe.kZd6jLIwz entropy: 7.99439451392	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{6D809377-6AF0-444B-8957-A3773F02200E}_7-Zip_7zFM_exe.kZd6jLIwz entropy: 7.99502395244	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{6D809377-6AF0-444B-8957-A3773F02200E}_7-Zip_7-zip_chm.kZd6jLIwz entropy: 7.99435731417	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_WindowsPowerShell_v1_0_PowerShell_ISE_exe.kZd6jLIwz entropy: 7.99486593624	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_WindowsPowerShell_v1_0_powershell_exe.kZd6jLIwz entropy: 7.99579522223	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}_AutoIt3_Aut2Exe_Aut2exe_exe.kZd6jLIwz entropy: 7.99549903127	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}_AutoIt3_Au3Info_x64_exe.kZd6jLIwz entropy: 7.99504688679	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}_WindowsPowerShell_v1_0_powershell_exe.kZd6jLIwz entropy: 7.99528803523	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}_odbcad32_exe.kZd6jLIwz entropy: 7.99468779606	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}_AutoIt3_SciTE_SciTE_exe.kZd6jLIwz entropy: 7.99562131905	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}_AutoIt3_Extras.kZd6jLIwz entropy: 7.99487928885	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}_AutoIt3_Examples.kZd6jLIwz entropy: 7.99486688171	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}_AutoIt3_AutoIt_chm.kZd6jLIwz entropy: 7.99553413548	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}_AutoIt3_AutoItX_AutoItX_chm.kZd6jLIwz entropy: 7.99577248057	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}_AutoIt3_AutoIt3_x64_exe.kZd6jLIwz entropy: 7.99456548245	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}_AutoIt3_AutoIt3_exe.kZd6jLIwz entropy: 7.9957579802	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}_AutoIt3_AutoIt v3 Website_url.kZd6jLIwz entropy: 7.9955102908	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}_Java_jre-1_8_bin_javacpl_exe.kZd6jLIwz entropy: 7.99600337201	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AppData\Indexed DB\edbres00002.jrs.kZd6jLIwz entropy: 7.99967097263	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AppData\Indexed DB\edb.log.kZd6jLIwz entropy: 7.999638971	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AppData\Indexed DB\edbres00001.jrs.kZd6jLIwz entropy: 7.99963721654	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{F38BF404-1D43-42F2-9305-67DE0B28FC23}_regedit_exe.kZd6jLIwz entropy: 7.99536600874	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}_WindowsPowerShell_v1_0_PowerShell_ISE_exe.kZd6jLIwz entropy: 7.9958197686	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AppData\Indexed DB\edbtmp.log.kZd6jLIwz entropy: 7.99967239048	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\LocalState\PhotosAppTracing_startedInBGMode.etl.kZd6jLIwz entropy: 7.99713942466	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\LocalState\MediaDb.v1.sqlite-shm.kZd6jLIwz entropy: 7.99457451821	Jump to dropped file
Source: C:\ProgramData\D4EC.tmp	File created: C:\Users\user\Desktop\Document.doc.scr entropy: 7.99748731788	Jump to dropped file
Source: C:\ProgramData\D4EC.tmp	File created: C:\Users\user\Desktop\AAAAAAAAAAAAAAAA (copy) entropy: 7.99748731788	Jump to dropped file
Source: C:\ProgramData\D4EC.tmp	File created: C:\Users\user\Desktop\BBBBBBBBBBBBBBBB (copy) entropy: 7.99748731788	Jump to dropped file
Source: C:\ProgramData\D4EC.tmp	File created: C:\Users\user\Desktop\CCCCCCCCCCCCCCCC (copy) entropy: 7.99748731788	Jump to dropped file
Source: C:\ProgramData\D4EC.tmp	File created: C:\Users\user\Desktop\DDDDDDDDDDDDDDDD (copy) entropy: 7.99748731788	Jump to dropped file
Source: C:\ProgramData\D4EC.tmp	File created: C:\Users\user\Desktop\EEEEEEEEEEEEEEEE (copy) entropy: 7.99748731788	Jump to dropped file
Source: C:\ProgramData\D4EC.tmp	File created: C:\Users\user\Desktop\FFFFFFFFFFFFFFFF (copy) entropy: 7.99748731788	Jump to dropped file
Source: C:\ProgramData\D4EC.tmp	File created: C:\Users\user\Desktop\GGGGGGGGGGGGGGGG (copy) entropy: 7.99748731788	Jump to dropped file
Source: C:\ProgramData\D4EC.tmp	File created: C:\Users\user\Desktop\HHHHHHHHHHHHHHHH (copy) entropy: 7.99748731788	Jump to dropped file
Source: C:\ProgramData\D4EC.tmp	File created: C:\Users\user\Desktop\IIIIIIIIIIIIIIII (copy) entropy: 7.99748731788	Jump to dropped file
Source: C:\ProgramData\D4EC.tmp	File created: C:\Users\user\Desktop\JJJJJJJJJJJJJJJJ (copy) entropy: 7.99748731788	Jump to dropped file
Source: C:\ProgramData\D4EC.tmp	File created: C:\Users\user\Desktop\KKKKKKKKKKKKKKKK (copy) entropy: 7.99748731788	Jump to dropped file
Source: C:\ProgramData\D4EC.tmp	File created: C:\Users\user\Desktop\LLLLLLLLLLLLLLLL (copy) entropy: 7.99748731788	Jump to dropped file
Source: C:\ProgramData\D4EC.tmp	File created: C:\Users\user\Desktop\MMMMMMMMMMMMMMMM (copy) entropy: 7.99748731788	Jump to dropped file
Source: C:\ProgramData\D4EC.tmp	File created: C:\Users\user\Desktop\NNNNNNNNNNNNNNNN (copy) entropy: 7.99748731788	Jump to dropped file
Source: C:\ProgramData\D4EC.tmp	File created: C:\Users\user\Desktop\OOOOOOOOOOOOOOOO (copy) entropy: 7.99748731788	Jump to dropped file
Source: C:\ProgramData\D4EC.tmp	File created: C:\Users\user\Desktop\PPPPPPPPPPPPPPPP (copy) entropy: 7.99748731788	Jump to dropped file
Source: C:\ProgramData\D4EC.tmp	File created: C:\Users\user\Desktop\QQQQQQQQQQQQQQQQ (copy) entropy: 7.99748731788	Jump to dropped file
Source: C:\ProgramData\D4EC.tmp	File created: C:\Users\user\Desktop\RRRRRRRRRRRRRRRR (copy) entropy: 7.99748731788	Jump to dropped file
Source: C:\ProgramData\D4EC.tmp	File created: C:\Users\user\Desktop\SSSSSSSSSSSSSSSS (copy) entropy: 7.99748731788	Jump to dropped file
Source: C:\ProgramData\D4EC.tmp	File created: C:\Users\user\Desktop\TTTTTTTTTTTTTTTT (copy) entropy: 7.99748731788	Jump to dropped file
Source: C:\ProgramData\D4EC.tmp	File created: C:\Users\user\Desktop\UUUUUUUUUUUUUUUU (copy) entropy: 7.99748731788	Jump to dropped file
Source: C:\ProgramData\D4EC.tmp	File created: C:\Users\user\Desktop\VVVVVVVVVVVVVVVV (copy) entropy: 7.99748731788	Jump to dropped file
Source: C:\ProgramData\D4EC.tmp	File created: C:\Users\user\Desktop\WWWWWWWWWWWWWWWW (copy) entropy: 7.99748731788	Jump to dropped file
Source: C:\ProgramData\D4EC.tmp	File created: C:\Users\user\Desktop\XXXXXXXXXXXXXXXX (copy) entropy: 7.99748731788	Jump to dropped file
Source: C:\ProgramData\D4EC.tmp	File created: C:\Users\user\Desktop\YYYYYYYYYYYYYYYY (copy) entropy: 7.99748731788	Jump to dropped file
Source: C:\ProgramData\D4EC.tmp	File created: C:\Users\user\Desktop\ZZZZZZZZZZZZZZZZ (copy) entropy: 7.99748731788	Jump to dropped file

System Summary

Malicious sample detected (through community Yara rule)

Source: Document.doc.scr, type: SAMPLE	Matched rule: Windows_Ransomware_Lockbit_369e1e94 Author: unknown
Source: 0.0.Document.doc.scr.d40000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Lockbit_369e1e94 Author: unknown
Source: 00000000.00000000.2009802642.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Lockbit_369e1e94 Author: unknown

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: Document.doc.scr

Source: C:\ProgramData\D4EC.tmp	Code function: 8_2_00402760 CreateFileW,ReadFile,NtClose,	8_2_00402760
Source: C:\ProgramData\D4EC.tmp	Code function: 8_2_0040286C NtSetInformationProcess,NtSetInformationProcess,NtSetInformationProcess,	8_2_0040286C
Source: C:\ProgramData\D4EC.tmp	Code function: 8_2_00402F18 CreateFileW,NtAllocateVirtualMemory,WriteFile,SetFilePointerEx,SetFilePointerEx,NtFreeVirtualMemory,NtClose,DeleteFileW,	8_2_00402F18
Source: C:\ProgramData\D4EC.tmp	Code function: 8_2_00401DC2 NtProtectVirtualMemory,	8_2_00401DC2
Source: C:\ProgramData\D4EC.tmp	Code function: 8_2_00401D94 NtSetInformationThread,	8_2_00401D94
Source: C:\ProgramData\D4EC.tmp	Code function: 8_2_004016B4 NtAllocateVirtualMemory,NtAllocateVirtualMemory,	8_2_004016B4

Source: C:\Windows\splwow64.exe

File created: C:\Windows\system32\spool\PRINTERS\00002.SPL

Source: C:\Users\user\Desktop\Document.doc.scr

Process token adjusted: Security

Source: Document.doc.scr

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Document.doc.scr, type: SAMPLE	Matched rule: Windows_Ransomware_Lockbit_369e1e94 reference_sample = d61af007f6c792b8fb6c677143b7d0e2533394e28c50737588e40da475c040ee, os = windows, severity = x86, creation_date = 2022-07-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Lockbit, fingerprint = 9cf4c112c0ee708ae64052926681e8351f1ccefeb558c41e875dbd9e4bdcb5f2, id = 369e1e94-3fbb-4828-bb78-89d26e008105, last_modified = 2022-07-18
Source: 0.0.Document.doc.scr.d40000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Lockbit_369e1e94 reference_sample = d61af007f6c792b8fb6c677143b7d0e2533394e28c50737588e40da475c040ee, os = windows, severity = x86, creation_date = 2022-07-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Lockbit, fingerprint = 9cf4c112c0ee708ae64052926681e8351f1ccefeb558c41e875dbd9e4bdcb5f2, id = 369e1e94-3fbb-4828-bb78-89d26e008105, last_modified = 2022-07-18
Source: 00000000.00000000.2009802642.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Lockbit_369e1e94 reference_sample = d61af007f6c792b8fb6c677143b7d0e2533394e28c50737588e40da475c040ee, os = windows, severity = x86, creation_date = 2022-07-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Lockbit, fingerprint = 9cf4c112c0ee708ae64052926681e8351f1ccefeb558c41e875dbd9e4bdcb5f2, id = 369e1e94-3fbb-4828-bb78-89d26e008105, last_modified = 2022-07-18

Source: classification engine

Classification label: mal100.rans.phis.spyw.evad.winSCR@9/1690@0/0

Source: C:\Users\user\Desktop\Document.doc.scr

File created: C:\Users\kZd6jLIwz.README.txt

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2516:120:WilError_03
Source: C:\ProgramData\D4EC.tmp	Mutant created: \Sessions\1\BaseNamedObjects\Global\{649F4E29-16CB-DD42-8922-9FFF0592856B}
Source: C:\Users\user\Desktop\Document.doc.scr	Mutant created: \Sessions\1\BaseNamedObjects\Global\559f5d4bd4c12afc7974358d21edb1f1

Source: C:\Users\user\Desktop\Document.doc.scr

File created: C:\Users\user\AppData\Local\Temp\kZd6jLIwz.README.txt

Jump to behavior

Source: C:\Windows\splwow64.exe

File read: C:\Windows\System32\DriverStore\FileRepository\prnms006.inf_amd64_c3bdcb6fc975b614\SendToOneNote-manifest.ini

Source: C:\Users\user\Desktop\Document.doc.scr

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Document.doc.scr	ReversingLabs: Detection: 71%
Source: Document.doc.scr	Virustotal: Detection: 78%

Source: unknown	Process created: C:\Users\user\Desktop\Document.doc.scr "C:\Users\user\Desktop\Document.doc.scr" /S
Source: C:\Users\user\Desktop\Document.doc.scr	Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288
Source: C:\Users\user\Desktop\Document.doc.scr	Process created: C:\ProgramData\D4EC.tmp "C:\ProgramData\D4EC.tmp"
Source: C:\ProgramData\D4EC.tmp	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\D4EC.tmp >> NUL
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE /insertdoc "C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\{082B68BB-AD41-4487-9321-7D0501AE003B}.xps" 133583950932070000
Source: C:\Users\user\Desktop\Document.doc.scr	Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	Process created: C:\ProgramData\D4EC.tmp "C:\ProgramData\D4EC.tmp"	Jump to behavior
Source: C:\ProgramData\D4EC.tmp	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\D4EC.tmp >> NUL

Source: C:\Users\user\Desktop\Document.doc.scr	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	Section loaded: activeds.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	Section loaded: adsldpc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	Section loaded: gpedit.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	Section loaded: dssec.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	Section loaded: dsuiext.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	Section loaded: ntdsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	Section loaded: authz.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	Section loaded: adsldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	Section loaded: mscms.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	Section loaded: coloradapterclient.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	Section loaded: textshaping.dll	Jump to behavior
Source: C:\ProgramData\D4EC.tmp	Section loaded: apphelp.dll
Source: C:\ProgramData\D4EC.tmp	Section loaded: rstrtmgr.dll
Source: C:\ProgramData\D4EC.tmp	Section loaded: ncrypt.dll
Source: C:\ProgramData\D4EC.tmp	Section loaded: ntasn1.dll
Source: C:\ProgramData\D4EC.tmp	Section loaded: windows.storage.dll
Source: C:\ProgramData\D4EC.tmp	Section loaded: wldp.dll
Source: C:\ProgramData\D4EC.tmp	Section loaded: kernel.appcore.dll
Source: C:\ProgramData\D4EC.tmp	Section loaded: uxtheme.dll
Source: C:\ProgramData\D4EC.tmp	Section loaded: propsys.dll
Source: C:\ProgramData\D4EC.tmp	Section loaded: profapi.dll
Source: C:\ProgramData\D4EC.tmp	Section loaded: edputil.dll
Source: C:\ProgramData\D4EC.tmp	Section loaded: urlmon.dll
Source: C:\ProgramData\D4EC.tmp	Section loaded: iertutil.dll
Source: C:\ProgramData\D4EC.tmp	Section loaded: srvcli.dll
Source: C:\ProgramData\D4EC.tmp	Section loaded: netutils.dll
Source: C:\ProgramData\D4EC.tmp	Section loaded: windows.staterepositoryps.dll
Source: C:\ProgramData\D4EC.tmp	Section loaded: sspicli.dll
Source: C:\ProgramData\D4EC.tmp	Section loaded: wintypes.dll
Source: C:\ProgramData\D4EC.tmp	Section loaded: appresolver.dll
Source: C:\ProgramData\D4EC.tmp	Section loaded: bcp47langs.dll
Source: C:\ProgramData\D4EC.tmp	Section loaded: slc.dll
Source: C:\ProgramData\D4EC.tmp	Section loaded: userenv.dll
Source: C:\ProgramData\D4EC.tmp	Section loaded: sppc.dll
Source: C:\ProgramData\D4EC.tmp	Section loaded: onecorecommonproxystub.dll
Source: C:\ProgramData\D4EC.tmp	Section loaded: onecoreuapcommonproxystub.dll

Source: C:\Users\user\Desktop\Document.doc.scr

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CB8555CC-9128-11D1-AD9B-00C04FD8FDFF}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\Document.doc.scr

File written: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\desktop.ini

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common

Source: Document.doc.scr

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: Document.doc.scr

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2n source: Document.doc.scr, 00000000.00000003.2061842245.0000000001137000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2061297414.0000000001137000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: p.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: Document.doc.scr, 00000000.00000003.2061842245.0000000001137000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \\?\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: Document.doc.scr, 00000000.00000003.2061842245.0000000001137000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2061297414.0000000001137000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2059014906.0000000001137000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \\?\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error.kZd6jLIwz source: Document.doc.scr, 00000000.00000003.2061156800.0000000001238000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2062462577.0000000001238000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2068373022.0000000001238000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2067060328.0000000001238000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \\?\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: Document.doc.scr, 00000000.00000003.2061297414.0000000001154000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2061842245.0000000001154000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2059014906.0000000001154000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error.kZd6jLIwz source: Document.doc.scr, 00000000.00000003.2061156800.0000000001238000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2062462577.0000000001238000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\* source: Document.doc.scr, 00000000.00000003.2064531991.000000000111C000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2059520677.000000000111C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \Device\HarddiskVolume3\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ownload.errorIwz+ source: Document.doc.scr, 00000000.00000003.2074121235.0000000001134000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2061842245.0000000001137000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2061297414.0000000001137000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2067461982.0000000001137000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2067956854.0000000001137000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2069566644.0000000001137000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error.kZd6jLIwzg source: Document.doc.scr, 00000000.00000003.2061156800.0000000001238000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2062462577.0000000001238000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2068373022.0000000001238000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2067060328.0000000001238000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\*# source: Document.doc.scr, 00000000.00000003.2061297414.0000000001154000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \\?\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\kZd6jLIwz.README.txt`/ source: Document.doc.scr, 00000000.00000003.2061297414.0000000001154000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2061842245.0000000001154000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2059014906.0000000001154000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \\?\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: Document.doc.scr, 00000000.00000003.2064531991.000000000111C000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2068087626.000000000111C000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2068615252.000000000111C000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2069566644.000000000111C000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2059520677.000000000111C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: Document.doc.scr, 00000000.00000003.2061297414.0000000001154000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2059014906.0000000001154000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\kZd6jLIwz.README.txtb source: Document.doc.scr, 00000000.00000003.2061842245.0000000001137000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2061297414.0000000001137000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2059014906.0000000001137000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: _prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2n source: Document.doc.scr, 00000000.00000003.2067461982.0000000001137000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2067956854.0000000001137000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2069566644.0000000001137000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: Document.doc.scr, 00000000.00000003.2061297414.0000000001137000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831s source: Document.doc.scr, 00000000.00000003.2064531991.000000000111C000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2068087626.000000000111C000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2071652569.000000000111C000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2068615252.000000000111C000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2069566644.000000000111C000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2071891357.000000000111C000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2059520677.000000000111C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \\?\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\kZd6jLIwz.README.txt source: Document.doc.scr, 00000000.00000003.2061842245.0000000001137000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2061297414.0000000001137000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2067461982.0000000001137000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2067956854.0000000001137000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2069566644.0000000001137000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ice\HarddiskVolume3\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\Zd6jLIwz.README.txtz source: Document.doc.scr, 00000000.00000003.2061842245.0000000001137000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2061297414.0000000001137000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.errorzg1 source: Document.doc.scr, 00000000.00000003.2061297414.0000000001154000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2061842245.0000000001154000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \Device\HarddiskVolume3\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\Zd6jLIwz.README.txtson source: Document.doc.scr, 00000000.00000003.2074121235.0000000001134000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2075417986.0000000001134000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2077533300.0000000001137000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2061842245.0000000001137000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2061297414.0000000001137000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2067461982.0000000001137000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2067956854.0000000001137000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2076804926.0000000001134000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2074863636.0000000001134000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2069566644.0000000001137000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2076053252.0000000001136000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error.kZd6jLIwzxt source: Document.doc.scr, 00000000.00000003.2074121235.0000000001134000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2075417986.0000000001134000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2061842245.0000000001137000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2061297414.0000000001137000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2067461982.0000000001137000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2067956854.0000000001137000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2076804926.0000000001134000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2074863636.0000000001134000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2069566644.0000000001137000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2076053252.0000000001136000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \Device\HarddiskVolume3\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\Zd6jLIwz.README.txt@ source: Document.doc.scr, 00000000.00000003.2061842245.0000000001137000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2061297414.0000000001137000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \Device\HarddiskVolume3\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\Zd6jLIwz.README.txt5 source: Document.doc.scr, 00000000.00000003.2061297414.0000000001137000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2059014906.0000000001137000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \\?\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\g source: Document.doc.scr, 00000000.00000003.2061297414.0000000001154000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2061842245.0000000001154000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \\?\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: Document.doc.scr, 00000000.00000003.2061842245.0000000001137000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2061297414.0000000001137000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \\?\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\kZd6jLIwz.README.txt source: Document.doc.scr, 00000000.00000003.2061156800.0000000001238000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2062462577.0000000001238000.00000004.00000020.00020000.00000000.sdmp

Source: Document.doc.scr

Static PE information: real checksum: 0x30e46 should be: 0x36685

Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\Videos\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\Searches\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\Saved Games\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\Recent\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\Pictures\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\Pictures\Saved Pictures\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\Pictures\Camera Roll\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\OneDrive\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\Music\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\Links\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\Favorites\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\Favorites\Links\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\Downloads\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\Documents\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\Documents\ZGGKNSUKOP\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\Documents\UNKRLCVOHV\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\Documents\NYMMPCEIMA\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\Documents\NVWZAPQSQL\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\Documents\JDDHMPCDUJ\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\Documents\HMPPSXQPQV\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\Documents\GRXZDKKVDB\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\Documents\EOWRVPQCCS\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\Documents\EFOYFBOLXA\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\Desktop\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\Desktop\ZGGKNSUKOP\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\Desktop\UNKRLCVOHV\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\Desktop\NYMMPCEIMA\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\Desktop\NVWZAPQSQL\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\Desktop\JDDHMPCDUJ\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\Desktop\HMPPSXQPQV\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\Desktop\GRXZDKKVDB\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\Desktop\EOWRVPQCCS\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\Desktop\EFOYFBOLXA\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\Contacts\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Roaming\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Roaming\Mozilla\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\to-be-removed\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\temporary\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.files\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\3561288849sdhlie.files\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\2918063365piupsah.files\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.files\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.files\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.files\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionstore-backups\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\security_state\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\saved-telemetry-pings\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\minidumps\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\glean\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\glean\tmp\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\glean\pending_pings\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\glean\events\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\glean\db\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\archived\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\archived\2023-10\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\events\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\bookmarkbackups\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Pending Pings\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Crash Reports\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Crash Reports\events\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Roaming\Mozilla\Extensions\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Roaming\com.adobe.dunamis\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Roaming\com.adobe.dunamis\f2eb6c79-671d-4de2-b7be-3b2eea7abc47\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Roaming\com.adobe.dunamis\6d9d9777-7ded-4768-8191-9a707d72b009\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Roaming\com.adobe.dunamis\61f56613-c62c-4b17-84dd-62b60d5776aa\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Roaming\com.adobe.dunamis\56079431-ea46-4833-94f9-1ff5658cdb1c\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Roaming\Adobe\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Roaming\Adobe\Sonar\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Roaming\Adobe\Sonar\SonarCC\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Roaming\Adobe\RTTransfer\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Roaming\Adobe\LogTransport2CC\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Roaming\Adobe\LogTransport2\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Roaming\Adobe\Linguistics\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Roaming\Adobe\Headlights\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Roaming\Adobe\Flash Player\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Roaming\Adobe\Flash Player\NativeCache\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Roaming\Adobe\CRLogs\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Roaming\Adobe\CRLogs\crashlogs\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Roaming\Adobe\Acrobat\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Roaming\Adobe\Acrobat\Preflight Acrobat Continuous\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\Security\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\JSCache\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\Forms\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\Collab\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\LocalLow\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\LocalLow\Adobe\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\LocalLow\Adobe\Linguistics\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cookie\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\VideoDecodeStats\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\shared_proto_db\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\shared_proto_db\metadata\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\wasm\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\wasm\index-dir\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\index-dir\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Cache\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Cache\Cache_Data\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\blob_storage\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\blob_storage\dd432c4a-ba38-4070-9985-ed1b3bea85dc\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\LocalLow\Adobe\Acrobat\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\assets\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\Acrobat\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\Acrobat\DesktopNotification\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\Acrobat\DesktopNotification\NotificationsDB\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\VirtualStore\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Temp\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Temp\Symbols\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Temp\msedge_url_fetcher_5172_761252224\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Temp\msedge_url_fetcher_5172_1791500899\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Temp\msedge_url_fetcher_2640_817343797\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Temp\mozilla-temp-files\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Temp\Low\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Temp\edge_BITS_6440_995017740\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Temp\edge_BITS_6440_778675694\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Temp\edge_BITS_6440_736602331\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Temp\edge_BITS_6440_649288342\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Temp\edge_BITS_6440_339006160\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Temp\edge_BITS_6440_27162369\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Temp\edge_BITS_6440_1988346647\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Temp\edge_BITS_6440_1959985254\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Temp\edge_BITS_6440_1807723660\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Temp\edge_BITS_6440_1693012001\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Temp\edge_BITS_6440_1635976352\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Temp\edge_BITS_6440_1619438387\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Temp\edge_BITS_6440_1485273224\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Temp\edge_BITS_6440_1421574262\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Temp\edge_BITS_6440_1318414972\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Temp\edge_BITS_6440_1289371347\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Temp\edge_BITS_6440_1234978473\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Temp\edge_BITS_6440_1191663050\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Temp\edge_BITS_6440_1090636871\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Temp\Diagnostics\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Temp\Diagnostics\EXCEL\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\Acrobat\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\Acrobat\DC\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\Acrobat\DC\SearchEmbdIndex\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Temp\acrocef_low\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Temp\acrobat_sbx\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Temp\acrobat_sbx\Adobe\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Temp\acrobat_sbx\Adobe\Acrobat\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Temp\acrobat_sbx\Adobe\Acrobat\DC\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\SolidDocuments\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\SolidDocuments\Acrobat\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Publishers\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Publishers\8wekyb3d8bbwe\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Publishers\8wekyb3d8bbwe\SettingsContainer\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Publishers\8wekyb3d8bbwe\Microsoft.WindowsAlarms\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Publishers\8wekyb3d8bbwe\Licenses\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Publishers\8wekyb3d8bbwe\Fonts\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\PlaceholderTileLogoFolder\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\PeerDistRepub\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\windows_ie_ac_001\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\windows_ie_ac_001\AC\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\windows_ie_ac_001\AC\Temp\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\TempState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\SystemAppData\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\Settings\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\RoamingState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\LocalState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\LocalCache\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\AppData\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\AC\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\AC\Temp\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\TempState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\SystemAppData\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\Settings\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\RoamingState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalCache\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\AppData\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\AC\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Windows.CBSPreview_cw5n1h2txyewy\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Windows.CBSPreview_cw5n1h2txyewy\TempState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Windows.CBSPreview_cw5n1h2txyewy\SystemAppData\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Windows.CBSPreview_cw5n1h2txyewy\Settings\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Windows.CBSPreview_cw5n1h2txyewy\RoamingState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Windows.CBSPreview_cw5n1h2txyewy\LocalState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Windows.CBSPreview_cw5n1h2txyewy\LocalCache\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Windows.CBSPreview_cw5n1h2txyewy\AppData\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Windows.CBSPreview_cw5n1h2txyewy\AC\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Windows.CBSPreview_cw5n1h2txyewy\AC\Temp\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\TempState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\SystemAppData\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\Settings\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\RoamingState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\LocalState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\LocalCache\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\AppData\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\AC\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\AC\Temp\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\TempState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\SystemAppData\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\Settings\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\RoamingState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\LocalState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\LocalCache\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\AppData\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\AC\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\AC\Temp\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SystemAppData\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\Settings\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\RoamingState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalCache\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AppData\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Temp\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\TempState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\SystemAppData\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\Settings\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\RoamingState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\LocalState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\LocalCache\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\AppData\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\AC\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\AC\Temp\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\TempState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\SystemAppData\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\Settings\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\RoamingState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\LocalState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\LocalCache\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\AppData\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\AC\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\AC\Temp\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\TempState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\SystemAppData\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\Settings\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\RoamingState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\LocalState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\LocalCache\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\AppData\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\AC\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\AC\Temp\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\TempState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\SystemAppData\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\Settings\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\RoamingState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\LocalState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\LocalCache\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\AppData\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\AC\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\AC\Temp\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\TempState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\SystemAppData\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\Settings\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\RoamingState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\LocalState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\LocalCache\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\AppData\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\AC\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\AC\Temp\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\TempState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\SystemAppData\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\Settings\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\RoamingState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\LocalState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\LocalState\DiagOutputDir\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\LocalCache\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\AppData\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\AC\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\AC\Temp\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\TempState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\SystemAppData\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\Settings\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\RoamingState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\LocalState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\LocalCache\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\AppData\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\AC\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\AC\Temp\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxApp_8wekyb3d8bbwe\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxApp_8wekyb3d8bbwe\TempState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxApp_8wekyb3d8bbwe\SystemAppData\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxApp_8wekyb3d8bbwe\Settings\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxApp_8wekyb3d8bbwe\RoamingState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxApp_8wekyb3d8bbwe\LocalState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxApp_8wekyb3d8bbwe\LocalCache\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxApp_8wekyb3d8bbwe\AppData\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxApp_8wekyb3d8bbwe\AC\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxApp_8wekyb3d8bbwe\AC\Temp\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Xbox.TCUI_8wekyb3d8bbwe\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Xbox.TCUI_8wekyb3d8bbwe\TempState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Xbox.TCUI_8wekyb3d8bbwe\SystemAppData\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Xbox.TCUI_8wekyb3d8bbwe\Settings\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Xbox.TCUI_8wekyb3d8bbwe\RoamingState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Xbox.TCUI_8wekyb3d8bbwe\LocalState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Xbox.TCUI_8wekyb3d8bbwe\LocalCache\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Xbox.TCUI_8wekyb3d8bbwe\AppData\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Xbox.TCUI_8wekyb3d8bbwe\AC\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Xbox.TCUI_8wekyb3d8bbwe\AC\Temp\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\TempState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\SystemAppData\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\Settings\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\RoamingState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\LocalState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\LocalCache\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\AppData\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\AC\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\AC\Temp\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\TempState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\SystemAppData\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\Settings\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\RoamingState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\LocalState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\LocalCache\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\AppData\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\AC\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\AC\Temp\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsMaps_8wekyb3d8bbwe\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsMaps_8wekyb3d8bbwe\TempState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsMaps_8wekyb3d8bbwe\SystemAppData\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsMaps_8wekyb3d8bbwe\Settings\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsMaps_8wekyb3d8bbwe\RoamingState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsMaps_8wekyb3d8bbwe\LocalState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsMaps_8wekyb3d8bbwe\LocalCache\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsMaps_8wekyb3d8bbwe\AppData\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsMaps_8wekyb3d8bbwe\AC\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsMaps_8wekyb3d8bbwe\AC\Temp\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\TempState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\SystemAppData\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\Settings\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\RoamingState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\LocalState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\LocalCache\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\AppData\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\AC\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\AC\Temp\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\TempState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\SystemAppData\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\Settings\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\RoamingState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalCache\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\AppData\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\AC\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\AC\Temp\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\AC\BackgroundTransferApi\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCamera_8wekyb3d8bbwe\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCamera_8wekyb3d8bbwe\TempState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCamera_8wekyb3d8bbwe\SystemAppData\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCamera_8wekyb3d8bbwe\Settings\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCamera_8wekyb3d8bbwe\RoamingState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCamera_8wekyb3d8bbwe\LocalState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCamera_8wekyb3d8bbwe\LocalCache\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCamera_8wekyb3d8bbwe\AppData\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCamera_8wekyb3d8bbwe\AC\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCamera_8wekyb3d8bbwe\AC\Temp\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCalculator_8wekyb3d8bbwe\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCalculator_8wekyb3d8bbwe\TempState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCalculator_8wekyb3d8bbwe\SystemAppData\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCalculator_8wekyb3d8bbwe\Settings\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCalculator_8wekyb3d8bbwe\RoamingState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCalculator_8wekyb3d8bbwe\LocalState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCalculator_8wekyb3d8bbwe\LocalCache\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCalculator_8wekyb3d8bbwe\AppData\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCalculator_8wekyb3d8bbwe\AC\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCalculator_8wekyb3d8bbwe\AC\Temp\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsAlarms_8wekyb3d8bbwe\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsAlarms_8wekyb3d8bbwe\TempState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsAlarms_8wekyb3d8bbwe\SystemAppData\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsAlarms_8wekyb3d8bbwe\Settings\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsAlarms_8wekyb3d8bbwe\RoamingState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsAlarms_8wekyb3d8bbwe\LocalState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsAlarms_8wekyb3d8bbwe\LocalCache\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsAlarms_8wekyb3d8bbwe\AppData\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsAlarms_8wekyb3d8bbwe\AC\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsAlarms_8wekyb3d8bbwe\AC\Temp\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\TempState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\SystemAppData\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\Settings\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\RoamingState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\LocalState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\LocalCache\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\AppData\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\AC\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\AC\Temp\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\SystemAppData\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\Settings\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\RoamingState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\LocalState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\LocalCache\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\AppData\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\AC\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\AC\Temp\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\TempState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\SystemAppData\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\Settings\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\RoamingState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\LocalState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\LocalCache\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\AppData\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\AC\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\AC\Temp\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\TempState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\SystemAppData\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\Settings\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\RoamingState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\LocalState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\LocalCache\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\AppData\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\AC\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\AC\Temp\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\TempState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SystemAppData\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\Settings\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\RoamingState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\LocalState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\LocalCache\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\AppData\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\AC\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\AC\Temp\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\TempState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\SystemAppData\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\Settings\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\RoamingState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\Flighting\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{99fff775-938d-4e2c-9c06-5d56107a5383}\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{2737c7bb-35fb-4b44-baf9-033ca587595d}\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{4e763a36-90d3-4d6c-9949-dd01f7e5d23f}\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{ea91a05a-d98f-4429-81a9-272df0335447}\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{de0f148a-c476-467a-b7a3-14b0bb463140}\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{880da644-c864-4aed-9e06-5b089e06c09e}\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalCache\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AppData\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AppData\Indexed DB\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AppData\CacheStorage\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Temp\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\TempState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\SystemAppData\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\Settings\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\RoamingState\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\LocalState\kZd6jLIwz.README.txt	Jump to behavior

Hooking and other Techniques for Hiding and Protection

Deletes itself after installation

Source: C:\ProgramData\D4EC.tmp	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\D4EC.tmp >> NUL
Source: C:\ProgramData\D4EC.tmp	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\D4EC.tmp >> NUL

Uses an obfuscated file name to hide its real file extension (double extension)

Source: Possible double extension: doc.scr

Static PE information: Document.doc.scr

Source: C:\Users\user\Desktop\Document.doc.scr	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\ProgramData\D4EC.tmp	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX
Source: C:\ProgramData\D4EC.tmp	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\ProgramData\D4EC.tmp	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX
Source: C:\ProgramData\D4EC.tmp	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX
Source: C:\ProgramData\D4EC.tmp	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX
Source: C:\ProgramData\D4EC.tmp	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\ProgramData\D4EC.tmp	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX
Source: C:\ProgramData\D4EC.tmp	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX
Source: C:\ProgramData\D4EC.tmp	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX
Source: C:\ProgramData\D4EC.tmp	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX
Source: C:\ProgramData\D4EC.tmp	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX
Source: C:\ProgramData\D4EC.tmp	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX
Source: C:\ProgramData\D4EC.tmp	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX
Source: C:\ProgramData\D4EC.tmp	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX

Malware Analysis System Evasion

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Source: C:\ProgramData\D4EC.tmp

Code function: 8_2_00401E28

8_2_00401E28

Source: C:\ProgramData\D4EC.tmp

Code function: 8_2_00401E28 rdtsc

8_2_00401E28

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\ProgramData\D4EC.tmp	Code function: 8_2_0040227C FindFirstFileExW,		8_2_0040227C
Source: C:\ProgramData\D4EC.tmp	Code function: 8_2_0040152C FindFirstFileExW,FindClose,FindNextFileW,FindClose,		8_2_0040152C

Source: C:\Windows\splwow64.exe

Thread delayed: delay time: 120000

Source: C:\Users\user\Desktop\Document.doc.scr	File opened: C:\Users\user\AppData\Local\Temp\Diagnostics\EXCEL\	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\Acrobat\	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\Acrobat\DC\	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\Acrobat\DC\SearchEmbdIndex\	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\	Jump to behavior

Source: Document.doc.scr, 00000000.00000003.2132078796.00000000011A0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: hyper-v:wux:hyper-v~
Source: Document.doc.scr, 00000000.00000003.2067796880.0000000001186000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 10/04/2023 14:08:59.672EXCEL (0x145C)0x7E8Microsoft ExcelTelemetry Eventb7vzqMediumSendEvent {"EventName":"Office.System.SystemHealthMetadataDeviceConsolidated","Flags":33777031581908737,"InternalSequenceNumber":149,"Time":"2023-10-04T14:08:57.331Z","Rule":"120600.4","Contract":"Office.Legacy.Metadata","Data.ProcTypeText":"x64","Data.ProcessorCount":2,"Data.NumProcShareSingleCore":1,"Data.NumProcShareSingleCache":1,"Data.NumProcPhysCores":2,"Data.ProcSpeedMHz":2000,"Data.IsLaptop":false,"Data.IsTablet":false,"Data.RamMB":4096,"Data.PowerPlatformRole":1,"Data.SysVolSizeMB":50000,"Data.DeviceManufacturer":"VMWare, Inc.","Data.DeviceModel":"VMware20,1","Data.DigitizerInfo":0,"Data.SusClientId":"097C77FB-5D5D-4868-860B-09F4E5B50A53","Data.WindowsSqmMachineId":"92C86F7C-DB2B-4F6A-95AD-98B4A2AE008A","Data.ComputerSystemProductUuidHash":"LFm9Ltrk4S277wbAA8Obddw+Rm4=","Data.DeviceProcessorModel":"Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz","Data.HasSpectreFix":true,"Data.BootDiskType":"SSD"}
Source: Document.doc.scr, 00000000.00000003.2057593273.00000000011BE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 10/04/2023 15:50:56.369OFFICECL (0xe04)0x250Telemetry EventbiyhqMediumSendEvent {"EventName": "Office.System.SystemHealthMetadataDeviceConsolidated", "Flags": 33777031581908737, "InternalSequenceNumber": 551, "Time": "2023-10-04T13:50:46Z", "Rule": "120600.4", "AriaTenantToken": "cd836626611c4caaa8fc5b2e728ee81d-3b6d6c45-6377-4bf5-9792-dbf8e1881088-7521", "Contract": "Office.Legacy.Metadata", "Data.ProcTypeText": "x64", "Data.ProcessorCount": 2, "Data.NumProcShareSingleCore": 1, "Data.NumProcShareSingleCache": 1, "Data.NumProcPhysCores": 2, "Data.ProcSpeedMHz": 2000, "Data.IsLaptop": false, "Data.IsTablet": false, "Data.RamMB": 4096, "Data.PowerPlatformRole": 1, "Data.SysVolSizeMB": 50000, "Data.DeviceManufacturer": "VMWare, Inc.", "Data.DeviceModel": "VMware20,1", "Data.DigitizerInfo": 0, "Data.SusClientId": "097C77FB-5D5D-4868-860B-09F4E5B50A53", "Data.WindowsSqmMachineId": "92C86F7C-DB2B-4F6A-95AD-98B4A2AE008A", "Data.ComputerSystemProductUuidHash": "LFm9Ltrk4S277wbAA8Obddw+Rm4=", "Data.DeviceProcessorModel": "Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz", "Data.HasSpectreFix": true, "Data.BootDiskType": "SSD"}

Source: C:\Users\user\Desktop\Document.doc.scr

Process information queried: ProcessInformation

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\Document.doc.scr	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\ProgramData\D4EC.tmp	Thread information set: HideFromDebugger

Source: C:\ProgramData\D4EC.tmp

Code function: 8_2_00401E28 rdtsc

8_2_00401E28

Source: C:\ProgramData\D4EC.tmp

Code function: 8_2_00401474 LdrLoadDll,

8_2_00401474

Source: C:\Users\user\Desktop\Document.doc.scr	Process token adjusted: Debug
Source: C:\Users\user\Desktop\Document.doc.scr	Process token adjusted: Debug
Source: C:\Users\user\Desktop\Document.doc.scr	Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion

Writes to foreign memory regions

Source: C:\Users\user\Desktop\Document.doc.scr

Memory written: C:\ProgramData\D4EC.tmp base: 401000

Jump to behavior

Source: C:\Users\user\Desktop\Document.doc.scr	Process created: C:\ProgramData\D4EC.tmp "C:\ProgramData\D4EC.tmp"			Jump to behavior
Source: C:\ProgramData\D4EC.tmp	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\D4EC.tmp >> NUL

Source: C:\ProgramData\D4EC.tmp

Code function: 8_2_00401E28 cpuid

8_2_00401E28

Source: C:\ProgramData\D4EC.tmp

Code function: EntryPoint,ExitProcess,GetModuleHandleW,GetCommandLineW,GetModuleHandleA,GetCommandLineW,GetLocaleInfoW,GetLastError,FreeLibrary,FreeLibrary,GetProcAddress,CreateWindowExW,DefWindowProcW,GetWindowTextW,LoadMenuW,LoadMenuW,DefWindowProcW,SetTextColor,GetTextCharset,TextOutW,SetTextColor,GetTextColor,CreateFontW,GetTextColor,CreateDIBitmap,SelectObject,GetTextColor,CreateFontW,

8_2_00403983

Lowering of HIPS / PFW / Operating System Security Settings

Overwrites Mozilla Firefox settings

Source: C:\Users\user\Desktop\Document.doc.scr	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\to-be-removed\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\temporary\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.files\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\3561288849sdhlie.files\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\2918063365piupsah.files\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.files\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.files\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.files\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionstore-backups\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\security_state\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\saved-telemetry-pings\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\minidumps\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\glean\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\glean\tmp\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\glean\pending_pings\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\glean\events\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\glean\db\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\archived\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\archived\2023-10\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\events\kZd6jLIwz.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\bookmarkbackups\kZd6jLIwz.README.txt	Jump to behavior

Stealing of Sensitive Information

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\Document.doc.scr	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\glean\pending_pings\43bb9a55-74a2-452e-8233-6899a7f737b0.kZd6jLIwz	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\favicons.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\archived\2023-10\1696426840727.86be03dd-6b03-42f5-89cd-4606f43d25ad.health.jsonlz4.kZd6jLIwz	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js.kZd6jLIwz	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite-shm	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\xulstore.json.kZd6jLIwz	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\saved-telemetry-pings\3c7034d6-bc52-43bb-9a23-5da34ee205e0.kZd6jLIwz	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite.kZd6jLIwz	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite.kZd6jLIwz	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addonStartup.json.lz4.kZd6jLIwz	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\archived\2023-10\1696426835635.a669692a-f9c9-42c0-a803-7b87d3ff5834.new-profile.jsonlz4	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\glean\pending_pings\b8f053a5-de16-4a2c-8120-1ab4aadd63e8	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shm	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\targeting.snapshot.json.kZd6jLIwz	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\glean\events\events.kZd6jLIwz	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\favicons.sqlite.kZd6jLIwz	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionstore-backups\upgrade.jsonlz4-20230927232528.kZd6jLIwz	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\archived\2023-10\1696426840727.01c0ecdb-8e59-4210-95f1-0fd0406e84ad.event.jsonlz4	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\search.json.mozlz4	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shm	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\AlternateServices.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\archived\2023-10\1696426840708.3c7034d6-bc52-43bb-9a23-5da34ee205e0.health.jsonlz4	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionstore-backups\upgrade.jsonlz4-20230927232528	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\permissions.sqlite.kZd6jLIwz	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionstore-backups\previous.jsonlz4	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\content-prefs.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite-shm.kZd6jLIwz	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\ExperimentStoreData.json.kZd6jLIwz	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\archived\2023-10\1696426840727.01c0ecdb-8e59-4210-95f1-0fd0406e84ad.event.jsonlz4.kZd6jLIwz	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite-shm.kZd6jLIwz	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\saved-telemetry-pings\3c7034d6-bc52-43bb-9a23-5da34ee205e0	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionstore.jsonlz4	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\archived\2023-10\1696426835647.a83301c6-790b-49f3-adc7-55a855f7fe79.main.jsonlz4	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\times.json.kZd6jLIwz	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionCheckpoints.json.kZd6jLIwz	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-shm	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\webappsstore.sqlite-shm.kZd6jLIwz	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shm	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\session-state.json.kZd6jLIwz	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\content-prefs.sqlite.kZd6jLIwz	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\glean\events\events	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\compatibility.ini.kZd6jLIwz	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\targeting.snapshot.json	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-shm.kZd6jLIwz	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage.sqlite.kZd6jLIwz	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\extension-preferences.json.kZd6jLIwz	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\saved-telemetry-pings\a83301c6-790b-49f3-adc7-55a855f7fe79	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite-shm	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\.metadata-v2	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\state.json.kZd6jLIwz	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\AlternateServices.txt.kZd6jLIwz	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionstore-backups\previous.jsonlz4.kZd6jLIwz	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\glean\pending_pings\7755ad51-2370-4623-9d21-15c89f2143db.kZd6jLIwz	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shm.kZd6jLIwz	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite.kZd6jLIwz	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionCheckpoints.json	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite.kZd6jLIwz	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shm.kZd6jLIwz	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\ls-archive.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\containers.json.kZd6jLIwz	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db.kZd6jLIwz	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\search.json.mozlz4.kZd6jLIwz	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\favicons.sqlite-shm.kZd6jLIwz	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\saved-telemetry-pings\a83301c6-790b-49f3-adc7-55a855f7fe79.kZd6jLIwz	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\glean\events\background-update.kZd6jLIwz	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db.kZd6jLIwz	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\archived\2023-10\1696426835635.a669692a-f9c9-42c0-a803-7b87d3ff5834.new-profile.jsonlz4.kZd6jLIwz	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\containers.json	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite.kZd6jLIwz	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addons.json.kZd6jLIwz	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\handlers.json	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\extension-preferences.json	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\.metadata-v2.kZd6jLIwz	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\pkcs11.txt.kZd6jLIwz	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionstore.jsonlz4.kZd6jLIwz	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\favicons.sqlite-shm	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\pkcs11.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\ls-archive.sqlite.kZd6jLIwz	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\glean\pending_pings\43bb9a55-74a2-452e-8233-6899a7f737b0	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\archived\2023-10\1696426835649.b06d08be-79e8-4bfe-b6aa-988ea3d35cbd.first-shutdown.jsonlz4	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini.kZd6jLIwz	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite-shm.kZd6jLIwz	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\archived\2023-10\1696426835647.a83301c6-790b-49f3-adc7-55a855f7fe79.main.jsonlz4.kZd6jLIwz	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\compatibility.ini	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\archived\2023-10\1696426840748.a8c1f564-c2e2-4ef8-a85f-52a56488f193.main.jsonlz4	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\webappsstore.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite-shm.kZd6jLIwz	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\session-state.json	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\archived\2023-10\1696426835643.9a3c31ca-35e4-421e-91e1-5f7b9bd27492.event.jsonlz4.kZd6jLIwz	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\times.json	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\webappsstore.sqlite.kZd6jLIwz	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\times.json	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\glean\pending_pings\7755ad51-2370-4623-9d21-15c89f2143db	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\protections.sqlite.kZd6jLIwz	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\SiteSecurityServiceState.txt.kZd6jLIwz	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\archived\2023-10\1696426835643.9a3c31ca-35e4-421e-91e1-5f7b9bd27492.event.jsonlz4	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\archived\2023-10\1696426840727.86be03dd-6b03-42f5-89cd-4606f43d25ad.health.jsonlz4	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\archived\2023-10\1696426840708.3c7034d6-bc52-43bb-9a23-5da34ee205e0.health.jsonlz4.kZd6jLIwz	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\glean\pending_pings\b8f053a5-de16-4a2c-8120-1ab4aadd63e8.kZd6jLIwz	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shm.kZd6jLIwz	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\state.json	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\glean\pending_pings\ae04dde8-69a1-49f8-95f1-d533ed587ff6	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\xulstore.json	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addonStartup.json.lz4	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addons.json	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\permissions.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\protections.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\handlers.json.kZd6jLIwz	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\times.json.kZd6jLIwz	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\webappsstore.sqlite-shm	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\shield-preference-experiments.json	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\glean\pending_pings\ae04dde8-69a1-49f8-95f1-d533ed587ff6.kZd6jLIwz	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite.kZd6jLIwz	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite.kZd6jLIwz	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite-shm	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\glean\events\background-update	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\archived\2023-10\1696426835649.b06d08be-79e8-4bfe-b6aa-988ea3d35cbd.first-shutdown.jsonlz4.kZd6jLIwz	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\archived\2023-10\1696426840748.a8c1f564-c2e2-4ef8-a85f-52a56488f193.main.jsonlz4.kZd6jLIwz	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\shield-preference-experiments.json.kZd6jLIwz	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\ExperimentStoreData.json	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite.kZd6jLIwz	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\SiteSecurityServiceState.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite-shm	Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	111 Process Injection	111 Masquerading	1 OS Credential Dumping	211 Security Software Discovery	Remote Services	1 Browser Session Hijacking	Data Obfuscation	Exfiltration Over Other Network Medium	1 Data Encrypted for Impact
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	11 Virtualization/Sandbox Evasion	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	1 Data from Local System	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	111 Process Injection	Security Account Manager	11 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	4 File and Directory Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	122 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 File Deletion	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Document.doc.scr	71%	ReversingLabs	Win32.Ransomware.Lockbit
Document.doc.scr	79%	Virustotal		Browse
Document.doc.scr	100%	Avira	BDS/ZeroAccess.Gen7
Document.doc.scr	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
https://tox.chat/	0%	Avira URL Cloud	safe
https://tox.chat/	0%	Virustotal		Browse

Name	Source	Malicious	Antivirus Detection	Reputation
https://artifacts.dev.azure.com/office/_apis/symbol/symsrv/ui.win32.js.map/d6bb35bc608af2672a5b746ba	Document.doc.scr, 00000000.00000003.2058198747.0000000001238000.00000004.00000020.00020000.00000000.sdmp	false		high
https://artifacts.dev.azure.com/office/_apis/symbol/symsrv/privacy-sdx.win32.bundle.js.map/e3b0c4429	Document.doc.scr, 00000000.00000003.2058457962.0000000001154000.00000004.00000020.00020000.00000000.sdmp	false		high
https://tox.chat/	Document.doc.scr, 00000000.00000003.2061156800.0000000001238000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2092684104.0000000001154000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2019781196.0000000001156000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2119320978.0000000001154000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2103612240.0000000001154000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2122420148.0000000001137000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2123563496.0000000001154000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2035440830.0000000001137000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2020875656.0000000001154000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2128470332.0000000001137000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2097170059.0000000001154000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2096070849.0000000001154000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2094172163.0000000001154000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2033390092.0000000001126000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2033154751.0000000001137000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2106278279.0000000001154000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2128740161.0000000001137000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2122743679.0000000001154000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2096396555.0000000001154000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2119133098.0000000001137000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2128345601.0000000001137000.00000004.00000020.00020000.00000000.sdmp	true	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://login.windows.net	App1713921509308663900_6D1069C2-A1FE-4969-8A18-9CD73AF4AF15.log.11.dr	false		high
https://github.com/react-native-community/react-native-netinfo	Document.doc.scr, 00000000.00000003.2058198747.0000000001238000.00000004.00000020.00020000.00000000.sdmp	false		high
https://support.mozilla.org	Document.doc.scr, 00000000.00000003.2032462071.0000000001230000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr, 00000000.00000003.2032462071.0000000001228000.00000004.00000020.00020000.00000000.sdmp	false		high
https://clients3.google.com/generate_204	Document.doc.scr, 00000000.00000003.2058198747.0000000001238000.00000004.00000020.00020000.00000000.sdmp	false		high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	Document.doc.scr, 00000000.00000003.2032462071.0000000001238000.00000004.00000020.00020000.00000000.sdmp	false		high
https://support.mozilla.org/products/firefox	Document.doc.scr, 00000000.00000003.2032462071.00000000011BF000.00000004.00000020.00020000.00000000.sdmp	false		high
https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL	Document.doc.scr, 00000000.00000003.2032462071.0000000001238000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1430701
Start date and time:	2024-04-24 03:16:49 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 27s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Document.doc.scr
Detection:	MAL
Classification:	mal100.rans.phis.spyw.evad.winSCR@9/1690@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 18 Number of non-executed functions: 1
Cookbook Comments:	Found application associated with file extension: .scr

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, RuntimeBroker.exe, printfilterpipelinesvc.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.109.0.91, 52.109.0.140, 52.113.194.132, 20.190.190.194, 20.190.190.195, 40.126.62.130, 20.190.190.130, 20.190.190.193, 40.126.62.131, 20.190.190.131, 20.190.190.196, 23.40.26.94, 20.42.65.93
Excluded domains from analysis (whitelisted): onedscolprdeus20.eastus.cloudapp.azure.com, slscr.update.microsoft.com, osiprod-wus-buff-azsc-000.westus.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, ecs-office.s-0005.s-msedge.net, roaming.officeapps.live.com, wus-azsc-000.roaming.officeapps.live.com, ocsp.digicert.com, login.live.com, e16604.g.akamaiedge.net, wus-azsc-config.officeapps.live.com, officeclient.microsoft.com, prod.fs.microsoft.com.akadns.net, ecs.office.com, self-events-data.trafficmanager.net, prdv4a.aadg.msidentity.com, fs.microsoft.com, prod.configsvc1.live.com.akadns.net, us2.roaming1.live.com.akadns.net, www.tm.v4.a.prd.aadg.akadns.net, self.events.data.microsoft.com, ctldl.windowsupdate.com, prod.roaming1.live.com.akadns.net, s-0005-office.config.skype.com, login.msa.msidentity.com, fe3cr.delivery.mp.microsoft.com, s-0005.s-msedge.net, config.officeapps.live.com, us.configsvc1.live.com.akadns.net, ecs.office.trafficma
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtQueryVolumeInformationFile calls found.
Report size getting too big, too many NtReadFile calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Report size getting too big, too many NtWriteFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
03:18:12	API Interceptor	109x Sleep call for process: splwow64.exe modified

Process:	C:\Users\user\Desktop\Document.doc.scr
File Type:	data
Category:	dropped
Size (bytes):	129
Entropy (8bit):	6.516851770843267
Encrypted:	false
SSDEEP:	3:xWaxz4ePINryyrFS56ru4gkJFrXNWwnArwnF:xWu6rfIkK4gcLw/ry
MD5:	B99A6BF325A5F793534CB3615DF7EB4B
SHA1:	570E800DC7DA22ABE9B997F531853BA322447C8B
SHA-256:	AE9E1A65E45E123C42D9513F7E7C346A93597E8EBE7F644CA510FC90B85CC2C1
SHA-512:	7182DDE6D8CFFCBCB3C1C2BB09F8E894F10697EC86C5B817A1B3AF49158813D505BF09F299757B3B4C3D4B12ACB7C742B30C61179F7A2575624EE2DA10D301C8
Malicious:	false
Reputation:	low
Preview:	s.....87.F.]..Q".........v...i....G......D.r.e......r%YP....vS...."..o+.(.C(n./......7...\|....#6..6......?...q.9......=...(

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	166203
Entropy (8bit):	5.34090039139375
Encrypted:	false
SSDEEP:	1536:n+C7FPgOsB3U9guwwJQ9DQA+zqzhQik4F77nXmvYd8XRTEwreOR6g:GIQ9DQA+zqzMXeMJ
MD5:	642FDE57619F386F5706FC2117008DA0
SHA1:	62F5C8A7C912DB8CA06C9A582843D9950D8B977F
SHA-256:	228E700F9692D6BD7EFFE5739B0F58C9B675385ACF13C339457784A8A74B5C09
SHA-512:	49A0C157BA8C860B263ACFF18F930B8E432DE063ED677982B175AB04EFE7277E248612677876143D2B57B61452680C70B917C71F414EF3A1364C05D66035DE01
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2024-04-24T01:18:31">.. Build: 16.0.17609.40129-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://word-edit.officeapps.live.com/we/rrdiscovery.ashx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId" o:authentication="1">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. <o:ticket o:policy="MBI_SSL_SHORT" o:idprovider="1" o:target="[MAX.AuthHost]" o:headerValue="Passport1.4 from-PP='{}&p='" />.. <o:ticket o:idprovider="3" o:headerValue="Bearer {}" o:resourceId="[MAX.ResourceId]" o:authorityUrl="[ADALAuth

Process:	C:\ProgramData\D4EC.tmp
File Type:	data
Category:	dropped
Size (bytes):	199168
Entropy (8bit):	7.997487317877989
Encrypted:	true
SSDEEP:	3072:qbqUIEMkwhHl7rputzobqUIEMkwhHl7rputzobqUIEMkwhHl7rputzT:0IkiF7rGqIkiF7rGqIkiF7rGT
MD5:	6FEF3B299CF5F1B118871E0823209963
SHA1:	2437C2B1239346C790BBAC29E87F04A0E4DF4B8D
SHA-256:	CFEA8EDFDC9EB5274942D05E6572DF31B673B27184DDBB1789C328A9DDC3BD01
SHA-512:	B31AC0732DEFCEFE87FA2D0805BF3FD2887D49C2D5C541CBEFC33600FA3661F7656E892F9778C0BBCD38F2F8D4D4FE2156D860B55E2C4BDC4B9CA9E82305FC68
Malicious:	true
Preview:	....=.....0.o..n....D..M_y._vvY...d.$........qb.E.\..+..b.~.l\|Q..q..\|V..N...mq.!.C.....m0txt.."....0.h.!p=x._?..a1...5.r...3..y.......TO....\|c..P...6HS...Ht..3..!....,@`'.E,L.gyC..a..'...o#.....l...jK..XMg...2....J..v,.8.."..H......l..'.d...j.1......H%.^...4.mg."......hRE.{.?...........<g....Z2<..o<9.uD.:h>.n...D.8.u.b.eS....3.,..#.&I6.z.,..!...{mT.....(^lC....e.{.....L...tz1.#..B....6.%\.4=y.....,.......).h.f(.m..\|.e.j\|.2....<.."'1..q........H.7e..A........H..P4.....V~.S.g.m.}..\...x .d.o.9.?....o.....4.w..z.... .z....>.?..$.;.g....\|v..7.)R.....]....WY]k w.2\P....p.5...Q~.....g..<;.g..-.....g..g.o...7.b..:...Z<....).9E.'.l^......A.'......... ...w-.px.M.^3_J.cA.;...m...H.....p....7B...s..G..&.eX5..CD...8`<.q..D.z.z.9]d..:.N1..p.c.a.jA....y.v......[..7.2.8;..&..f...p.....b.s{....l.3Io..t..\`.'......P;y.....t.V.....Z,...4 d../......%aQ^2..'V.......K....P.f.d.^...........aw.3....f-..#.6"..T...N/u.....R.r..DKw,..........U9...../.U

Process:	C:\Windows\splwow64.exe
File Type:	Microsoft OOXML
Category:	dropped
Size (bytes):	13666543
Entropy (8bit):	7.892353289329497
Encrypted:	false
SSDEEP:	393216:snEk1Vuj5du9k+pai4xCWAOqNDZizSTn3LXReXOuUbIBpu8vE/ws3:bvHMp
MD5:	86B93B198634BE5CF3EBF328E34B5424
SHA1:	0411B43F167484186A24D2947864FEA8DA1F1781
SHA-256:	B1F17F1D2BD4F309245521BD3A94FF0FD583028AA55916C213988C96817331CD
SHA-512:	CF6E619FA39AF6BAEE0EE9F16C525CDAD2C29EF38757DF0584365CF430535692E83AD22998C057A2BB814119F6F6D6BCC33DA804B8AC6B1AD681BD58F7DA6FE8
Malicious:	false
Preview:	PK........G..X................[Content_Types].xml/[0].piece.....0..W..o.x .....e.(....Ql!..<...S^.MMw....#Nr.9....p..:..J.z..`3..DM....T.n..J..-c...3....&a#......PK....X.j...q...PK........G..X................[Content_Types].xml/[1].piece..1..0....eE$....{e.C.&..X.........H\., .....o.T..i.."...K.s..4..VW...i+.Ak.....}....\.+..O?PK..K..jb...l...PK........G..X................_rels/.rels/[0].pieceM.A..!.E.B.w...1.....9@...C!...?,].......f..4.qp.,.._^I...y?\`.....Cc.jF". .^...#g.T.A.e.c.........3.....PK...BpJl...y...PK........G..X................_rels/.rels/[1].piece..K..0....9@&.....nk/.....O3S...s....L/'.UN...'.......P....UO:....=X......B..gD...c]...[..[..3..9.9a.... .....N.PK..4...u.......PK........G..X................[Content_Types].xml/[2].piece-.A.. .F....p.u.q.&....!...m..[.n_^..kA.......>\|.......f....`........}..F..(v.6.t...0-.n.C\|@.N-.Z...PK....[Pm...{...PK........G..X............%...FixedDocumentSequence.fdseq/[0].pieceU.M..0.F..fo&.....H.`..2.....H.o..p

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	22
Entropy (8bit):	4.186704345910024
Encrypted:	false
SSDEEP:	3:otlUyn:otn
MD5:	122353F41CD064B36DDAC43F8FC590C2
SHA1:	B86E515C499C9747637FE220DF20321C5E709CEA
SHA-256:	92E6FF1A20F14A130F0C6348A5C8D39CBD2FB0F2F25C66C619CAECAD2BA7492D
SHA-512:	C9C69518CD31B295E7D2892732831585D17DD56D24EE5B46A9978F39C4D1DCE4BAD18DD82B4E6E35414D8E2A0CFEEB64E80D71D0BFFE05AF76DCC2DC77210F29
Malicious:	false
Preview:	C:\PROGRA~3\D4EC.tmp..

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.772003068492061
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Document.doc.scr
File size:	199'168 bytes
MD5:	ae811bd6440b425e6777f0ca001a9743
SHA1:	70902540ead269971e149eaff568fb17d04156af
SHA256:	86e17aa882c690ede284f3e445439dfe589d8f36e31cbc09d102305499d5c498
SHA512:	3617d8e77c221525125778cf64f2525136f7958766f5bed0fd7bfe00e7f738017d2840972acc628e4c3471b93cf6d52ccd619f49bdbbcff824c12cac8e1ea88e
SSDEEP:	3072:a6glyuxE4GsUPnliByocWepiHkZmlkQIQP6fo:a6gDBGpvEByocWeQwLAPm
TLSH:	68145B21F246A8F3C42324F52A32E53173AA9F2D1D6D180FEAB53F4A68725D32B15D47
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...e..c............................o.............@..........................P......F.....@...........@....................

Entrypoint:	0x41946f
Entrypoint Section:	.itext
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x631A9665 [Fri Sep 9 01:27:01 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	41fb8cb2943df6de998b35a9d28668e8

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1a230	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x27000	0xc160	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x34000	0xfd0	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x1a120	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1a000	0x70	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x17de8	0x17e00	cfbda2c44e51b3b0b00bcbbc767c62a2	False	0.48375122709424084	data	6.634079266913224	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext	0x19000	0x546	0x600	6f4cd57381bb5584c0a0755384d25180	False	0.251953125	data	2.9337361310958805	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x1a000	0x492	0x600	bd829aa493ecd52fe5bec776d207f206	False	0.3671875	data	3.5366359784052652	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x1b000	0xadc8	0xa000	7058dded90f7b91caeb0f8538fe66fc2	False	0.9826416015625	SysEx File -	7.9885847715103475	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x26000	0x89f	0xa00	6f11c5fa5120ac94794cd017561d1cab	False	0.8859375	data	7.3675444501797145	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x27000	0xc160	0xc200	0498258b0cc68156e1295f5d17bb63e6	False	0.22473018685567012	data	4.478609900548174	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x34000	0xfd0	0x1000	3f87e4c23650dfad0bee7da98889ba94	False	0.843505859375	GLS_BINARY_LSB_FIRST	6.738987246879603	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x271f0	0x176d	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9296314824078706
RT_ICON	0x28960	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 0	0.0973665564478035
RT_ICON	0x2cb88	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	0.13340248962655601
RT_ICON	0x2f130	0x1a68	Device independent bitmap graphic, 40 x 80 x 32, image size 0	0.16715976331360946
RT_ICON	0x30b98	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	0.20309568480300189
RT_ICON	0x31c40	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	0.2721311475409836
RT_ICON	0x325c8	0x6b8	Device independent bitmap graphic, 20 x 40 x 32, image size 0	0.34244186046511627
RT_ICON	0x32c80	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	0.41932624113475175
RT_GROUP_ICON	0x330e8	0x76	data	0.7457627118644068

DLL	Import
gdi32.dll	SetPixel, SetDCBrushColor, SelectPalette, GetTextColor, GetDeviceCaps, CreateSolidBrush
USER32.dll	DefWindowProcW, CreateMenu, EndDialog, GetDlgItem, GetKeyNameTextW, GetMessageW, GetWindowTextW, IsDlgButtonChecked, LoadImageW, LoadMenuW, DialogBoxParamW
KERNEL32.dll	SetLastError, LoadLibraryW, GetTickCount, GetLastError, GetCommandLineW, GetCommandLineA, FreeLibrary

Target ID:	0
Start time:	03:17:37
Start date:	24/04/2024
Path:	C:\Users\user\Desktop\Document.doc.scr
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Document.doc.scr" /S
Imagebase:	0xd40000
File size:	199'168 bytes
MD5 hash:	AE811BD6440B425E6777F0CA001A9743
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_LockBit_ransomware, Description: Yara detected LockBit ransomware, Source: 00000000.00000000.2009802642.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: Windows_Ransomware_Lockbit_369e1e94, Description: unknown, Source: 00000000.00000000.2009802642.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Target ID:	8
Start time:	03:18:24
Start date:	24/04/2024
Path:	C:\ProgramData\D4EC.tmp
Wow64 process (32bit):	true
Commandline:	"C:\ProgramData\D4EC.tmp"
Imagebase:	0x400000
File size:	14'336 bytes
MD5 hash:	294E9F64CB1642DD89229FFF0592856B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Target ID:	9
Start time:	03:18:25
Start date:	24/04/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\D4EC.tmp >> NUL
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Execution Coverage:	32.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	38.1%
Total number of Nodes:	160
Total number of Limit Nodes:	1

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Document.doc.scr

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\AAAAAAAAAAA (copy)

C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\BBBBBBBBBBB (copy)

C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\CCCCCCCCCCC (copy)

C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\DDDDDDDDDDD (copy)

C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\EEEEEEEEEEE (copy)

C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\FFFFFFFFFFF (copy)

C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\GGGGGGGGGGG (copy)

C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\HHHHHHHHHHH (copy)

C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\IIIIIIIIIII (copy)

C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\JJJJJJJJJJJ (copy)

C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\KKKKKKKKKKK (copy)

C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\LLLLLLLLLLL (copy)

C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\MMMMMMMMMMM (copy)

C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\NNNNNNNNNNN (copy)

C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\OOOOOOOOOOO (copy)

C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\PPPPPPPPPPP (copy)

C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\QQQQQQQQQQQ (copy)

Windows Analysis Report
Document.doc.scr

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.
Tactics:	Collection
Data Sources:	Logon Session: Logon Session Creation, Process: Process Access, Process: Process Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.
Tactics:	Impact
Data Sources:	Cloud Storage: Cloud Storage Modification, Command: Command Execution, File: File Creation, File: File Modification, Network Share: Network Share Access, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Windows
Url:	Open detailed description by Mitre