Edit tour

Windows Analysis Report
Document.doc.scr.exe

Overview

General Information

Sample name:	Document.doc.scr.exe
Analysis ID:	1431429
MD5:	50e5dec57451005668704281688ca55d
SHA1:	67dd4ac7eb8c193b39149b34d3a0d5bc21c3f200
SHA256:	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1
Tags:	exe
Infos:

Detection

LockBit ransomware, TrojanRansom

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Found ransom note / readme

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Yara detected LockBit ransomware

Yara detected TrojanRansom

Changes the wallpaper picture

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Deletes itself after installation

Found Tor onion address

Found potential ransomware demand text

Hides threads from debuggers

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Modifies existing user documents (likely ransomware behavior)

Overwrites Mozilla Firefox settings

Sample has a suspicious name (potential lure to open the executable)

Tries to harvest and steal browser information (history, passwords, etc)

Uses an obfuscated file name to hide its real file extension (double extension)

Writes many files with high entropy

Writes to foreign memory regions

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to clear windows event logs (to hide its activities)

Contains functionality to communicate with device drivers

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Enables debug privileges

Enables security privileges

PE file contains an invalid checksum

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Potentially Suspicious Desktop Background Change Via Registry

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

Document.doc.scr.exe (PID: 3720 cmdline: "C:\Users\user\Desktop\Document.doc.scr.exe" MD5: 50E5DEC57451005668704281688CA55D)

splwow64.exe (PID: 5996 cmdline: C:\Windows\splwow64.exe 12288 MD5: 77DE7761B037061C7C112FD3C5B91E73)

2172.tmp (PID: 3836 cmdline: "C:\ProgramData\2172.tmp" MD5: 294E9F64CB1642DD89229FFF0592856B)

cmd.exe (PID: 3092 cmdline: "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\2172.tmp >> NUL MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5604 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

ONENOTE.EXE (PID: 2284 cmdline: /insertdoc "C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\{EA82EC72-B970-44A4-8C1B-42CD300B85FB}.xps" 133584884697420000 MD5: 0061760D72416BCF5F2D9FA6564F0BEA)

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
Document.doc.scr.exe	JoeSecurity_LockBit_ransomware	Yara detected LockBit ransomware	Joe Security
Document.doc.scr.exe	Windows_Ransomware_Lockbit_369e1e94	unknown	unknown	0x1861d:$a2: 8B EC 53 56 57 33 C0 8B 5D 14 33 C9 33 D2 8B 75 0C 8B 7D 08 85 F6 74 33 55 8B 6D 10 8A 54 0D 00 02 D3 8A 5C 15 00 8A 54 1D 00 0x4bc:$a3: 53 51 6A 01 58 0F A2 F7 C1 00 00 00 40 0F 95 C0 84 C0 74 09 0F C7 F0 0F C7 F2 59 5B C3 6A 07 58 33 C9 0F A2 F7 C3 00 00 04 00 0F 95 C0 84 C0 74 09 0F C7 F8 0F C7 FA 59 5B C3 0F 31 8B C8 C1 C9 ...

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.2464445713.0000000000931000.00000020.00000001.01000000.00000003.sdmp	JoeSecurity_LockBit_ransomware	Yara detected LockBit ransomware	Joe Security
00000000.00000002.2464445713.0000000000931000.00000020.00000001.01000000.00000003.sdmp	Windows_Ransomware_Lockbit_369e1e94	unknown	unknown	0x1841d:$a2: 8B EC 53 56 57 33 C0 8B 5D 14 33 C9 33 D2 8B 75 0C 8B 7D 08 85 F6 74 33 55 8B 6D 10 8A 54 0D 00 02 D3 8A 5C 15 00 8A 54 1D 00 0xbc:$a3: 53 51 6A 01 58 0F A2 F7 C1 00 00 00 40 0F 95 C0 84 C0 74 09 0F C7 F0 0F C7 F2 59 5B C3 6A 07 58 33 C9 0F A2 F7 C3 00 00 04 00 0F 95 C0 84 C0 74 09 0F C7 F8 0F C7 FA 59 5B C3 0F 31 8B C8 C1 C9 ...
00000000.00000002.2466936126.000000000107B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_LockBit_ransomware	Yara detected LockBit ransomware	Joe Security
00000000.00000003.2457027491.000000000107B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_LockBit_ransomware	Yara detected LockBit ransomware	Joe Security
00000000.00000003.2463997094.000000000107B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_LockBit_ransomware	Yara detected LockBit ransomware	Joe Security
00000000.00000000.2003658828.0000000000931000.00000020.00000001.01000000.00000003.sdmp	JoeSecurity_LockBit_ransomware	Yara detected LockBit ransomware	Joe Security
00000000.00000000.2003658828.0000000000931000.00000020.00000001.01000000.00000003.sdmp	Windows_Ransomware_Lockbit_369e1e94	unknown	unknown	0x1841d:$a2: 8B EC 53 56 57 33 C0 8B 5D 14 33 C9 33 D2 8B 75 0C 8B 7D 08 85 F6 74 33 55 8B 6D 10 8A 54 0D 00 02 D3 8A 5C 15 00 8A 54 1D 00 0xbc:$a3: 53 51 6A 01 58 0F A2 F7 C1 00 00 00 40 0F 95 C0 84 C0 74 09 0F C7 F0 0F C7 F2 59 5B C3 6A 07 58 33 C9 0F A2 F7 C3 00 00 04 00 0F 95 C0 84 C0 74 09 0F C7 F8 0F C7 FA 59 5B C3 0F 31 8B C8 C1 C9 ...
00000000.00000002.2465988864.0000000000FEE000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_LockBit_ransomware	Yara detected LockBit ransomware	Joe Security
00000000.00000003.2463644830.000000000107B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_LockBit_ransomware	Yara detected LockBit ransomware	Joe Security
00000000.00000003.2457278883.000000000107B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_LockBit_ransomware	Yara detected LockBit ransomware	Joe Security
Process Memory Space: Document.doc.scr.exe PID: 3720	JoeSecurity_LockBit_ransomware	Yara detected LockBit ransomware	Joe Security
Process Memory Space: Document.doc.scr.exe PID: 3720	JoeSecurity_TrojanRansom	Yara detected TrojanRansom	Joe Security
Click to see the 7 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.Document.doc.scr.exe.930000.0.unpack	JoeSecurity_LockBit_ransomware	Yara detected LockBit ransomware	Joe Security
0.2.Document.doc.scr.exe.930000.0.unpack	Windows_Ransomware_Lockbit_369e1e94	unknown	unknown	0x1861d:$a2: 8B EC 53 56 57 33 C0 8B 5D 14 33 C9 33 D2 8B 75 0C 8B 7D 08 85 F6 74 33 55 8B 6D 10 8A 54 0D 00 02 D3 8A 5C 15 00 8A 54 1D 00 0x4bc:$a3: 53 51 6A 01 58 0F A2 F7 C1 00 00 00 40 0F 95 C0 84 C0 74 09 0F C7 F0 0F C7 F2 59 5B C3 6A 07 58 33 C9 0F A2 F7 C3 00 00 04 00 0F 95 C0 84 C0 74 09 0F C7 F8 0F C7 FA 59 5B C3 0F 31 8B C8 C1 C9 ...
0.0.Document.doc.scr.exe.930000.0.unpack	JoeSecurity_LockBit_ransomware	Yara detected LockBit ransomware	Joe Security
0.0.Document.doc.scr.exe.930000.0.unpack	Windows_Ransomware_Lockbit_369e1e94	unknown	unknown	0x1861d:$a2: 8B EC 53 56 57 33 C0 8B 5D 14 33 C9 33 D2 8B 75 0C 8B 7D 08 85 F6 74 33 55 8B 6D 10 8A 54 0D 00 02 D3 8A 5C 15 00 8A 54 1D 00 0x4bc:$a3: 53 51 6A 01 58 0F A2 F7 C1 00 00 00 40 0F 95 C0 84 C0 74 09 0F C7 F0 0F C7 F2 59 5B C3 6A 07 58 33 C9 0F A2 F7 C3 00 00 04 00 0F 95 C0 84 C0 74 09 0F C7 F8 0F C7 FA 59 5B C3 0F 31 8B C8 C1 C9 ...

Sigma Signatures

System Summary

Sigma detected: Potentially Suspicious Desktop Background Change Via Registry

Source: Registry Key set

Author: Nasreddine Bencherchali (Nextron Systems), Stephen Lincoln @slincoln-aiq (AttackIQ): Data: Details: C:\ProgramData\Qs2QSInbk.bmp, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\Document.doc.scr.exe, ProcessId: 3720, TargetObject: HKEY_CURRENT_USER\Control Panel\Desktop\WallPaper

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Document.doc.scr.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion	Avira URL Cloud: Label: malware
Source: http://lockbitapt.uz	Avira URL Cloud: Label: malware
Source: http://lockbitsupp.uz	Avira URL Cloud: Label: malware
Source: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion	Avira URL Cloud: Label: malware
Source: http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion	Avira URL Cloud: Label: malware

Multi AV Scanner detection for domain / URL

Source: http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion	Virustotal: Detection: 12%	Perma Link
Source: http://lockbitapt.uz	Virustotal: Detection: 11%	Perma Link
Source: http://lockbitsupp.uz	Virustotal: Detection: 8%	Perma Link
Source: http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion	Virustotal: Detection: 8%	Perma Link
Source: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion	Virustotal: Detection: 8%	Perma Link

Multi AV Scanner detection for submitted file

Source: Document.doc.scr.exe

Virustotal: Detection: 77%

Perma Link

Machine Learning detection for sample

Source: Document.doc.scr.exe

Joe Sandbox ML: detected

Source: Document.doc.scr.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Videos\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Searches\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Saved Games\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Recent\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Pictures\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Pictures\Saved Pictures\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Pictures\Camera Roll\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\OneDrive\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Music\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Links\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Favorites\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Favorites\Links\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Downloads\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Documents\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Documents\ZGGKNSUKOP\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Documents\UNKRLCVOHV\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Documents\QFAPOWPAFG\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Documents\NYMMPCEIMA\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Documents\NVWZAPQSQL\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Documents\LHEPQPGEWF\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Documents\JDDHMPCDUJ\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Documents\HMPPSXQPQV\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Documents\GRXZDKKVDB\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Documents\EOWRVPQCCS\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Documents\EFOYFBOLXA\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Documents\BJZFPPWAPT\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Desktop\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Desktop\ZGGKNSUKOP\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Desktop\UNKRLCVOHV\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Desktop\QFAPOWPAFG\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Desktop\NYMMPCEIMA\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Desktop\NVWZAPQSQL\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Desktop\LHEPQPGEWF\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Desktop\JDDHMPCDUJ\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Desktop\HMPPSXQPQV\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Desktop\GRXZDKKVDB\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Desktop\EOWRVPQCCS\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Desktop\EFOYFBOLXA\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Desktop\BJZFPPWAPT\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Contacts\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\to-be-removed\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\temporary\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.files\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\3561288849sdhlie.files\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\2918063365piupsah.files\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.files\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.files\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.files\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionstore-backups\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\security_state\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\saved-telemetry-pings\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\minidumps\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\glean\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\glean\tmp\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\glean\pending_pings\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\glean\events\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\glean\db\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\archived\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\archived\2023-10\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\events\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\bookmarkbackups\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Pending Pings\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Crash Reports\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Crash Reports\events\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Extensions\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\com.adobe.dunamis\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\com.adobe.dunamis\f2eb6c79-671d-4de2-b7be-3b2eea7abc47\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\com.adobe.dunamis\6d9d9777-7ded-4768-8191-9a707d72b009\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\com.adobe.dunamis\61f56613-c62c-4b17-84dd-62b60d5776aa\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\com.adobe.dunamis\56079431-ea46-4833-94f9-1ff5658cdb1c\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Adobe\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Adobe\Sonar\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Adobe\Sonar\SonarCC\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Adobe\RTTransfer\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Adobe\LogTransport2CC\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Adobe\LogTransport2\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Adobe\Linguistics\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Adobe\Headlights\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Adobe\Flash Player\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Adobe\Flash Player\NativeCache\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Adobe\CRLogs\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Adobe\CRLogs\crashlogs\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Adobe\Acrobat\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Adobe\Acrobat\Preflight Acrobat Continuous\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\Security\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\JSCache\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\Forms\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\Collab\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\LocalLow\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\Linguistics\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cookie\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\VideoDecodeStats\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\shared_proto_db\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\shared_proto_db\metadata\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\wasm\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\wasm\index-dir\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\index-dir\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Cache\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Cache\Cache_Data\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\blob_storage\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\blob_storage\dd432c4a-ba38-4070-9985-ed1b3bea85dc\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\Acrobat\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\assets\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\Acrobat\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\Acrobat\DesktopNotification\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\Acrobat\DesktopNotification\NotificationsDB\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\VirtualStore\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\Symbols\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\msedge_url_fetcher_5172_761252224\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\msedge_url_fetcher_5172_1791500899\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\msedge_url_fetcher_2640_817343797\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\mozilla-temp-files\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\Low\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\edge_BITS_6440_995017740\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\edge_BITS_6440_778675694\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\edge_BITS_6440_736602331\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\edge_BITS_6440_649288342\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\edge_BITS_6440_339006160\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\edge_BITS_6440_27162369\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\edge_BITS_6440_1988346647\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\edge_BITS_6440_1959985254\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\edge_BITS_6440_1807723660\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\edge_BITS_6440_1693012001\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\edge_BITS_6440_1635976352\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\edge_BITS_6440_1619438387\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\edge_BITS_6440_1485273224\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\edge_BITS_6440_1421574262\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\edge_BITS_6440_1318414972\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\edge_BITS_6440_1289371347\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\edge_BITS_6440_1234978473\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\edge_BITS_6440_1191663050\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\edge_BITS_6440_1090636871\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\Diagnostics\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\Diagnostics\EXCEL\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\Acrobat\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\Acrobat\DC\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\Acrobat\DC\SearchEmbdIndex\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\acrocef_low\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\acrobat_sbx\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\acrobat_sbx\Adobe\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\acrobat_sbx\Adobe\Acrobat\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\acrobat_sbx\Adobe\Acrobat\DC\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\SolidDocuments\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\SolidDocuments\Acrobat\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Publishers\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Publishers\8wekyb3d8bbwe\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Publishers\8wekyb3d8bbwe\SettingsContainer\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Publishers\8wekyb3d8bbwe\Microsoft.WindowsAlarms\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Publishers\8wekyb3d8bbwe\Licenses\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Publishers\8wekyb3d8bbwe\Fonts\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\PlaceholderTileLogoFolder\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\PeerDistRepub\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\windows_ie_ac_001\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\windows_ie_ac_001\AC\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\windows_ie_ac_001\AC\Temp\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\TempState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\SystemAppData\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\Settings\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\RoamingState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\LocalState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\LocalCache\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\AppData\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\AC\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\AC\Temp\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\TempState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\SystemAppData\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\Settings\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\RoamingState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalCache\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\AppData\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\AC\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Windows.CBSPreview_cw5n1h2txyewy\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Windows.CBSPreview_cw5n1h2txyewy\TempState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Windows.CBSPreview_cw5n1h2txyewy\SystemAppData\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Windows.CBSPreview_cw5n1h2txyewy\Settings\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Windows.CBSPreview_cw5n1h2txyewy\RoamingState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Windows.CBSPreview_cw5n1h2txyewy\LocalState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Windows.CBSPreview_cw5n1h2txyewy\LocalCache\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Windows.CBSPreview_cw5n1h2txyewy\AppData\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Windows.CBSPreview_cw5n1h2txyewy\AC\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Windows.CBSPreview_cw5n1h2txyewy\AC\Temp\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\TempState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\SystemAppData\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\Settings\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\RoamingState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\LocalState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\LocalCache\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\AppData\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\AC\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\AC\Temp\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\TempState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\SystemAppData\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\Settings\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\RoamingState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\LocalState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\LocalCache\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\AppData\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\AC\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\AC\Temp\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SystemAppData\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\Settings\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\RoamingState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalCache\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AppData\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Temp\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\TempState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\SystemAppData\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\Settings\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\RoamingState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\LocalState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\LocalCache\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\AppData\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\AC\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\AC\Temp\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\TempState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\SystemAppData\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\Settings\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\RoamingState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\LocalState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\LocalCache\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\AppData\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\AC\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\AC\Temp\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\TempState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\SystemAppData\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\Settings\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\RoamingState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\LocalState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\LocalCache\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\AppData\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\AC\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\AC\Temp\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\TempState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\SystemAppData\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\Settings\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\RoamingState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\LocalState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\LocalCache\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\AppData\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\AC\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\AC\Temp\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\TempState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\SystemAppData\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\Settings\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\RoamingState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\LocalState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\LocalCache\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\AppData\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\AC\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\AC\Temp\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\TempState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\SystemAppData\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\Settings\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\RoamingState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\LocalState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\LocalState\DiagOutputDir\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\LocalCache\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\AppData\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\AC\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\AC\Temp\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\TempState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\SystemAppData\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\Settings\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\RoamingState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\LocalState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\LocalCache\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\AppData\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\AC\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\AC\Temp\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxApp_8wekyb3d8bbwe\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxApp_8wekyb3d8bbwe\TempState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxApp_8wekyb3d8bbwe\SystemAppData\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxApp_8wekyb3d8bbwe\Settings\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxApp_8wekyb3d8bbwe\RoamingState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxApp_8wekyb3d8bbwe\LocalState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxApp_8wekyb3d8bbwe\LocalCache\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxApp_8wekyb3d8bbwe\AppData\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxApp_8wekyb3d8bbwe\AC\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxApp_8wekyb3d8bbwe\AC\Temp\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Xbox.TCUI_8wekyb3d8bbwe\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Xbox.TCUI_8wekyb3d8bbwe\TempState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Xbox.TCUI_8wekyb3d8bbwe\SystemAppData\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Xbox.TCUI_8wekyb3d8bbwe\Settings\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Xbox.TCUI_8wekyb3d8bbwe\RoamingState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Xbox.TCUI_8wekyb3d8bbwe\LocalState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Xbox.TCUI_8wekyb3d8bbwe\LocalCache\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Xbox.TCUI_8wekyb3d8bbwe\AppData\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Xbox.TCUI_8wekyb3d8bbwe\AC\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Xbox.TCUI_8wekyb3d8bbwe\AC\Temp\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\TempState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\SystemAppData\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\Settings\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\RoamingState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\LocalState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\LocalCache\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\AppData\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\AC\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\AC\Temp\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\TempState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\SystemAppData\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\Settings\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\RoamingState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\LocalState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\LocalCache\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\AppData\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\AC\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\AC\Temp\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsMaps_8wekyb3d8bbwe\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsMaps_8wekyb3d8bbwe\TempState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsMaps_8wekyb3d8bbwe\SystemAppData\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsMaps_8wekyb3d8bbwe\Settings\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsMaps_8wekyb3d8bbwe\RoamingState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsMaps_8wekyb3d8bbwe\LocalState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsMaps_8wekyb3d8bbwe\LocalCache\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsMaps_8wekyb3d8bbwe\AppData\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsMaps_8wekyb3d8bbwe\AC\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsMaps_8wekyb3d8bbwe\AC\Temp\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\TempState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\SystemAppData\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\Settings\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\RoamingState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\LocalState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\LocalCache\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\AppData\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\AC\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\AC\Temp\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\TempState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\SystemAppData\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\Settings\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\RoamingState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalCache\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\AppData\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\AC\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\AC\Temp\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\AC\BackgroundTransferApi\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCamera_8wekyb3d8bbwe\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCamera_8wekyb3d8bbwe\TempState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCamera_8wekyb3d8bbwe\SystemAppData\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCamera_8wekyb3d8bbwe\Settings\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCamera_8wekyb3d8bbwe\RoamingState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCamera_8wekyb3d8bbwe\LocalState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCamera_8wekyb3d8bbwe\LocalCache\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCamera_8wekyb3d8bbwe\AppData\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCamera_8wekyb3d8bbwe\AC\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCamera_8wekyb3d8bbwe\AC\Temp\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCalculator_8wekyb3d8bbwe\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCalculator_8wekyb3d8bbwe\TempState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCalculator_8wekyb3d8bbwe\SystemAppData\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCalculator_8wekyb3d8bbwe\Settings\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCalculator_8wekyb3d8bbwe\RoamingState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCalculator_8wekyb3d8bbwe\LocalState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCalculator_8wekyb3d8bbwe\LocalCache\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCalculator_8wekyb3d8bbwe\AppData\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCalculator_8wekyb3d8bbwe\AC\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCalculator_8wekyb3d8bbwe\AC\Temp\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsAlarms_8wekyb3d8bbwe\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsAlarms_8wekyb3d8bbwe\TempState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsAlarms_8wekyb3d8bbwe\SystemAppData\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsAlarms_8wekyb3d8bbwe\Settings\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsAlarms_8wekyb3d8bbwe\RoamingState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsAlarms_8wekyb3d8bbwe\LocalState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsAlarms_8wekyb3d8bbwe\LocalCache\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsAlarms_8wekyb3d8bbwe\AppData\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsAlarms_8wekyb3d8bbwe\AC\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsAlarms_8wekyb3d8bbwe\AC\Temp\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\TempState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\SystemAppData\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\Settings\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\RoamingState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\LocalState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\LocalCache\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\AppData\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\AC\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\AC\Temp\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\SystemAppData\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\Settings\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\RoamingState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\LocalState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\LocalCache\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\AppData\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\AC\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\AC\Temp\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\TempState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\SystemAppData\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\Settings\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\RoamingState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\LocalState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\LocalCache\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\AppData\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\AC\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\AC\Temp\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\TempState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\SystemAppData\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\Settings\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\RoamingState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\LocalState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\LocalCache\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\AppData\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\AC\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\AC\Temp\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\TempState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SystemAppData\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\Settings\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\RoamingState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\LocalState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\LocalCache\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\AppData\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\AC\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\AC\Temp\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\TempState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\SystemAppData\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\Settings\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\RoamingState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\Flighting\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{99fff775-938d-4e2c-9c06-5d56107a5383}\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{2737c7bb-35fb-4b44-baf9-033ca587595d}\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{4e763a36-90d3-4d6c-9949-dd01f7e5d23f}\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{ea91a05a-d98f-4429-81a9-272df0335447}\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{de0f148a-c476-467a-b7a3-14b0bb463140}\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{c23bcd39-6fcf-4e41-add1-0231129b23be}\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalCache\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AppData\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AppData\Indexed DB\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AppData\CacheStorage\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Temp\Qs2QSInbk.README.txt	Jump to behavior

Source: Document.doc.scr.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\*6 source: Document.doc.scr.exe, 00000000.00000003.2057742422.000000000107B000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2062343931.000000000107E000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2059377065.000000000107E000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2058777627.000000000107E000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2057151278.000000000107E000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2058937804.000000000107B000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2056689891.000000000107B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: Document.doc.scr.exe, 00000000.00000003.2258783246.0000000001055000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2276164348.0000000001055000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2255923512.0000000001055000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2107881841.0000000001055000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2261471485.0000000001055000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2076076908.0000000001055000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2111760133.0000000001055000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2103731468.0000000001055000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2105203218.0000000001055000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2106190276.0000000001055000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2092103152.0000000001055000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2116474466.0000000001055000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2119600876.0000000001055000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000002.2465988864.0000000001055000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2103049713.0000000001055000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2090960096.0000000001055000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2090386296.0000000001055000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2369872444.0000000001055000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\*WI source: Document.doc.scr.exe, 00000000.00000003.2076076908.0000000001055000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: Document.doc.scr.exe, 00000000.00000003.2057742422.000000000107B000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2062343931.000000000107E000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2059377065.000000000107E000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2073299919.000000000107E000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2058777627.000000000107E000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2075467271.000000000107B000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2075677088.000000000107D000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2057151278.000000000107E000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2058937804.000000000107B000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2056689891.000000000107B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: WINLOA~1.PDBwinload_prod.pdb source: Document.doc.scr.exe, 00000000.00000003.2053393457.0000000001067000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error.Qs2QSInbk source: Document.doc.scr.exe, 00000000.00000002.2465988864.0000000000FEE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \\?\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdbSt source: Document.doc.scr.exe, 00000000.00000003.2258783246.0000000001055000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2276164348.0000000001055000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2255923512.0000000001055000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2107881841.0000000001055000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2261471485.0000000001055000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2076076908.0000000001055000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2111760133.0000000001055000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2103731468.0000000001055000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2105203218.0000000001055000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2106190276.0000000001055000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2092103152.0000000001055000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2116474466.0000000001055000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2119600876.0000000001055000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000002.2465988864.0000000001055000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2103049713.0000000001055000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2090960096.0000000001055000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2090386296.0000000001055000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2369872444.0000000001055000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error.Qs2QSInbk source: Document.doc.scr.exe, 00000000.00000003.2066471035.0000000001076000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2068848310.0000000001076000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2053996337.0000000001076000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2069805491.0000000001076000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2057151278.000000000107E000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2056689891.000000000107B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\Qs2QSInbk.README.txtu source: Document.doc.scr.exe, 00000000.00000003.2053275478.000000000107E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \Device\HarddiskVolume3\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ownload.errort source: Document.doc.scr.exe, 00000000.00000003.2053996337.0000000001076000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \\?\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: Document.doc.scr.exe, 00000000.00000003.2057742422.000000000107B000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2062343931.000000000107E000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2059377065.000000000107E000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2058777627.000000000107E000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2057151278.000000000107E000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2058937804.000000000107B000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2056689891.000000000107B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error.Qs2QSInbk> source: Document.doc.scr.exe, 00000000.00000003.2053338835.0000000001117000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error.Qs2QSInbk~ source: Document.doc.scr.exe, 00000000.00000003.2053338835.0000000001117000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2068688836.0000000001137000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\Document.doc.scr.exe	Code function: 0_2_0093A094 FindFirstFileExW,FindClose,	0_2_0093A094
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Code function: 0_2_009374BC FindFirstFileExW,FindNextFileW,	0_2_009374BC
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Code function: 0_2_00935C24 FindFirstFileW,FindClose,FindNextFileW,FindClose,	0_2_00935C24
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Code function: 0_2_00937590 FindFirstFileExW,FindClose,	0_2_00937590
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Code function: 0_2_0093766C FindFirstFileExW,GetFileAttributesW,FindNextFileW,	0_2_0093766C
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Code function: 0_2_0093F308 GetFileAttributesW,SetThreadPriority,FindFirstFileExW,FindNextFileW,FindClose,	0_2_0093F308
Source: C:\ProgramData\2172.tmp	Code function: 8_2_0040227C FindFirstFileExW,	8_2_0040227C
Source: C:\ProgramData\2172.tmp	Code function: 8_2_0040152C FindFirstFileExW,FindClose,FindNextFileW,FindClose,	8_2_0040152C

Source: C:\Users\user\Desktop\Document.doc.scr.exe

Code function: 0_2_0093A470 GetLogicalDriveStringsW,

0_2_0093A470

Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Local\Temp\Diagnostics\EXCEL\	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\Acrobat\	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\Acrobat\DC\	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\Acrobat\DC\SearchEmbdIndex\	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\	Jump to behavior

Networking

Found Tor onion address

Source: Document.doc.scr.exe, 00000000.00000002.2466936126.000000000107B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion
Source: Document.doc.scr.exe, 00000000.00000002.2466936126.000000000107B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion
Source: Document.doc.scr.exe, 00000000.00000002.2466936126.000000000107B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion
Source: Document.doc.scr.exe, 00000000.00000003.2463997094.000000000107B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion
Source: Document.doc.scr.exe, 00000000.00000003.2463997094.000000000107B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion
Source: Document.doc.scr.exe, 00000000.00000003.2463997094.000000000107B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion
Source: Document.doc.scr.exe, 00000000.00000003.2457027491.000000000107B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion
Source: Document.doc.scr.exe, 00000000.00000003.2457027491.000000000107B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion
Source: Document.doc.scr.exe, 00000000.00000003.2457027491.000000000107B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion
Source: Document.doc.scr.exe, 00000000.00000002.2465988864.0000000000FEE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion
Source: Document.doc.scr.exe, 00000000.00000002.2465988864.0000000000FEE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion
Source: Document.doc.scr.exe, 00000000.00000002.2465988864.0000000000FEE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion]N
Source: Document.doc.scr.exe, 00000000.00000002.2465988864.0000000000FEE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion]
Source: Document.doc.scr.exe, 00000000.00000002.2465988864.0000000000FEE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion]p
Source: Document.doc.scr.exe, 00000000.00000002.2465988864.0000000000FEE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.oniong
Source: Document.doc.scr.exe, 00000000.00000002.2465988864.0000000000FEE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion
Source: Document.doc.scr.exe, 00000000.00000002.2465988864.0000000000FEE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onional
Source: Document.doc.scr.exe, 00000000.00000002.2465988864.0000000000FEE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onionic
Source: Document.doc.scr.exe, 00000000.00000002.2465988864.0000000000FEE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onionin
Source: Document.doc.scr.exe, 00000000.00000002.2465988864.0000000000FEE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onionic
Source: Document.doc.scr.exe, 00000000.00000002.2465988864.0000000000FEE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onionl2
Source: Document.doc.scr.exe, 00000000.00000002.2465988864.0000000000FEE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onionedA
Source: Document.doc.scr.exe, 00000000.00000002.2465988864.0000000000FEE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onionk
Source: Document.doc.scr.exe, 00000000.00000002.2465988864.0000000000FEE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onionc~
Source: Document.doc.scr.exe, 00000000.00000002.2465988864.0000000000FEE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onionin
Source: Document.doc.scr.exe, 00000000.00000002.2465988864.0000000000FEE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onionl
Source: Document.doc.scr.exe, 00000000.00000002.2465988864.0000000000FEE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion0
Source: Document.doc.scr.exe, 00000000.00000003.2463644830.000000000107B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion
Source: Document.doc.scr.exe, 00000000.00000003.2463644830.000000000107B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion
Source: Document.doc.scr.exe, 00000000.00000003.2463644830.000000000107B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion

Source: Document.doc.scr.exe, 00000000.00000003.2031230612.00000000010D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: `https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: Document.doc.scr.exe, 00000000.00000003.2031230612.00000000010D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: `https://www.youtube.com/ equals www.youtube.com (Youtube)

Source: Document.doc.scr.exe, 00000000.00000002.2465988864.0000000001045000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000002.2466936126.000000000107B000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2463997094.000000000107B000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2457027491.000000000107B000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2463644830.000000000107B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lockbitapt.uz
Source: Document.doc.scr.exe, 00000000.00000002.2465988864.0000000000FEE000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2463644830.000000000107B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion
Source: Document.doc.scr.exe, 00000000.00000002.2465988864.0000000000FEE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion0
Source: Document.doc.scr.exe, 00000000.00000002.2465988864.0000000000FEE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onionic
Source: Document.doc.scr.exe, 00000000.00000002.2465988864.0000000000FEE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onionl
Source: Document.doc.scr.exe, 00000000.00000002.2465988864.0000000000FEE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onionl2
Source: Document.doc.scr.exe, 00000000.00000002.2465988864.0000000000FEE000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2463644830.000000000107B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion
Source: Document.doc.scr.exe, 00000000.00000002.2465988864.0000000000FEE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onionc~
Source: Document.doc.scr.exe, 00000000.00000002.2465988864.0000000000FEE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onionedA
Source: Document.doc.scr.exe, 00000000.00000002.2465988864.0000000000FEE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onionic
Source: Document.doc.scr.exe, 00000000.00000002.2465988864.0000000000FEE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onionin
Source: Document.doc.scr.exe, 00000000.00000002.2466936126.000000000107B000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2463997094.000000000107B000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2457027491.000000000107B000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000002.2465988864.0000000000FEE000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2463644830.000000000107B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion
Source: Document.doc.scr.exe, 00000000.00000002.2465988864.0000000000FEE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onional
Source: Document.doc.scr.exe, 00000000.00000002.2465988864.0000000000FEE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.oniong
Source: Document.doc.scr.exe, 00000000.00000002.2465988864.0000000000FEE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onionin
Source: Document.doc.scr.exe, 00000000.00000002.2465988864.0000000000FEE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onionk
Source: Document.doc.scr.exe, 00000000.00000002.2466936126.000000000107B000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2463997094.000000000107B000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2457027491.000000000107B000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2463644830.000000000107B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lockbitsupp.uz
Source: Document.doc.scr.exe, 00000000.00000003.2031230612.00000000010D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bugzilla.mo
Source: Document.doc.scr.exe, 00000000.00000003.2244020288.0000000001163000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://content-signature-2.cdn.mozilla.net/chains/remote-settings.content-signature.mozilla.org-202
Source: App1714014880372801600_29CC7398-2A01-4DC6-A22E-768619CAA88A.log.7.dr	String found in binary or memory: https://login.windows.net
Source: Document.doc.scr.exe, 00000000.00000003.2027366204.0000000001105000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2027366204.00000000010FD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org
Source: Document.doc.scr.exe, 00000000.00000003.2027366204.000000000110D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: Document.doc.scr.exe, 00000000.00000003.2027366204.000000000110D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL
Source: Document.doc.scr.exe, 00000000.00000002.2465988864.0000000000FEE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tox.:
Source: Document.doc.scr.exe, 00000000.00000002.2465988864.0000000000FEE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tox.::
Source: Document.doc.scr.exe, 00000000.00000002.2465988864.0000000000FEE000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2056293087.0000000001093000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2061132357.0000000001093000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2065780379.0000000001093000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2111760133.0000000001049000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2103731468.0000000001047000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2109489328.0000000001014000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2258114624.0000000001014000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2106881738.0000000001014000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2261471485.0000000001014000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2257598840.0000000001014000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2260455472.0000000001014000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2104352096.0000000001014000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2074831153.0000000001093000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2110837373.0000000001014000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2103049713.0000000001012000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2107881841.0000000001014000.00000004.00000020.00020000.00000000.sdmp, Qs2QSInbk.README.txt361.0.dr, Qs2QSInbk.README.txt180.0.dr, Qs2QSInbk.README.txt445.0.dr, Qs2QSInbk.README.txt409.0.dr	String found in binary or memory: https://tox.chat/
Source: Document.doc.scr.exe, 00000000.00000003.2031230612.00000000010D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://twitter.com/
Source: Document.doc.scr.exe, 00000000.00000003.2031230612.00000000010D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/
Source: Document.doc.scr.exe, 00000000.00000003.2031230612.00000000010D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.baidu.com/
Source: Document.doc.scr.exe, 00000000.00000003.2031230612.00000000010D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ctrip.com/
Source: Document.doc.scr.exe, 00000000.00000003.2031230612.00000000010D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ebay.co.uk/
Source: Document.doc.scr.exe, 00000000.00000003.2031230612.00000000010D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/
Source: Document.doc.scr.exe, 00000000.00000003.2031230612.00000000010D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/complete/
Source: Document.doc.scr.exe, 00000000.00000003.2027366204.0000000001105000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2027366204.00000000010FD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org
Source: Document.doc.scr.exe, 00000000.00000003.2027366204.000000000110D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: Document.doc.scr.exe, 00000000.00000003.2027366204.000000000110D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: Document.doc.scr.exe, 00000000.00000003.2027366204.000000000110D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: Document.doc.scr.exe, 00000000.00000003.2027366204.000000000110D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: Document.doc.scr.exe, 00000000.00000003.2244254218.0000000001163000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/media/img/logos/social/tiktok-white.599403de7ac0.svg
Source: Document.doc.scr.exe, 00000000.00000003.2027366204.000000000110D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: Document.doc.scr.exe, 00000000.00000003.2244254218.0000000001163000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/media/js/sentry.2b64d2b46e8a.js
Source: Document.doc.scr.exe, 00000000.00000003.2027366204.000000000110D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: Document.doc.scr.exe, 00000000.00000003.2031230612.00000000010D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/

Spam, unwanted Advertisements and Ransom Demands

Found ransom note / readme

Source: C:\Users\user\AppData\Local\Packages\Microsoft.Wallet_8wekyb3d8bbwe\AC\Qs2QSInbk.README.txt

Dropped file: !! ALL YOUR FILES ARE ENCRYPTED !!!You can't restore them without our decryptor.Don't try to use any public tools, you could damage the files and lose them forever.To make sure our decryptor works, contact us and decrypt one file for free.Download TOX messenger: https://tox.chat/Add friend in TOX, ID: 36F186C6FDCAAC0CF122E234B5D15F3F42F73568745F251C1306D71EBCA96817770F9B9AC2E6

Jump to dropped file

Yara detected LockBit ransomware

Source: Yara match	File source: Document.doc.scr.exe, type: SAMPLE
Source: Yara match	File source: 0.2.Document.doc.scr.exe.930000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.Document.doc.scr.exe.930000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2464445713.0000000000931000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2466936126.000000000107B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2457027491.000000000107B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2463997094.000000000107B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.2003658828.0000000000931000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2465988864.0000000000FEE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2463644830.000000000107B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2457278883.000000000107B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Document.doc.scr.exe PID: 3720, type: MEMORYSTR

Yara detected TrojanRansom

Source: Yara match

File source: Process Memory Space: Document.doc.scr.exe PID: 3720, type: MEMORYSTR

Changes the wallpaper picture

Source: C:\Users\user\Desktop\Document.doc.scr.exe

Key value created or modified: HKEY_CURRENT_USER\Control Panel\Desktop WallPaper C:\ProgramData\Qs2QSInbk.bmp

Jump to behavior

Found potential ransomware demand text

Source: Document.doc.scr.exe, 00000000.00000003.2457027491.000000000107B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory : Your data are stolen and encrypted
Source: Document.doc.scr.exe, 00000000.00000002.2465988864.0000000000FEE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory : Your data are stolen and encrypted
Source: Document.doc.scr.exe, 00000000.00000002.2465988864.0000000001055000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory : All your important files are stolen and encrypted!

Modifies existing user documents (likely ransomware behavior)

Source: C:\Users\user\Desktop\Document.doc.scr.exe	File moved: C:\Users\user\Desktop\NVWZAPQSQL\EFOYFBOLXA.xlsx	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File moved: C:\Users\user\Desktop\ZGGKNSUKOP.xlsx	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File moved: C:\Users\user\Desktop\NWCXBPIUYI.mp3	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File moved: C:\Users\user\Desktop\BJZFPPWAPT\KLIZUSIQEN.pdf	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File moved: C:\Users\user\Desktop\EFOYFBOLXA\EWZCVGNOWT.png	Jump to behavior

Writes many files with high entropy

Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{4e763a36-90d3-4d6c-9949-dd01f7e5d23f}\appsglobals.txt.Qs2QSInbk entropy: 7.999530453	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{ea91a05a-d98f-4429-81a9-272df0335447}\0.0.filtertrie.intermediate.txt.Qs2QSInbk entropy: 7.99470217834	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{4e763a36-90d3-4d6c-9949-dd01f7e5d23f}\settingsglobals.txt.Qs2QSInbk entropy: 7.99602959615	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{4e763a36-90d3-4d6c-9949-dd01f7e5d23f}\appssynonyms.txt.Qs2QSInbk entropy: 7.99929543556	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{ea91a05a-d98f-4429-81a9-272df0335447}\Apps.ft.Qs2QSInbk entropy: 7.99603698648	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{c23bcd39-6fcf-4e41-add1-0231129b23be}\0.0.filtertrie.intermediate.txt.Qs2QSInbk entropy: 7.99555877498	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{de0f148a-c476-467a-b7a3-14b0bb463140}\Apps.ft.Qs2QSInbk entropy: 7.99650183294	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{de0f148a-c476-467a-b7a3-14b0bb463140}\0.0.filtertrie.intermediate.txt.Qs2QSInbk entropy: 7.9956212989	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{4e763a36-90d3-4d6c-9949-dd01f7e5d23f}\settingssynonyms.txt.Qs2QSInbk entropy: 7.99832291913	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\https___java_com_help.Qs2QSInbk entropy: 7.99539062709	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\https___java_com_.Qs2QSInbk entropy: 7.99499108204	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Chrome.Qs2QSInbk entropy: 7.99472100209	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\308046B0AF4A39CB;PrivateBrowsingAUMID.Qs2QSInbk entropy: 7.99485276516	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\308046B0AF4A39CB.Qs2QSInbk entropy: 7.99400724706	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{4e763a36-90d3-4d6c-9949-dd01f7e5d23f}\settingsconversions.txt.Qs2QSInbk entropy: 7.99744012982	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{c23bcd39-6fcf-4e41-add1-0231129b23be}\Apps.ft.Qs2QSInbk entropy: 7.99617501998	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\edge_BITS_6440_1318414972\873489b1-33b2-480a-baa2-641b9e09edcd.Qs2QSInbk entropy: 7.99185952357	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\edge_BITS_6440_1289371347\78549187-a875-4f1e-8dfa-9938ebc29c81.Qs2QSInbk entropy: 7.9955493004	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\edge_BITS_6440_1234978473\1187695d-8276-4e31-8de1-9e57768989bd.Qs2QSInbk entropy: 7.99707376633	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\edge_BITS_6440_1421574262\c50698d5-282c-4c8d-9fa6-c155f2d8d379.Qs2QSInbk entropy: 7.99953842152	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_AutoGenerated_{E8B84CFB-B069-BC13-F88F-170904F645E5}.Qs2QSInbk entropy: 7.9954303523	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_AutoGenerated_{DAA168DE-4306-C8BC-8C11-B596240BDDED}.Qs2QSInbk entropy: 7.99523194122	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_AutoGenerated_{C804BBA7-FA5F-CBF7-8B55-2096E5F972CB}.Qs2QSInbk entropy: 7.99421838953	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_AutoGenerated_{C1C6F8AC-40A3-0F5C-146F-65A9DC70BBB4}.Qs2QSInbk entropy: 7.99391612445	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_AutoGenerated_{BD3F924E-55FB-A1BA-9DE6-B50F9F2460AC}.Qs2QSInbk entropy: 7.99555123884	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_AutoGenerated_{BB044BFD-25B7-2FAA-22A8-6371A93E0456}.Qs2QSInbk entropy: 7.99520696149	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_AutoGenerated_{923DD477-5846-686B-A659-0FCCD73851A8}.Qs2QSInbk entropy: 7.9944223541	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_AutoGenerated_{8ABD94FB-E7D6-84A6-A997-C918EDDE0AE5}.Qs2QSInbk entropy: 7.99503490301	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\edge_BITS_6440_1191663050\9e51170b-7adf-40ab-83b6-5f97b13bedcb.Qs2QSInbk entropy: 7.99905618588	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_AutoGenerated_{8AA47365-B2B3-1961-69EB-F866E376B12F}.Qs2QSInbk entropy: 7.9955512613	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_AutoGenerated_{16988324-21C9-05B2-CA60-9B4EC72739D8}.Qs2QSInbk entropy: 7.99478864523	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\Diagnostics\EXCEL\App1696428505298658900_7B05BF2A-C74F-44F8-B674-AA3F9719008B.log.Qs2QSInbk entropy: 7.99106666429	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_AutoGenerated_{116229A7-9A3B-2078-DB5F-B5A20811242C}.Qs2QSInbk entropy: 7.99544101448	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\Diagnostics\EXCEL\App1696428527628431800_6CD9E3BB-4D03-46BD-8615-75A902267162.log.Qs2QSInbk entropy: 7.99891654605	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\Diagnostics\EXCEL\App1696428537364279100_A2018481-B961-46B4-9328-34939DEAF293.log.Qs2QSInbk entropy: 7.99906688756	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_InternetExplorer_Default.Qs2QSInbk entropy: 7.99497560075	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\acrobat_sbx\acroNGLLog.txt.Qs2QSInbk entropy: 7.99215658534	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_AutoGenerated_{F1118828-A0CC-5FEB-85C9-DBFFDF98434A}.Qs2QSInbk entropy: 7.99543011954	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_AutoGenerated_{E7A33582-E908-3379-5368-5999454DCD83}.Qs2QSInbk entropy: 7.99543396629	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Office_OUTLOOK_EXE_15.Qs2QSInbk entropy: 7.99598645533	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Office_ONENOTE_EXE_15.Qs2QSInbk entropy: 7.99491311144	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Office_OcPubMgr_exe_15.Qs2QSInbk entropy: 7.99510995942	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Office_MSPUB_EXE_15.Qs2QSInbk entropy: 7.99553812245	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Office_msoev_exe_15.Qs2QSInbk entropy: 7.99525657639	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Office_MSACCESS_EXE_15.Qs2QSInbk entropy: 7.99492277144	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Office_lync_exe_15.Qs2QSInbk entropy: 7.99450661874	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Office_EXCEL_EXE_15.Qs2QSInbk entropy: 7.99502618185	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Office_DATABASECOMPARE_EXE_15.Qs2QSInbk entropy: 7.99568317215	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_WindowsCalculator_8wekyb3d8bbwe!App.Qs2QSInbk entropy: 7.99482949928	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_WindowsAlarms_8wekyb3d8bbwe!App.Qs2QSInbk entropy: 7.99535120195	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_SkyDrive_Desktop.Qs2QSInbk entropy: 7.99479579026	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Office_WINWORD_EXE_15.Qs2QSInbk entropy: 7.99473051565	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Office_SETLANG_EXE_15.Qs2QSInbk entropy: 7.99555306367	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Office_SPREADSHEETCOMPARE_EXE_15.Qs2QSInbk entropy: 7.99549089696	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Office_POWERPNT_EXE_15.Qs2QSInbk entropy: 7.9946460316	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Windows_MediaPlayer32.Qs2QSInbk entropy: 7.99513536266	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Windows_Explorer.Qs2QSInbk entropy: 7.99567966986	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Windows_ControlPanel.Qs2QSInbk entropy: 7.99433428612	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Windows_Computer.Qs2QSInbk entropy: 7.99518365658	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Windows_AdministrativeTools.Qs2QSInbk entropy: 7.995090363	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_WindowsSoundRecorder_8wekyb3d8bbwe!App.Qs2QSInbk entropy: 7.99525763885	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Windows_RemoteDesktop.Qs2QSInbk entropy: 7.9949298655	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\MSEdge.Qs2QSInbk entropy: 7.9948720056	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Windows_Shell_RunDialog.Qs2QSInbk entropy: 7.99533739937	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Windows_Photos_8wekyb3d8bbwe!App.Qs2QSInbk entropy: 7.99424589779	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\content-prefs.sqlite.Qs2QSInbk entropy: 7.99926761851	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite.Qs2QSInbk entropy: 7.9980354342	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite-shm.Qs2QSInbk entropy: 7.99416507223	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\extensions.json.Qs2QSInbk entropy: 7.99499811154	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\favicons.sqlite-shm.Qs2QSInbk entropy: 7.99474400837	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db.Qs2QSInbk entropy: 7.99937107839	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\permissions.sqlite.Qs2QSInbk entropy: 7.99802641596	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-shm.Qs2QSInbk entropy: 7.99429407194	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\protections.sqlite.Qs2QSInbk entropy: 7.99761979963	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\webappsstore.sqlite.Qs2QSInbk entropy: 7.99820906833	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\webappsstore.sqlite-shm.Qs2QSInbk entropy: 7.99497759958	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\ls-archive.sqlite.Qs2QSInbk entropy: 7.99862267934	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shm.Qs2QSInbk entropy: 7.99350111277	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite.Qs2QSInbk entropy: 7.99590646082	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite.Qs2QSInbk entropy: 7.99634599189	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shm.Qs2QSInbk entropy: 7.9953289432	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite.Qs2QSInbk entropy: 7.99634893955	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite-shm.Qs2QSInbk entropy: 7.99466243541	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite.Qs2QSInbk entropy: 7.99621746015	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite-shm.Qs2QSInbk entropy: 7.9946290405	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite.Qs2QSInbk entropy: 7.99579574441	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite-shm.Qs2QSInbk entropy: 7.99417435465	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cache2\entries\62FC1E8DCE1991EEB55DE9EFADF47EA578A22AB5.Qs2QSInbk entropy: 7.99304075631	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shm.Qs2QSInbk entropy: 7.99381508349	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\saved-telemetry-pings\a83301c6-790b-49f3-adc7-55a855f7fe79.Qs2QSInbk entropy: 7.9972834818	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cache2\entries\D0F48A0632B6C451791F4257697E861961F06A6F.Qs2QSInbk entropy: 7.9948305611	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cache2\entries\C5FD1F724F49F95970FE8CD30C20519BF4582045.Qs2QSInbk entropy: 7.99842649706	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cache2\entries\E557A7C6ADAC24EDE9B88CACC662B8A371C1931D.Qs2QSInbk entropy: 7.99634144795	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cache2\entries\DED23BB33EA3C88FAD1C0A1CD53916E0D8C424D3.Qs2QSInbk entropy: 7.99086601599	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\archived\2023-10\1696426835649.b06d08be-79e8-4bfe-b6aa-988ea3d35cbd.first-shutdown.jsonlz4.Qs2QSInbk entropy: 7.99178472417	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cache2\entries\E707EC8A256322E87908664A49F800B7B48E0961.Qs2QSInbk entropy: 7.99191929839	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\first_party_sets.db.Qs2QSInbk entropy: 7.99680483484	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cache2\doomed\14645.Qs2QSInbk entropy: 7.99451275548	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1.Qs2QSInbk entropy: 7.99932840589	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\ShaderCache\index.Qs2QSInbk entropy: 7.99930479681	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\GraphiteDawnCache\data_1.Qs2QSInbk entropy: 7.99922905492	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_1.Qs2QSInbk entropy: 7.99935997534	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\GrShaderCache\index.Qs2QSInbk entropy: 7.99918021754	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\GraphiteDawnCache\index.Qs2QSInbk entropy: 7.99934710748	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_mspaint_exe.Qs2QSInbk entropy: 7.99498073237	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_MdSched_exe.Qs2QSInbk entropy: 7.99591848937	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_magnify_exe.Qs2QSInbk entropy: 7.9950149436	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_iscsicpl_exe.Qs2QSInbk entropy: 7.99501552841	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_dfrgui_exe.Qs2QSInbk entropy: 7.99534024681	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_comexp_msc.Qs2QSInbk entropy: 7.99493620187	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_cmd_exe.Qs2QSInbk entropy: 7.99446232795	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_cleanmgr_exe.Qs2QSInbk entropy: 7.99511705607	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_charmap_exe.Qs2QSInbk entropy: 7.99514762776	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_msinfo32_exe.Qs2QSInbk entropy: 7.99519016039	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_msconfig_exe.Qs2QSInbk entropy: 7.99499143038	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_WFS_exe.Qs2QSInbk entropy: 7.9940341658	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_SnippingTool_exe.Qs2QSInbk entropy: 7.99506270097	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_RecoveryDrive_exe.Qs2QSInbk entropy: 7.99510610784	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_quickassist_exe.Qs2QSInbk entropy: 7.99565767391	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_psr_exe.Qs2QSInbk entropy: 7.99515709484	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_printmanagement_msc.Qs2QSInbk entropy: 7.99466824149	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_osk_exe.Qs2QSInbk entropy: 7.99437631884	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_odbcad32_exe.Qs2QSInbk entropy: 7.99457822976	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_notepad_exe.Qs2QSInbk entropy: 7.99542619112	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_narrator_exe.Qs2QSInbk entropy: 7.99511801872	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_services_msc.Qs2QSInbk entropy: 7.99494840912	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}_AutoIt3_Aut2Exe_Aut2exe_exe.Qs2QSInbk entropy: 7.99498348186	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}_AutoIt3_Au3Info_x64_exe.Qs2QSInbk entropy: 7.9952200111	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}_AutoIt3_Au3Info_exe.Qs2QSInbk entropy: 7.9949762494	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{6D809377-6AF0-444B-8957-A3773F02200E}_Windows NT_Accessories_wordpad_exe.Qs2QSInbk entropy: 7.99508378897	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{6D809377-6AF0-444B-8957-A3773F02200E}_Common Files_Microsoft Shared_Ink_mip_exe.Qs2QSInbk entropy: 7.99545669501	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{6D809377-6AF0-444B-8957-A3773F02200E}_Adobe_Acrobat DC_Acrobat_Acrobat_exe.Qs2QSInbk entropy: 7.99510217529	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{6D809377-6AF0-444B-8957-A3773F02200E}_7-Zip_7zFM_exe.Qs2QSInbk entropy: 7.99487876848	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{6D809377-6AF0-444B-8957-A3773F02200E}_7-Zip_7-zip_chm.Qs2QSInbk entropy: 7.99445087594	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_WindowsPowerShell_v1_0_PowerShell_ISE_exe.Qs2QSInbk entropy: 7.99446717133	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_WindowsPowerShell_v1_0_powershell_exe.Qs2QSInbk entropy: 7.99474669197	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_WF_msc.Qs2QSInbk entropy: 7.99483833445	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}_odbcad32_exe.Qs2QSInbk entropy: 7.99582756315	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}_Java_jre-1_8_bin_javacpl_exe.Qs2QSInbk entropy: 7.99515604123	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}_AutoIt3_SciTE_SciTE_exe.Qs2QSInbk entropy: 7.99535567429	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}_AutoIt3_Extras.Qs2QSInbk entropy: 7.99520448852	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}_AutoIt3_Examples.Qs2QSInbk entropy: 7.99514915323	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}_AutoIt3_AutoIt_chm.Qs2QSInbk entropy: 7.99542213298	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}_AutoIt3_AutoItX_AutoItX_chm.Qs2QSInbk entropy: 7.99580155571	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}_AutoIt3_AutoIt3_x64_exe.Qs2QSInbk entropy: 7.99536168536	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}_AutoIt3_AutoIt3_exe.Qs2QSInbk entropy: 7.99537567266	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}_AutoIt3_AutoIt v3 Website_url.Qs2QSInbk entropy: 7.99421550914	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}_AutoIt3_Aut2Exe_Aut2exe_x64_exe.Qs2QSInbk entropy: 7.99475701834	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AppData\Indexed DB\edbres00002.jrs.Qs2QSInbk entropy: 7.99961877689	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AppData\Indexed DB\edbres00001.jrs.Qs2QSInbk entropy: 7.99962880522	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AppData\Indexed DB\edb.log.Qs2QSInbk entropy: 7.99961966706	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{F38BF404-1D43-42F2-9305-67DE0B28FC23}_regedit_exe.Qs2QSInbk entropy: 7.99538151287	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}_WindowsPowerShell_v1_0_PowerShell_ISE_exe.Qs2QSInbk entropy: 7.99479879284	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}_WindowsPowerShell_v1_0_powershell_exe.Qs2QSInbk entropy: 7.99494738957	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AppData\Indexed DB\edbtmp.log.Qs2QSInbk entropy: 7.9996092098	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\ConnectedDevicesPlatform\L.user\ActivitiesCache.db-shm.Qs2QSInbk entropy: 7.99435221768	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\LocalState\PhotosAppTracing_startedInBGMode.etl.Qs2QSInbk entropy: 7.99719876836	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\LocalState\MediaDb.v1.sqlite-shm.Qs2QSInbk entropy: 7.99441359102	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\Security\ES_session_storei.Qs2QSInbk entropy: 7.99217197286	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\LocalState\ThirdPartyNotice.html.Qs2QSInbk entropy: 7.9981726133	Jump to dropped file
Source: C:\ProgramData\2172.tmp	File created: C:\Users\user\Desktop\Document.doc.scr.exe entropy: 7.99742508059	Jump to dropped file
Source: C:\ProgramData\2172.tmp	File created: C:\Users\user\Desktop\AAAAAAAAAAAAAAAAAAAA (copy) entropy: 7.99742508059	Jump to dropped file
Source: C:\ProgramData\2172.tmp	File created: C:\Users\user\Desktop\BBBBBBBBBBBBBBBBBBBB (copy) entropy: 7.99742508059	Jump to dropped file
Source: C:\ProgramData\2172.tmp	File created: C:\Users\user\Desktop\CCCCCCCCCCCCCCCCCCCC (copy) entropy: 7.99742508059	Jump to dropped file
Source: C:\ProgramData\2172.tmp	File created: C:\Users\user\Desktop\DDDDDDDDDDDDDDDDDDDD (copy) entropy: 7.99742508059	Jump to dropped file
Source: C:\ProgramData\2172.tmp	File created: C:\Users\user\Desktop\EEEEEEEEEEEEEEEEEEEE (copy) entropy: 7.99742508059	Jump to dropped file
Source: C:\ProgramData\2172.tmp	File created: C:\Users\user\Desktop\FFFFFFFFFFFFFFFFFFFF (copy) entropy: 7.99742508059	Jump to dropped file
Source: C:\ProgramData\2172.tmp	File created: C:\Users\user\Desktop\GGGGGGGGGGGGGGGGGGGG (copy) entropy: 7.99742508059	Jump to dropped file
Source: C:\ProgramData\2172.tmp	File created: C:\Users\user\Desktop\HHHHHHHHHHHHHHHHHHHH (copy) entropy: 7.99742508059	Jump to dropped file
Source: C:\ProgramData\2172.tmp	File created: C:\Users\user\Desktop\IIIIIIIIIIIIIIIIIIII (copy) entropy: 7.99742508059	Jump to dropped file
Source: C:\ProgramData\2172.tmp	File created: C:\Users\user\Desktop\JJJJJJJJJJJJJJJJJJJJ (copy) entropy: 7.99742508059	Jump to dropped file
Source: C:\ProgramData\2172.tmp	File created: C:\Users\user\Desktop\KKKKKKKKKKKKKKKKKKKK (copy) entropy: 7.99742508059	Jump to dropped file
Source: C:\ProgramData\2172.tmp	File created: C:\Users\user\Desktop\LLLLLLLLLLLLLLLLLLLL (copy) entropy: 7.99742508059	Jump to dropped file
Source: C:\ProgramData\2172.tmp	File created: C:\Users\user\Desktop\MMMMMMMMMMMMMMMMMMMM (copy) entropy: 7.99742508059	Jump to dropped file
Source: C:\ProgramData\2172.tmp	File created: C:\Users\user\Desktop\NNNNNNNNNNNNNNNNNNNN (copy) entropy: 7.99742508059	Jump to dropped file
Source: C:\ProgramData\2172.tmp	File created: C:\Users\user\Desktop\OOOOOOOOOOOOOOOOOOOO (copy) entropy: 7.99742508059	Jump to dropped file
Source: C:\ProgramData\2172.tmp	File created: C:\Users\user\Desktop\PPPPPPPPPPPPPPPPPPPP (copy) entropy: 7.99742508059	Jump to dropped file
Source: C:\ProgramData\2172.tmp	File created: C:\Users\user\Desktop\QQQQQQQQQQQQQQQQQQQQ (copy) entropy: 7.99742508059	Jump to dropped file
Source: C:\ProgramData\2172.tmp	File created: C:\Users\user\Desktop\RRRRRRRRRRRRRRRRRRRR (copy) entropy: 7.99742508059	Jump to dropped file
Source: C:\ProgramData\2172.tmp	File created: C:\Users\user\Desktop\SSSSSSSSSSSSSSSSSSSS (copy) entropy: 7.99742508059	Jump to dropped file
Source: C:\ProgramData\2172.tmp	File created: C:\Users\user\Desktop\TTTTTTTTTTTTTTTTTTTT (copy) entropy: 7.99742508059	Jump to dropped file
Source: C:\ProgramData\2172.tmp	File created: C:\Users\user\Desktop\UUUUUUUUUUUUUUUUUUUU (copy) entropy: 7.99742508059	Jump to dropped file
Source: C:\ProgramData\2172.tmp	File created: C:\Users\user\Desktop\VVVVVVVVVVVVVVVVVVVV (copy) entropy: 7.99742508059	Jump to dropped file
Source: C:\ProgramData\2172.tmp	File created: C:\Users\user\Desktop\WWWWWWWWWWWWWWWWWWWW (copy) entropy: 7.99742508059	Jump to dropped file
Source: C:\ProgramData\2172.tmp	File created: C:\Users\user\Desktop\XXXXXXXXXXXXXXXXXXXX (copy) entropy: 7.99742508059	Jump to dropped file
Source: C:\ProgramData\2172.tmp	File created: C:\Users\user\Desktop\YYYYYYYYYYYYYYYYYYYY (copy) entropy: 7.99742508059	Jump to dropped file
Source: C:\ProgramData\2172.tmp	File created: C:\Users\user\Desktop\ZZZZZZZZZZZZZZZZZZZZ (copy) entropy: 7.99742508059	Jump to dropped file

System Summary

Malicious sample detected (through community Yara rule)

Source: Document.doc.scr.exe, type: SAMPLE	Matched rule: Windows_Ransomware_Lockbit_369e1e94 Author: unknown
Source: 0.2.Document.doc.scr.exe.930000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Lockbit_369e1e94 Author: unknown
Source: 0.0.Document.doc.scr.exe.930000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Lockbit_369e1e94 Author: unknown
Source: 00000000.00000002.2464445713.0000000000931000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Lockbit_369e1e94 Author: unknown
Source: 00000000.00000000.2003658828.0000000000931000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Lockbit_369e1e94 Author: unknown

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: Document.doc.scr.exe

Sample has a suspicious name (potential lure to open the executable)

Source: Document.doc.scr.exe

Static file information: Suspicious name

Source: C:\Users\user\Desktop\Document.doc.scr.exe	Code function: 0_2_00936C98 NtQueryInformationToken,	0_2_00936C98
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Code function: 0_2_00939880 NtClose,	0_2_00939880
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Code function: 0_2_009404B4 GetTempFileNameW,CreateFileW,WriteFile,CreateProcessW,NtQueryInformationProcess,NtReadVirtualMemory,NtProtectVirtualMemory,NtWriteVirtualMemory,CreateNamedPipeW,ResumeThread,ConnectNamedPipe,	0_2_009404B4
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Code function: 0_2_00947034 CreateThread,CreateThread,CreateThread,CreateThread,NtTerminateThread,CreateThread,CreateThread,	0_2_00947034
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Code function: 0_2_0093B444 NtSetInformationThread,	0_2_0093B444
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Code function: 0_2_0093B470 NtProtectVirtualMemory,	0_2_0093B470
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Code function: 0_2_0093DC60 NtTerminateProcess,	0_2_0093DC60
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Code function: 0_2_0093E1E8 CreateThread,NtClose,	0_2_0093E1E8
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Code function: 0_2_00937E58 NtQuerySystemInformation,Sleep,	0_2_00937E58
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Code function: 0_2_0093B674 NtQueryInformationToken,	0_2_0093B674
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Code function: 0_2_0093DE78 SetThreadPriority,ReadFile,WriteFile,WriteFile,NtClose,	0_2_0093DE78
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Code function: 0_2_00936668 CreateFileW,NtAllocateVirtualMemory,WriteFile,SetFilePointerEx,NtFreeVirtualMemory,NtClose,DeleteFileW,	0_2_00936668
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Code function: 0_2_009397D8 NtQuerySystemInformation,	0_2_009397D8
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Code function: 0_2_0093B3C0 NtSetInformationThread,NtClose,	0_2_0093B3C0
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Code function: 0_2_0093C3F8 CreateFileW,WriteFile,RegCreateKeyExW,RegSetValueExW,RegCreateKeyExW,RegSetValueExW,SHChangeNotify,NtClose,	0_2_0093C3F8
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Code function: 0_2_0093B734 NtSetInformationProcess,NtSetInformationProcess,NtSetInformationProcess,	0_2_0093B734
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Code function: 0_2_00938F68 RtlAdjustPrivilege,NtSetInformationThread,	0_2_00938F68
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Code function: 0_2_00939811 NtQuerySystemInformation,	0_2_00939811
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Code function: 0_2_0093982A NtQuerySystemInformation,	0_2_0093982A
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Code function: 0_2_00937E8A NtQuerySystemInformation,Sleep,	0_2_00937E8A
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Code function: 0_2_00937EA3 NtQuerySystemInformation,Sleep,	0_2_00937EA3
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Code function: 0_2_00938F66 RtlAdjustPrivilege,NtSetInformationThread,	0_2_00938F66
Source: C:\ProgramData\2172.tmp	Code function: 8_2_00402760 CreateFileW,ReadFile,NtClose,	8_2_00402760
Source: C:\ProgramData\2172.tmp	Code function: 8_2_0040286C NtSetInformationProcess,NtSetInformationProcess,NtSetInformationProcess,	8_2_0040286C
Source: C:\ProgramData\2172.tmp	Code function: 8_2_00402F18 CreateFileW,NtAllocateVirtualMemory,WriteFile,SetFilePointerEx,SetFilePointerEx,NtFreeVirtualMemory,NtClose,DeleteFileW,	8_2_00402F18
Source: C:\ProgramData\2172.tmp	Code function: 8_2_00401DC2 NtProtectVirtualMemory,	8_2_00401DC2
Source: C:\ProgramData\2172.tmp	Code function: 8_2_00401D94 NtSetInformationThread,	8_2_00401D94
Source: C:\ProgramData\2172.tmp	Code function: 8_2_004016B4 NtAllocateVirtualMemory,NtAllocateVirtualMemory,	8_2_004016B4

Source: C:\Users\user\Desktop\Document.doc.scr.exe

Code function: 0_2_0093A68C: GetVolumeNameForVolumeMountPointW,FindFirstVolumeW,GetVolumePathNamesForVolumeNameW,GetDriveTypeW,CreateFileW,DeviceIoControl,

0_2_0093A68C

Source: C:\Windows\splwow64.exe

File created: C:\Windows\system32\spool\PRINTERS\00002.SPL

Source: C:\Users\user\Desktop\Document.doc.scr.exe	Code function: 0_2_009380B8	0_2_009380B8
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Code function: 0_2_009320AC	0_2_009320AC
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Code function: 0_2_00934D03	0_2_00934D03
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Code function: 0_2_00934D08	0_2_00934D08
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Code function: 0_2_00935218	0_2_00935218

Source: C:\Users\user\Desktop\Document.doc.scr.exe

Process token adjusted: Security

Source: Document.doc.scr.exe, 00000000.00000003.2260960774.0000000001045000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamesvchost.exe.muij% vs Document.doc.scr.exe
Source: Document.doc.scr.exe, 00000000.00000002.2465988864.0000000001045000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamesvchost.exe.muij% vs Document.doc.scr.exe
Source: Document.doc.scr.exe, 00000000.00000003.2369872444.0000000001045000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamesvchost.exe.muij% vs Document.doc.scr.exe
Source: Document.doc.scr.exe, 00000000.00000003.2276164348.0000000001045000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamesvchost.exe.muij% vs Document.doc.scr.exe

Source: Document.doc.scr.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Document.doc.scr.exe, type: SAMPLE	Matched rule: Windows_Ransomware_Lockbit_369e1e94 reference_sample = d61af007f6c792b8fb6c677143b7d0e2533394e28c50737588e40da475c040ee, os = windows, severity = x86, creation_date = 2022-07-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Lockbit, fingerprint = 9cf4c112c0ee708ae64052926681e8351f1ccefeb558c41e875dbd9e4bdcb5f2, id = 369e1e94-3fbb-4828-bb78-89d26e008105, last_modified = 2022-07-18
Source: 0.2.Document.doc.scr.exe.930000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Lockbit_369e1e94 reference_sample = d61af007f6c792b8fb6c677143b7d0e2533394e28c50737588e40da475c040ee, os = windows, severity = x86, creation_date = 2022-07-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Lockbit, fingerprint = 9cf4c112c0ee708ae64052926681e8351f1ccefeb558c41e875dbd9e4bdcb5f2, id = 369e1e94-3fbb-4828-bb78-89d26e008105, last_modified = 2022-07-18
Source: 0.0.Document.doc.scr.exe.930000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Lockbit_369e1e94 reference_sample = d61af007f6c792b8fb6c677143b7d0e2533394e28c50737588e40da475c040ee, os = windows, severity = x86, creation_date = 2022-07-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Lockbit, fingerprint = 9cf4c112c0ee708ae64052926681e8351f1ccefeb558c41e875dbd9e4bdcb5f2, id = 369e1e94-3fbb-4828-bb78-89d26e008105, last_modified = 2022-07-18
Source: 00000000.00000002.2464445713.0000000000931000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Lockbit_369e1e94 reference_sample = d61af007f6c792b8fb6c677143b7d0e2533394e28c50737588e40da475c040ee, os = windows, severity = x86, creation_date = 2022-07-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Lockbit, fingerprint = 9cf4c112c0ee708ae64052926681e8351f1ccefeb558c41e875dbd9e4bdcb5f2, id = 369e1e94-3fbb-4828-bb78-89d26e008105, last_modified = 2022-07-18
Source: 00000000.00000000.2003658828.0000000000931000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Lockbit_369e1e94 reference_sample = d61af007f6c792b8fb6c677143b7d0e2533394e28c50737588e40da475c040ee, os = windows, severity = x86, creation_date = 2022-07-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Lockbit, fingerprint = 9cf4c112c0ee708ae64052926681e8351f1ccefeb558c41e875dbd9e4bdcb5f2, id = 369e1e94-3fbb-4828-bb78-89d26e008105, last_modified = 2022-07-18

Source: classification engine

Classification label: mal100.rans.phis.spyw.evad.winEXE@9/1690@0/0

Source: C:\Users\user\Desktop\Document.doc.scr.exe

File created: C:\Users\Qs2QSInbk.README.txt

Jump to behavior

Source: C:\Users\user\Desktop\Document.doc.scr.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\059e209281ada150c0df4a044869e46c
Source: C:\ProgramData\2172.tmp	Mutant created: \Sessions\1\BaseNamedObjects\Global\{649F4E29-16CB-DD42-8922-9FFF0592856B}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5604:120:WilError_03

Source: C:\Users\user\Desktop\Document.doc.scr.exe

File created: C:\Users\user\AppData\Local\Temp\Qs2QSInbk.README.txt

Jump to behavior

Source: C:\Users\user\Desktop\Document.doc.scr.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\Document.doc.scr.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Document.doc.scr.exe

Virustotal: Detection: 77%

Source: unknown	Process created: C:\Users\user\Desktop\Document.doc.scr.exe "C:\Users\user\Desktop\Document.doc.scr.exe"
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288
Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE /insertdoc "C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\{EA82EC72-B970-44A4-8C1B-42CD300B85FB}.xps" 133584884697420000
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Process created: C:\ProgramData\2172.tmp "C:\ProgramData\2172.tmp"
Source: C:\ProgramData\2172.tmp	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\2172.tmp >> NUL
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Process created: C:\ProgramData\2172.tmp "C:\ProgramData\2172.tmp"	Jump to behavior
Source: C:\ProgramData\2172.tmp	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\2172.tmp >> NUL

Source: C:\Users\user\Desktop\Document.doc.scr.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Section loaded: activeds.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Section loaded: adsldpc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Section loaded: gpedit.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Section loaded: dssec.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Section loaded: dsuiext.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Section loaded: authz.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Section loaded: ntdsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Section loaded: adsldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Section loaded: mscms.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Section loaded: coloradapterclient.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\ProgramData\2172.tmp	Section loaded: apphelp.dll
Source: C:\ProgramData\2172.tmp	Section loaded: rstrtmgr.dll
Source: C:\ProgramData\2172.tmp	Section loaded: ncrypt.dll
Source: C:\ProgramData\2172.tmp	Section loaded: ntasn1.dll
Source: C:\ProgramData\2172.tmp	Section loaded: windows.storage.dll
Source: C:\ProgramData\2172.tmp	Section loaded: wldp.dll
Source: C:\ProgramData\2172.tmp	Section loaded: kernel.appcore.dll
Source: C:\ProgramData\2172.tmp	Section loaded: uxtheme.dll
Source: C:\ProgramData\2172.tmp	Section loaded: propsys.dll
Source: C:\ProgramData\2172.tmp	Section loaded: profapi.dll
Source: C:\ProgramData\2172.tmp	Section loaded: edputil.dll
Source: C:\ProgramData\2172.tmp	Section loaded: urlmon.dll
Source: C:\ProgramData\2172.tmp	Section loaded: iertutil.dll
Source: C:\ProgramData\2172.tmp	Section loaded: srvcli.dll
Source: C:\ProgramData\2172.tmp	Section loaded: netutils.dll
Source: C:\ProgramData\2172.tmp	Section loaded: windows.staterepositoryps.dll
Source: C:\ProgramData\2172.tmp	Section loaded: sspicli.dll
Source: C:\ProgramData\2172.tmp	Section loaded: wintypes.dll
Source: C:\ProgramData\2172.tmp	Section loaded: appresolver.dll
Source: C:\ProgramData\2172.tmp	Section loaded: bcp47langs.dll
Source: C:\ProgramData\2172.tmp	Section loaded: slc.dll
Source: C:\ProgramData\2172.tmp	Section loaded: userenv.dll
Source: C:\ProgramData\2172.tmp	Section loaded: sppc.dll
Source: C:\ProgramData\2172.tmp	Section loaded: onecorecommonproxystub.dll
Source: C:\ProgramData\2172.tmp	Section loaded: onecoreuapcommonproxystub.dll

Source: C:\Users\user\Desktop\Document.doc.scr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CB8555CC-9128-11D1-AD9B-00C04FD8FDFF}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\Document.doc.scr.exe

File written: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\desktop.ini

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common

Source: Document.doc.scr.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: Document.doc.scr.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\*6 source: Document.doc.scr.exe, 00000000.00000003.2057742422.000000000107B000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2062343931.000000000107E000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2059377065.000000000107E000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2058777627.000000000107E000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2057151278.000000000107E000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2058937804.000000000107B000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2056689891.000000000107B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: Document.doc.scr.exe, 00000000.00000003.2258783246.0000000001055000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2276164348.0000000001055000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2255923512.0000000001055000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2107881841.0000000001055000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2261471485.0000000001055000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2076076908.0000000001055000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2111760133.0000000001055000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2103731468.0000000001055000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2105203218.0000000001055000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2106190276.0000000001055000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2092103152.0000000001055000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2116474466.0000000001055000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2119600876.0000000001055000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000002.2465988864.0000000001055000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2103049713.0000000001055000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2090960096.0000000001055000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2090386296.0000000001055000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2369872444.0000000001055000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\*WI source: Document.doc.scr.exe, 00000000.00000003.2076076908.0000000001055000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: Document.doc.scr.exe, 00000000.00000003.2057742422.000000000107B000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2062343931.000000000107E000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2059377065.000000000107E000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2073299919.000000000107E000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2058777627.000000000107E000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2075467271.000000000107B000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2075677088.000000000107D000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2057151278.000000000107E000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2058937804.000000000107B000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2056689891.000000000107B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: WINLOA~1.PDBwinload_prod.pdb source: Document.doc.scr.exe, 00000000.00000003.2053393457.0000000001067000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error.Qs2QSInbk source: Document.doc.scr.exe, 00000000.00000002.2465988864.0000000000FEE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \\?\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdbSt source: Document.doc.scr.exe, 00000000.00000003.2258783246.0000000001055000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2276164348.0000000001055000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2255923512.0000000001055000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2107881841.0000000001055000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2261471485.0000000001055000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2076076908.0000000001055000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2111760133.0000000001055000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2103731468.0000000001055000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2105203218.0000000001055000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2106190276.0000000001055000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2092103152.0000000001055000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2116474466.0000000001055000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2119600876.0000000001055000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000002.2465988864.0000000001055000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2103049713.0000000001055000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2090960096.0000000001055000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2090386296.0000000001055000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2369872444.0000000001055000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error.Qs2QSInbk source: Document.doc.scr.exe, 00000000.00000003.2066471035.0000000001076000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2068848310.0000000001076000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2053996337.0000000001076000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2069805491.0000000001076000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2057151278.000000000107E000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2056689891.000000000107B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\Qs2QSInbk.README.txtu source: Document.doc.scr.exe, 00000000.00000003.2053275478.000000000107E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \Device\HarddiskVolume3\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ownload.errort source: Document.doc.scr.exe, 00000000.00000003.2053996337.0000000001076000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \\?\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: Document.doc.scr.exe, 00000000.00000003.2057742422.000000000107B000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2062343931.000000000107E000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2059377065.000000000107E000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2058777627.000000000107E000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2057151278.000000000107E000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2058937804.000000000107B000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2056689891.000000000107B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error.Qs2QSInbk> source: Document.doc.scr.exe, 00000000.00000003.2053338835.0000000001117000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error.Qs2QSInbk~ source: Document.doc.scr.exe, 00000000.00000003.2053338835.0000000001117000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2068688836.0000000001137000.00000004.00000020.00020000.00000000.sdmp

Source: Document.doc.scr.exe

Static PE information: real checksum: 0x2554d should be: 0x3ad8b

Source: C:\Users\user\Desktop\Document.doc.scr.exe	Code function: 0_2_009335D3 push 0000006Ah; retf	0_2_00933644
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Code function: 0_2_009335D5 push 0000006Ah; retf	0_2_00933644
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Code function: 0_2_009361EE push esp; retf	0_2_009361F6
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Code function: 0_2_0093356B push 0000006Ah; retf	0_2_00933644

Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Videos\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Searches\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Saved Games\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Recent\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Pictures\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Pictures\Saved Pictures\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Pictures\Camera Roll\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\OneDrive\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Music\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Links\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Favorites\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Favorites\Links\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Downloads\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Documents\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Documents\ZGGKNSUKOP\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Documents\UNKRLCVOHV\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Documents\QFAPOWPAFG\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Documents\NYMMPCEIMA\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Documents\NVWZAPQSQL\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Documents\LHEPQPGEWF\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Documents\JDDHMPCDUJ\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Documents\HMPPSXQPQV\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Documents\GRXZDKKVDB\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Documents\EOWRVPQCCS\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Documents\EFOYFBOLXA\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Documents\BJZFPPWAPT\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Desktop\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Desktop\ZGGKNSUKOP\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Desktop\UNKRLCVOHV\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Desktop\QFAPOWPAFG\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Desktop\NYMMPCEIMA\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Desktop\NVWZAPQSQL\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Desktop\LHEPQPGEWF\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Desktop\JDDHMPCDUJ\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Desktop\HMPPSXQPQV\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Desktop\GRXZDKKVDB\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Desktop\EOWRVPQCCS\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Desktop\EFOYFBOLXA\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Desktop\BJZFPPWAPT\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Contacts\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\to-be-removed\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\temporary\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.files\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\3561288849sdhlie.files\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\2918063365piupsah.files\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.files\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.files\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.files\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionstore-backups\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\security_state\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\saved-telemetry-pings\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\minidumps\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\glean\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\glean\tmp\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\glean\pending_pings\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\glean\events\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\glean\db\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\archived\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\archived\2023-10\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\events\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\bookmarkbackups\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Pending Pings\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Crash Reports\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Crash Reports\events\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Extensions\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\com.adobe.dunamis\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\com.adobe.dunamis\f2eb6c79-671d-4de2-b7be-3b2eea7abc47\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\com.adobe.dunamis\6d9d9777-7ded-4768-8191-9a707d72b009\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\com.adobe.dunamis\61f56613-c62c-4b17-84dd-62b60d5776aa\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\com.adobe.dunamis\56079431-ea46-4833-94f9-1ff5658cdb1c\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Adobe\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Adobe\Sonar\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Adobe\Sonar\SonarCC\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Adobe\RTTransfer\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Adobe\LogTransport2CC\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Adobe\LogTransport2\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Adobe\Linguistics\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Adobe\Headlights\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Adobe\Flash Player\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Adobe\Flash Player\NativeCache\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Adobe\CRLogs\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Adobe\CRLogs\crashlogs\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Adobe\Acrobat\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Adobe\Acrobat\Preflight Acrobat Continuous\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\Security\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\JSCache\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\Forms\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\Collab\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\LocalLow\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\Linguistics\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cookie\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\VideoDecodeStats\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\shared_proto_db\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\shared_proto_db\metadata\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\wasm\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\wasm\index-dir\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\index-dir\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Cache\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Cache\Cache_Data\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\blob_storage\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\blob_storage\dd432c4a-ba38-4070-9985-ed1b3bea85dc\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\Acrobat\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\assets\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\Acrobat\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\Acrobat\DesktopNotification\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\Acrobat\DesktopNotification\NotificationsDB\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\VirtualStore\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\Symbols\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\msedge_url_fetcher_5172_761252224\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\msedge_url_fetcher_5172_1791500899\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\msedge_url_fetcher_2640_817343797\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\mozilla-temp-files\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\Low\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\edge_BITS_6440_995017740\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\edge_BITS_6440_778675694\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\edge_BITS_6440_736602331\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\edge_BITS_6440_649288342\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\edge_BITS_6440_339006160\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\edge_BITS_6440_27162369\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\edge_BITS_6440_1988346647\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\edge_BITS_6440_1959985254\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\edge_BITS_6440_1807723660\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\edge_BITS_6440_1693012001\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\edge_BITS_6440_1635976352\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\edge_BITS_6440_1619438387\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\edge_BITS_6440_1485273224\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\edge_BITS_6440_1421574262\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\edge_BITS_6440_1318414972\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\edge_BITS_6440_1289371347\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\edge_BITS_6440_1234978473\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\edge_BITS_6440_1191663050\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\edge_BITS_6440_1090636871\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\Diagnostics\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\Diagnostics\EXCEL\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\Acrobat\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\Acrobat\DC\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\Acrobat\DC\SearchEmbdIndex\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\acrocef_low\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\acrobat_sbx\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\acrobat_sbx\Adobe\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\acrobat_sbx\Adobe\Acrobat\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\acrobat_sbx\Adobe\Acrobat\DC\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\SolidDocuments\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\SolidDocuments\Acrobat\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Publishers\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Publishers\8wekyb3d8bbwe\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Publishers\8wekyb3d8bbwe\SettingsContainer\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Publishers\8wekyb3d8bbwe\Microsoft.WindowsAlarms\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Publishers\8wekyb3d8bbwe\Licenses\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Publishers\8wekyb3d8bbwe\Fonts\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\PlaceholderTileLogoFolder\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\PeerDistRepub\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\windows_ie_ac_001\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\windows_ie_ac_001\AC\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\windows_ie_ac_001\AC\Temp\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\TempState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\SystemAppData\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\Settings\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\RoamingState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\LocalState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\LocalCache\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\AppData\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\AC\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\AC\Temp\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\TempState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\SystemAppData\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\Settings\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\RoamingState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalCache\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\AppData\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\AC\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Windows.CBSPreview_cw5n1h2txyewy\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Windows.CBSPreview_cw5n1h2txyewy\TempState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Windows.CBSPreview_cw5n1h2txyewy\SystemAppData\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Windows.CBSPreview_cw5n1h2txyewy\Settings\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Windows.CBSPreview_cw5n1h2txyewy\RoamingState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Windows.CBSPreview_cw5n1h2txyewy\LocalState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Windows.CBSPreview_cw5n1h2txyewy\LocalCache\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Windows.CBSPreview_cw5n1h2txyewy\AppData\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Windows.CBSPreview_cw5n1h2txyewy\AC\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Windows.CBSPreview_cw5n1h2txyewy\AC\Temp\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\TempState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\SystemAppData\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\Settings\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\RoamingState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\LocalState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\LocalCache\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\AppData\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\AC\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\AC\Temp\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\TempState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\SystemAppData\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\Settings\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\RoamingState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\LocalState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\LocalCache\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\AppData\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\AC\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\AC\Temp\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SystemAppData\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\Settings\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\RoamingState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalCache\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AppData\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Temp\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\TempState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\SystemAppData\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\Settings\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\RoamingState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\LocalState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\LocalCache\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\AppData\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\AC\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\AC\Temp\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\TempState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\SystemAppData\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\Settings\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\RoamingState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\LocalState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\LocalCache\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\AppData\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\AC\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\AC\Temp\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\TempState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\SystemAppData\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\Settings\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\RoamingState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\LocalState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\LocalCache\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\AppData\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\AC\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\AC\Temp\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\TempState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\SystemAppData\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\Settings\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\RoamingState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\LocalState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\LocalCache\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\AppData\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\AC\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\AC\Temp\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\TempState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\SystemAppData\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\Settings\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\RoamingState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\LocalState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\LocalCache\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\AppData\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\AC\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\AC\Temp\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\TempState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\SystemAppData\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\Settings\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\RoamingState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\LocalState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\LocalState\DiagOutputDir\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\LocalCache\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\AppData\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\AC\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\AC\Temp\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\TempState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\SystemAppData\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\Settings\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\RoamingState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\LocalState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\LocalCache\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\AppData\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\AC\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\AC\Temp\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxApp_8wekyb3d8bbwe\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxApp_8wekyb3d8bbwe\TempState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxApp_8wekyb3d8bbwe\SystemAppData\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxApp_8wekyb3d8bbwe\Settings\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxApp_8wekyb3d8bbwe\RoamingState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxApp_8wekyb3d8bbwe\LocalState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxApp_8wekyb3d8bbwe\LocalCache\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxApp_8wekyb3d8bbwe\AppData\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxApp_8wekyb3d8bbwe\AC\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxApp_8wekyb3d8bbwe\AC\Temp\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Xbox.TCUI_8wekyb3d8bbwe\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Xbox.TCUI_8wekyb3d8bbwe\TempState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Xbox.TCUI_8wekyb3d8bbwe\SystemAppData\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Xbox.TCUI_8wekyb3d8bbwe\Settings\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Xbox.TCUI_8wekyb3d8bbwe\RoamingState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Xbox.TCUI_8wekyb3d8bbwe\LocalState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Xbox.TCUI_8wekyb3d8bbwe\LocalCache\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Xbox.TCUI_8wekyb3d8bbwe\AppData\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Xbox.TCUI_8wekyb3d8bbwe\AC\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Xbox.TCUI_8wekyb3d8bbwe\AC\Temp\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\TempState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\SystemAppData\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\Settings\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\RoamingState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\LocalState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\LocalCache\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\AppData\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\AC\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\AC\Temp\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\TempState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\SystemAppData\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\Settings\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\RoamingState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\LocalState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\LocalCache\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\AppData\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\AC\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\AC\Temp\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsMaps_8wekyb3d8bbwe\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsMaps_8wekyb3d8bbwe\TempState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsMaps_8wekyb3d8bbwe\SystemAppData\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsMaps_8wekyb3d8bbwe\Settings\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsMaps_8wekyb3d8bbwe\RoamingState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsMaps_8wekyb3d8bbwe\LocalState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsMaps_8wekyb3d8bbwe\LocalCache\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsMaps_8wekyb3d8bbwe\AppData\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsMaps_8wekyb3d8bbwe\AC\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsMaps_8wekyb3d8bbwe\AC\Temp\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\TempState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\SystemAppData\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\Settings\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\RoamingState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\LocalState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\LocalCache\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\AppData\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\AC\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\AC\Temp\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\TempState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\SystemAppData\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\Settings\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\RoamingState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalCache\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\AppData\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\AC\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\AC\Temp\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\AC\BackgroundTransferApi\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCamera_8wekyb3d8bbwe\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCamera_8wekyb3d8bbwe\TempState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCamera_8wekyb3d8bbwe\SystemAppData\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCamera_8wekyb3d8bbwe\Settings\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCamera_8wekyb3d8bbwe\RoamingState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCamera_8wekyb3d8bbwe\LocalState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCamera_8wekyb3d8bbwe\LocalCache\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCamera_8wekyb3d8bbwe\AppData\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCamera_8wekyb3d8bbwe\AC\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCamera_8wekyb3d8bbwe\AC\Temp\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCalculator_8wekyb3d8bbwe\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCalculator_8wekyb3d8bbwe\TempState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCalculator_8wekyb3d8bbwe\SystemAppData\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCalculator_8wekyb3d8bbwe\Settings\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCalculator_8wekyb3d8bbwe\RoamingState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCalculator_8wekyb3d8bbwe\LocalState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCalculator_8wekyb3d8bbwe\LocalCache\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCalculator_8wekyb3d8bbwe\AppData\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCalculator_8wekyb3d8bbwe\AC\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCalculator_8wekyb3d8bbwe\AC\Temp\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsAlarms_8wekyb3d8bbwe\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsAlarms_8wekyb3d8bbwe\TempState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsAlarms_8wekyb3d8bbwe\SystemAppData\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsAlarms_8wekyb3d8bbwe\Settings\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsAlarms_8wekyb3d8bbwe\RoamingState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsAlarms_8wekyb3d8bbwe\LocalState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsAlarms_8wekyb3d8bbwe\LocalCache\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsAlarms_8wekyb3d8bbwe\AppData\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsAlarms_8wekyb3d8bbwe\AC\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsAlarms_8wekyb3d8bbwe\AC\Temp\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\TempState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\SystemAppData\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\Settings\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\RoamingState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\LocalState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\LocalCache\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\AppData\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\AC\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\AC\Temp\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\SystemAppData\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\Settings\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\RoamingState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\LocalState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\LocalCache\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\AppData\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\AC\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\AC\Temp\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\TempState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\SystemAppData\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\Settings\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\RoamingState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\LocalState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\LocalCache\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\AppData\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\AC\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\AC\Temp\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\TempState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\SystemAppData\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\Settings\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\RoamingState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\LocalState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\LocalCache\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\AppData\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\AC\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\AC\Temp\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\TempState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SystemAppData\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\Settings\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\RoamingState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\LocalState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\LocalCache\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\AppData\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\AC\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\AC\Temp\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\TempState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\SystemAppData\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\Settings\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\RoamingState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\Flighting\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{99fff775-938d-4e2c-9c06-5d56107a5383}\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{2737c7bb-35fb-4b44-baf9-033ca587595d}\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{4e763a36-90d3-4d6c-9949-dd01f7e5d23f}\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{ea91a05a-d98f-4429-81a9-272df0335447}\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{de0f148a-c476-467a-b7a3-14b0bb463140}\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{c23bcd39-6fcf-4e41-add1-0231129b23be}\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalCache\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AppData\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AppData\Indexed DB\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AppData\CacheStorage\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Temp\Qs2QSInbk.README.txt	Jump to behavior

Hooking and other Techniques for Hiding and Protection

Deletes itself after installation

Source: C:\ProgramData\2172.tmp	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\2172.tmp >> NUL
Source: C:\ProgramData\2172.tmp	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\2172.tmp >> NUL

Uses an obfuscated file name to hide its real file extension (double extension)

Source: Possible double extension: doc.scr

Static PE information: Document.doc.scr.exe

Source: C:\Users\user\Desktop\Document.doc.scr.exe

Code function: 0_2_009391C8 RegCreateKeyExW,RegEnumKeyW,RegCreateKeyExW,RegSetValueExW,RegSetValueExW,OpenEventLogW,ClearEventLogW,RegCreateKeyExW,RegEnumKeyW,OpenEventLogW,ClearEventLogW,

0_2_009391C8

Source: C:\Users\user\Desktop\Document.doc.scr.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\ProgramData\2172.tmp	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX
Source: C:\ProgramData\2172.tmp	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\ProgramData\2172.tmp	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX
Source: C:\ProgramData\2172.tmp	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX
Source: C:\ProgramData\2172.tmp	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX
Source: C:\ProgramData\2172.tmp	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\ProgramData\2172.tmp	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX
Source: C:\ProgramData\2172.tmp	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX
Source: C:\ProgramData\2172.tmp	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX
Source: C:\ProgramData\2172.tmp	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX
Source: C:\ProgramData\2172.tmp	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX
Source: C:\ProgramData\2172.tmp	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX
Source: C:\ProgramData\2172.tmp	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX
Source: C:\ProgramData\2172.tmp	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX

Malware Analysis System Evasion

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Source: C:\Users\user\Desktop\Document.doc.scr.exe	Code function: 0_2_009310BC		0_2_009310BC
Source: C:\ProgramData\2172.tmp	Code function: 8_2_00401E28		8_2_00401E28

Source: C:\Users\user\Desktop\Document.doc.scr.exe

Code function: 0_2_009310BC rdtsc

0_2_009310BC

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\Document.doc.scr.exe	Code function: 0_2_0093A094 FindFirstFileExW,FindClose,	0_2_0093A094
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Code function: 0_2_009374BC FindFirstFileExW,FindNextFileW,	0_2_009374BC
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Code function: 0_2_00935C24 FindFirstFileW,FindClose,FindNextFileW,FindClose,	0_2_00935C24
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Code function: 0_2_00937590 FindFirstFileExW,FindClose,	0_2_00937590
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Code function: 0_2_0093766C FindFirstFileExW,GetFileAttributesW,FindNextFileW,	0_2_0093766C
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Code function: 0_2_0093F308 GetFileAttributesW,SetThreadPriority,FindFirstFileExW,FindNextFileW,FindClose,	0_2_0093F308
Source: C:\ProgramData\2172.tmp	Code function: 8_2_0040227C FindFirstFileExW,	8_2_0040227C
Source: C:\ProgramData\2172.tmp	Code function: 8_2_0040152C FindFirstFileExW,FindClose,FindNextFileW,FindClose,	8_2_0040152C

Source: C:\Users\user\Desktop\Document.doc.scr.exe

Code function: 0_2_0093A470 GetLogicalDriveStringsW,

0_2_0093A470

Source: C:\Windows\splwow64.exe

Thread delayed: delay time: 120000

Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Local\Temp\Diagnostics\EXCEL\	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\Acrobat\	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\Acrobat\DC\	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\Acrobat\DC\SearchEmbdIndex\	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\	Jump to behavior

Source: Document.doc.scr.exe, 00000000.00000003.2126886793.00000000010E2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \|vmware workstation 15 player\|vmplayer6438
Source: Document.doc.scr.exe, 00000000.00000003.2127207462.00000000010B5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \|turn windows features on or off\|hyper-v:wux:hyper-v4937
Source: Document.doc.scr.exe, 00000000.00000003.2126886793.00000000010E2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \|vmware horizon client\|vm ware8394
Source: Document.doc.scr.exe, 00000000.00000003.2126886793.00000000010E2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \|vmware vsphere client\|vspe6388
Source: Document.doc.scr.exe, 00000000.00000003.2126886793.00000000010E2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \|vmware horizon client\|vdi3894
Source: Document.doc.scr.exe, 00000000.00000003.2126886793.00000000010E2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \|\|qemu10642
Source: Document.doc.scr.exe, 00000000.00000003.2126886793.00000000010E2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \|vmware horizon client\|view5503
Source: Document.doc.scr.exe, 00000000.00000003.2126886793.00000000010E2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \|vmware workstation 12 player\|vmpl5459
Source: Document.doc.scr.exe, 00000000.00000003.2126886793.00000000010E2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \|\|vmware6886
Source: Document.doc.scr.exe, 00000000.00000003.2126886793.00000000010E2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \|vmware vsphere client\|vcenter5038
Source: Document.doc.scr.exe, 00000000.00000003.2126886793.00000000010E2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \|vmware horizon client\|vmare7220
Source: Document.doc.scr.exe, 00000000.00000003.2304586597.000000000106B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\Document.doc.scr.exe

Process information queried: ProcessInformation

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\Document.doc.scr.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\ProgramData\2172.tmp	Thread information set: HideFromDebugger

Source: C:\Users\user\Desktop\Document.doc.scr.exe

Code function: 0_2_009310BC rdtsc

0_2_009310BC

Source: C:\Users\user\Desktop\Document.doc.scr.exe

Code function: 0_2_00935A20 LdrLoadDll,

0_2_00935A20

Source: C:\Users\user\Desktop\Document.doc.scr.exe	Process token adjusted: Debug
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Process token adjusted: Debug
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion

Writes to foreign memory regions

Source: C:\Users\user\Desktop\Document.doc.scr.exe

Memory written: C:\ProgramData\2172.tmp base: 401000

Jump to behavior

Source: C:\Users\user\Desktop\Document.doc.scr.exe	Process created: C:\ProgramData\2172.tmp "C:\ProgramData\2172.tmp"			Jump to behavior
Source: C:\ProgramData\2172.tmp	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\2172.tmp >> NUL

Source: C:\Users\user\Desktop\Document.doc.scr.exe

Code function: 0_2_009310BC cpuid

0_2_009310BC

Source: C:\ProgramData\2172.tmp

Code function: EntryPoint,ExitProcess,GetModuleHandleW,GetCommandLineW,GetModuleHandleA,GetCommandLineW,GetLocaleInfoW,GetLastError,FreeLibrary,FreeLibrary,GetProcAddress,CreateWindowExW,DefWindowProcW,GetWindowTextW,LoadMenuW,LoadMenuW,DefWindowProcW,SetTextColor,GetTextCharset,TextOutW,SetTextColor,GetTextColor,CreateFontW,GetTextColor,CreateDIBitmap,SelectObject,GetTextColor,CreateFontW,

8_2_00403983

Source: C:\Users\user\Desktop\Document.doc.scr.exe

Code function: 0_2_009404B4 GetTempFileNameW,CreateFileW,WriteFile,CreateProcessW,NtQueryInformationProcess,NtReadVirtualMemory,NtProtectVirtualMemory,NtWriteVirtualMemory,CreateNamedPipeW,ResumeThread,ConnectNamedPipe,

0_2_009404B4

Lowering of HIPS / PFW / Operating System Security Settings

Overwrites Mozilla Firefox settings

Source: C:\Users\user\Desktop\Document.doc.scr.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\to-be-removed\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\temporary\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.files\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\3561288849sdhlie.files\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\2918063365piupsah.files\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.files\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.files\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.files\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionstore-backups\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\security_state\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\saved-telemetry-pings\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\minidumps\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\glean\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\glean\tmp\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\glean\pending_pings\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\glean\events\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\glean\db\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\archived\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\archived\2023-10\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\events\Qs2QSInbk.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\bookmarkbackups\Qs2QSInbk.README.txt	Jump to behavior

Stealing of Sensitive Information

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\search.json.mozlz4.Qs2QSInbk	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\favicons.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\archived\2023-10\1696426835647.a83301c6-790b-49f3-adc7-55a855f7fe79.main.jsonlz4.Qs2QSInbk	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite-shm	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\containers.json.Qs2QSInbk	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db.Qs2QSInbk	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite-shm.Qs2QSInbk	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\archived\2023-10\1696426835635.a669692a-f9c9-42c0-a803-7b87d3ff5834.new-profile.jsonlz4	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite.Qs2QSInbk	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\saved-telemetry-pings\a83301c6-790b-49f3-adc7-55a855f7fe79.Qs2QSInbk	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\glean\pending_pings\b8f053a5-de16-4a2c-8120-1ab4aadd63e8	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\glean\events\background-update.Qs2QSInbk	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-shm.Qs2QSInbk	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\favicons.sqlite-shm.Qs2QSInbk	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addons.json.Qs2QSInbk	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shm	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\.metadata-v2.Qs2QSInbk	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shm.Qs2QSInbk	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\archived\2023-10\1696426835635.a669692a-f9c9-42c0-a803-7b87d3ff5834.new-profile.jsonlz4.Qs2QSInbk	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\archived\2023-10\1696426840727.01c0ecdb-8e59-4210-95f1-0fd0406e84ad.event.jsonlz4	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\search.json.mozlz4	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage.sqlite.Qs2QSInbk	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shm	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\AlternateServices.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\archived\2023-10\1696426840708.3c7034d6-bc52-43bb-9a23-5da34ee205e0.health.jsonlz4	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\webappsstore.sqlite.Qs2QSInbk	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionstore-backups\upgrade.jsonlz4-20230927232528	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionstore-backups\previous.jsonlz4	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\content-prefs.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite.Qs2QSInbk	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\archived\2023-10\1696426840748.a8c1f564-c2e2-4ef8-a85f-52a56488f193.main.jsonlz4.Qs2QSInbk	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite.Qs2QSInbk	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionstore-backups\previous.jsonlz4.Qs2QSInbk	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite.Qs2QSInbk	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\webappsstore.sqlite-shm.Qs2QSInbk	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\protections.sqlite.Qs2QSInbk	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\handlers.json.Qs2QSInbk	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\archived\2023-10\1696426835643.9a3c31ca-35e4-421e-91e1-5f7b9bd27492.event.jsonlz4.Qs2QSInbk	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\saved-telemetry-pings\3c7034d6-bc52-43bb-9a23-5da34ee205e0	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionstore.jsonlz4	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\archived\2023-10\1696426840727.01c0ecdb-8e59-4210-95f1-0fd0406e84ad.event.jsonlz4.Qs2QSInbk	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\archived\2023-10\1696426835647.a83301c6-790b-49f3-adc7-55a855f7fe79.main.jsonlz4	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\ls-archive.sqlite.Qs2QSInbk	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-shm	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\compatibility.ini.Qs2QSInbk	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shm	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\SiteSecurityServiceState.txt.Qs2QSInbk	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\content-prefs.sqlite.Qs2QSInbk	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\glean\events\events	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shm.Qs2QSInbk	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\targeting.snapshot.json	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\session-state.json.Qs2QSInbk	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite-shm.Qs2QSInbk	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\times.json.Qs2QSInbk	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\saved-telemetry-pings\a83301c6-790b-49f3-adc7-55a855f7fe79	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db.Qs2QSInbk	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite-shm	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\.metadata-v2	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\glean\pending_pings\43bb9a55-74a2-452e-8233-6899a7f737b0.Qs2QSInbk	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionCheckpoints.json	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite.Qs2QSInbk	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addonStartup.json.lz4.Qs2QSInbk	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\ls-archive.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\permissions.sqlite.Qs2QSInbk	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shm.Qs2QSInbk	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\AlternateServices.txt.Qs2QSInbk	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\xulstore.json.Qs2QSInbk	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\archived\2023-10\1696426840727.86be03dd-6b03-42f5-89cd-4606f43d25ad.health.jsonlz4.Qs2QSInbk	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\glean\events\events.Qs2QSInbk	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\glean\pending_pings\ae04dde8-69a1-49f8-95f1-d533ed587ff6.Qs2QSInbk	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\targeting.snapshot.json.Qs2QSInbk	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\containers.json	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite.Qs2QSInbk	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js.Qs2QSInbk	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\handlers.json	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\extension-preferences.json	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\glean\pending_pings\7755ad51-2370-4623-9d21-15c89f2143db.Qs2QSInbk	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\favicons.sqlite-shm	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\pkcs11.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\times.json.Qs2QSInbk	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\glean\pending_pings\43bb9a55-74a2-452e-8233-6899a7f737b0	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\extension-preferences.json.Qs2QSInbk	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\archived\2023-10\1696426835649.b06d08be-79e8-4bfe-b6aa-988ea3d35cbd.first-shutdown.jsonlz4	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite.Qs2QSInbk	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite.Qs2QSInbk	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\compatibility.ini	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\state.json.Qs2QSInbk	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\archived\2023-10\1696426835649.b06d08be-79e8-4bfe-b6aa-988ea3d35cbd.first-shutdown.jsonlz4.Qs2QSInbk	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\shield-preference-experiments.json.Qs2QSInbk	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\archived\2023-10\1696426840748.a8c1f564-c2e2-4ef8-a85f-52a56488f193.main.jsonlz4	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\webappsstore.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini.Qs2QSInbk	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\session-state.json	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\times.json	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite-shm.Qs2QSInbk	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\times.json	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\glean\pending_pings\7755ad51-2370-4623-9d21-15c89f2143db	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\archived\2023-10\1696426835643.9a3c31ca-35e4-421e-91e1-5f7b9bd27492.event.jsonlz4	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\archived\2023-10\1696426840727.86be03dd-6b03-42f5-89cd-4606f43d25ad.health.jsonlz4	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\state.json	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\glean\pending_pings\ae04dde8-69a1-49f8-95f1-d533ed587ff6	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\xulstore.json	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\glean\pending_pings\b8f053a5-de16-4a2c-8120-1ab4aadd63e8.Qs2QSInbk	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addonStartup.json.lz4	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addons.json	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionCheckpoints.json.Qs2QSInbk	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\permissions.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\protections.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\webappsstore.sqlite-shm	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\ExperimentStoreData.json.Qs2QSInbk	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\shield-preference-experiments.json	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\favicons.sqlite.Qs2QSInbk	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\archived\2023-10\1696426840708.3c7034d6-bc52-43bb-9a23-5da34ee205e0.health.jsonlz4.Qs2QSInbk	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionstore-backups\upgrade.jsonlz4-20230927232528.Qs2QSInbk	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\pkcs11.txt.Qs2QSInbk	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite-shm	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\glean\events\background-update	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionstore.jsonlz4.Qs2QSInbk	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\ExperimentStoreData.json	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite-shm.Qs2QSInbk	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\SiteSecurityServiceState.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite-shm	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\saved-telemetry-pings\3c7034d6-bc52-43bb-9a23-5da34ee205e0.Qs2QSInbk	Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	112 Process Injection	111 Masquerading	1 OS Credential Dumping	211 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	1 Data Encrypted for Impact
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	11 Virtualization/Sandbox Evasion	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	1 Browser Session Hijacking	1 Proxy	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	112 Process Injection	Security Account Manager	11 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Data from Local System	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Obfuscated Files or Information	NTDS	5 File and Directory Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Indicator Removal	LSA Secrets	122 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 File Deletion	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Document.doc.scr.exe	77%	Virustotal		Browse
Document.doc.scr.exe	100%	Avira	BDS/ZeroAccess.Gen7
Document.doc.scr.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
https://www.ebay.co.uk/	0%	URL Reputation	safe
https://bugzilla.mo	0%	URL Reputation	safe
http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onionk	0%	Avira URL Cloud	safe
https://tox.chat/	0%	Avira URL Cloud	safe
http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.oniong	0%	Avira URL Cloud	safe
http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onionic	0%	Avira URL Cloud	safe
http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion	100%	Avira URL Cloud	malware
http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onionic	0%	Avira URL Cloud	safe
http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onional	0%	Avira URL Cloud	safe
http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onionl2	0%	Avira URL Cloud	safe
http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onionin	0%	Avira URL Cloud	safe
http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion	13%	Virustotal		Browse
http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onionin	0%	Avira URL Cloud	safe
http://lockbitapt.uz	100%	Avira URL Cloud	malware
http://lockbitsupp.uz	100%	Avira URL Cloud	malware
http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion0	0%	Avira URL Cloud	safe
http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onionc~	0%	Avira URL Cloud	safe
https://tox.chat/	0%	Virustotal		Browse
https://tox.::	0%	Avira URL Cloud	safe
http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onionedA	0%	Avira URL Cloud	safe
http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion	100%	Avira URL Cloud	malware
http://lockbitapt.uz	12%	Virustotal		Browse
https://tox.:	0%	Avira URL Cloud	safe
http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion	100%	Avira URL Cloud	malware
http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onionl	0%	Avira URL Cloud	safe
http://lockbitsupp.uz	9%	Virustotal		Browse
http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion	9%	Virustotal		Browse
http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion	9%	Virustotal		Browse

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.ebay.co.uk/	Document.doc.scr.exe, 00000000.00000003.2031230612.00000000010D8000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://tox.chat/	Document.doc.scr.exe, 00000000.00000002.2465988864.0000000000FEE000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2056293087.0000000001093000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2061132357.0000000001093000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2065780379.0000000001093000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2111760133.0000000001049000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2103731468.0000000001047000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2109489328.0000000001014000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2258114624.0000000001014000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2106881738.0000000001014000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2261471485.0000000001014000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2257598840.0000000001014000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2260455472.0000000001014000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2104352096.0000000001014000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2074831153.0000000001093000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2110837373.0000000001014000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2103049713.0000000001012000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2107881841.0000000001014000.00000004.00000020.00020000.00000000.sdmp, Qs2QSInbk.README.txt361.0.dr, Qs2QSInbk.README.txt180.0.dr, Qs2QSInbk.README.txt445.0.dr, Qs2QSInbk.README.txt409.0.dr	true	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://login.windows.net	App1714014880372801600_29CC7398-2A01-4DC6-A22E-768619CAA88A.log.7.dr	false		high
http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onionic	Document.doc.scr.exe, 00000000.00000002.2465988864.0000000000FEE000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion	Document.doc.scr.exe, 00000000.00000002.2466936126.000000000107B000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2463997094.000000000107B000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2457027491.000000000107B000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000002.2465988864.0000000000FEE000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2463644830.000000000107B000.00000004.00000020.00020000.00000000.sdmp	true	13%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onionk	Document.doc.scr.exe, 00000000.00000002.2465988864.0000000000FEE000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.oniong	Document.doc.scr.exe, 00000000.00000002.2465988864.0000000000FEE000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://www.amazon.com/	Document.doc.scr.exe, 00000000.00000003.2031230612.00000000010D8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.ctrip.com/	Document.doc.scr.exe, 00000000.00000003.2031230612.00000000010D8000.00000004.00000020.00020000.00000000.sdmp	false		high
http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onionic	Document.doc.scr.exe, 00000000.00000002.2465988864.0000000000FEE000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onional	Document.doc.scr.exe, 00000000.00000002.2465988864.0000000000FEE000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onionl2	Document.doc.scr.exe, 00000000.00000002.2465988864.0000000000FEE000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://twitter.com/	Document.doc.scr.exe, 00000000.00000003.2031230612.00000000010D8000.00000004.00000020.00020000.00000000.sdmp	false		high
http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onionin	Document.doc.scr.exe, 00000000.00000002.2465988864.0000000000FEE000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	Document.doc.scr.exe, 00000000.00000003.2027366204.000000000110D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.youtube.com/	Document.doc.scr.exe, 00000000.00000003.2031230612.00000000010D8000.00000004.00000020.00020000.00000000.sdmp	false		high
http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onionin	Document.doc.scr.exe, 00000000.00000002.2465988864.0000000000FEE000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://lockbitapt.uz	Document.doc.scr.exe, 00000000.00000002.2465988864.0000000001045000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000002.2466936126.000000000107B000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2463997094.000000000107B000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2457027491.000000000107B000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2463644830.000000000107B000.00000004.00000020.00020000.00000000.sdmp	false	12%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://lockbitsupp.uz	Document.doc.scr.exe, 00000000.00000002.2466936126.000000000107B000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2463997094.000000000107B000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2457027491.000000000107B000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2463644830.000000000107B000.00000004.00000020.00020000.00000000.sdmp	false	9%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion0	Document.doc.scr.exe, 00000000.00000002.2465988864.0000000000FEE000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onionc~	Document.doc.scr.exe, 00000000.00000002.2465988864.0000000000FEE000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	low
https://bugzilla.mo	Document.doc.scr.exe, 00000000.00000003.2031230612.00000000010D8000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://tox.::	Document.doc.scr.exe, 00000000.00000002.2465988864.0000000000FEE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onionedA	Document.doc.scr.exe, 00000000.00000002.2465988864.0000000000FEE000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion	Document.doc.scr.exe, 00000000.00000002.2465988864.0000000000FEE000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2463644830.000000000107B000.00000004.00000020.00020000.00000000.sdmp	true	9%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL	Document.doc.scr.exe, 00000000.00000003.2027366204.000000000110D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com/complete/	Document.doc.scr.exe, 00000000.00000003.2031230612.00000000010D8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://support.mozilla.org	Document.doc.scr.exe, 00000000.00000003.2027366204.0000000001105000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2027366204.00000000010FD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://tox.:	Document.doc.scr.exe, 00000000.00000002.2465988864.0000000000FEE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com/	Document.doc.scr.exe, 00000000.00000003.2031230612.00000000010D8000.00000004.00000020.00020000.00000000.sdmp	false		high
http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion	Document.doc.scr.exe, 00000000.00000002.2465988864.0000000000FEE000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2463644830.000000000107B000.00000004.00000020.00020000.00000000.sdmp	true	9%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://content-signature-2.cdn.mozilla.net/chains/remote-settings.content-signature.mozilla.org-202	Document.doc.scr.exe, 00000000.00000003.2244020288.0000000001163000.00000004.00000020.00020000.00000000.sdmp	false		high
http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onionl	Document.doc.scr.exe, 00000000.00000002.2465988864.0000000000FEE000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://www.baidu.com/	Document.doc.scr.exe, 00000000.00000003.2031230612.00000000010D8000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1431429
Start date and time:	2024-04-25 05:13:06 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 20s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Document.doc.scr.exe
Detection:	MAL
Classification:	mal100.rans.phis.spyw.evad.winEXE@9/1690@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 84 Number of non-executed functions: 6
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, RuntimeBroker.exe, printfilterpipelinesvc.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.109.20.38, 52.113.194.132, 52.109.8.36, 52.182.143.214
Excluded domains from analysis (whitelisted): ecs.office.com, self-events-data.trafficmanager.net, fs.microsoft.com, slscr.update.microsoft.com, prod.configsvc1.live.com.akadns.net, scus-azsc-config.officeapps.live.com, self.events.data.microsoft.com, ctldl.windowsupdate.com, prod.roaming1.live.com.akadns.net, s-0005-office.config.skype.com, cus-azsc-000.roaming.officeapps.live.com, fe3cr.delivery.mp.microsoft.com, ecs-office.s-0005.s-msedge.net, roaming.officeapps.live.com, us1.roaming1.live.com.akadns.net, osiprod-cus-buff-azsc-000.centralus.cloudapp.azure.com, ocsp.digicert.com, login.live.com, s-0005.s-msedge.net, config.officeapps.live.com, us.configsvc1.live.com.akadns.net, onedscolprdcus19.centralus.cloudapp.azure.com, officeclient.microsoft.com, ecs.office.trafficmanager.net
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtQueryVolumeInformationFile calls found.
Report size getting too big, too many NtReadFile calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Report size getting too big, too many NtWriteFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
05:14:29	API Interceptor	90x Sleep call for process: splwow64.exe modified

Process:	C:\Users\user\Desktop\Document.doc.scr.exe
File Type:	data
Category:	dropped
Size (bytes):	129
Entropy (8bit):	6.6215787088613025
Encrypted:	false
SSDEEP:	3:phSDZMXXXmVro1iBiMzKSCHWvg6oKpxjn:qDyXTnTSCHB30jn
MD5:	158516C11877B93342E380A45B6B6C3A
SHA1:	67A1D3B1D89D0A72FA31EA98419CC339892A882A
SHA-256:	9CD2407F08C8F612B49FDB2382B5D32267F1128ADDEA1DB30E3840B34C9258EA
SHA-512:	37278F7485D5D96935AAC7C9504C111081AEDD421E9AC14A6169EFDE364F0619A2B0CCA0391DA875BE4CDDA70844531CF44E23B22B3C4B5158F3233669CF50C5
Malicious:	false
Reputation:	low
Preview:	.2.$(@7-b.YOG.=.8.i..3.Ep.Go.U..z.......>...VKqu_.7......->...$.;V..V.{wk.x."........].3....<.d\|..c..h....dG%...m.5..?...p

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	166208
Entropy (8bit):	5.340923751880194
Encrypted:	false
SSDEEP:	1536:y+C7FPgOsB3U9guwwJQ9DQA+zqzhQik4F77nXmvYd8XRTEwreOR6Y:PIQ9DQA+zqzMXeMT
MD5:	DB67717FB9BF0939F549B99FE18D7864
SHA1:	470BA895CDE1B6AE8A32EA4708F420AEF63A5B64
SHA-256:	4CD95FFA0E6EE18AC7B2F81A5ADA7EB6B3CA616EE6A56C8C2E22FD8BC7052ACD
SHA-512:	7F78D3CCB92F88772C2DED4FDF19396C3A99D7BE74BC1F340BB43D6ED9BA058D1D63A26A23EB45155297913897717785A719A94FC5EF1BCEA884D67A5427CB3B
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2024-04-25T03:14:41">.. Build: 16.0.17619.40127-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://word-edit.officeapps.live.com/we/rrdiscovery.ashx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId" o:authentication="1">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. <o:ticket o:policy="MBI_SSL_SHORT" o:idprovider="1" o:target="[MAX.AuthHost]" o:headerValue="Passport1.4 from-PP='{}&p='" />.. <o:ticket o:idprovider="3" o:headerValue="Bearer {}" o:resourceId="[MAX.ResourceId]" o:authorityUrl="[ADALAuth

Process:	C:\ProgramData\2172.tmp
File Type:	data
Category:	dropped
Size (bytes):	199168
Entropy (8bit):	7.997425080589691
Encrypted:	true
SSDEEP:	6144:94HMVKnDH9FUpbQ4HMVKnDH9FUpbQ4HMVKnDH9FUpbQe:K7nDH3CR7nDH3CR7nDH3C7
MD5:	BF0B7C0C5BE63D81A6CCBAF49B17EE42
SHA1:	C05008520055438662313B92E5FF57A0C0163766
SHA-256:	6BEA0E0E32B28FE4F3DBF919500595DCBFB2FFE7CA789D7C74E01C09B3B7D43E
SHA-512:	83A786E932D6BC7AE4054EA70640D9DE1047B43410FFDAF0E5FFC5723C19CE33CFD7A64AF196F0E7AB72022F872DB822C09DE5357F9E4783A86032E4ABBD3A17
Malicious:	true
Preview:	pi....:...a..P.Oh..\.7...X@G..\G.-d.R.NuD.. WOLO..^>.......R.,I@E.#....\|l..e@.Yk.e..&,uQDm.!q.k..#.OGP4.Z.'A.t6t.C.9HI.....!....V.aR.].q..!..9..b.<.......x...c... ............RXOc-...S...$...c.....m...'+B.s.J}........" .+o....Z.1....1...Wn.f..2...LW...+..0...2....s.`.....7..H/.u!. .~C.n..!....0bK57b.N.....T.D.L......f.\|.V..=}.....U.4..7^Q,5.....9z....f....JuY ...n..jg..n..&.S....K.....J........r...qh...[.3.Ls.......C.....<T..v^@eC&{......E........p....h..'Vw...}..8K..w+.l...ZwJ/;B.5...Y..`%.{..an.V\|-#,C.e...bC.........{...&.M..8$.bv..u.]Fcv5..q..m.~.F..2..D.I.{_.U....e\|..!m..44D.<"...L.Cp\|"...47..r.0'...d..9...........9c..z...q........[w.>i..gQ.....GH....Q.\.,...}}Q....{.)....D.f.iv.e.U.\|..0Zk`.t....6 ...........(."....;.y......9...K(...b..q8.....v._..xcE+gsE.......N..l#Q.T5.D:."a.OK...)U..kgTDs.@.>..y`;..y7.)......^...1..9....."......>{..-.....1..w.>]6...e...X..W..m..tRq.....NBV.FF.H_....r...T..7_fp=.......hHT.s...f.G1...

Process:	C:\Windows\splwow64.exe
File Type:	Microsoft OOXML
Category:	dropped
Size (bytes):	13754347
Entropy (8bit):	7.892811076564575
Encrypted:	false
SSDEEP:	196608:0CL0Wjt0qV/W8OUZdzA43goa4p/iTdP7XV:L3NZ1xATpV
MD5:	75E8ECEDB5EBE973ADA5FEA32FE9211B
SHA1:	3099094DF186B0E281E1E9A99D6E1F91B5C3A668
SHA-256:	D9AD89D5654723AAF1E48A87B8282716FA0EA95A40BBE403205358DDF057B878
SHA-512:	DEAFEE9796316AA908E4C1AE3AE193A89FEC6E3261AC7C9EEFCCF936F896FCCD8C9612F8D62973C5B5326A189DD4ECAE5DE1E4749525633E795130092D2CD8BD
Malicious:	false
Preview:	PK..........X................[Content_Types].xml/[0].piece.....0..W..o.x .....e.(....Ql!..<...S^.MMw....#Nr.9....p..:..J.z..`3..DM....T.n..J..-c...3....&a#......PK....X.j...q...PK..........X................[Content_Types].xml/[1].piece..1..0....eE$....{e.C.&..X.........H\., .....o.T..i.."...K.s..4..VW...i+.Ak.....}....\.+..O?PK..K..jb...l...PK..........X................_rels/.rels/[0].pieceM.A..!.E.B.w...1.....9@...C!...?,].......f..4.qp.,.._^I...y?\`.....Cc.jF". .^...#g.T.A.e.c.........3.....PK...BpJl...y...PK..........X................_rels/.rels/[1].piece..K..0....9@&.....nk/.....O3S...s....L/'.UN...'.......P....UO:....=X......B..gD...c]...[..[..3..9.9a.... .....N.PK..4...u.......PK..........X................[Content_Types].xml/[2].piece-.A.. .F....p.u.q.&....!...m..[.n_^..kA.......>\|.......f....`........}..F..(v.6.t...0-.n.C\|@.N-.Z...PK....[Pm...{...PK..........X............%...FixedDocumentSequence.fdseq/[0].pieceU.M..0.F..fo&.....H.`..2.....H.o..p

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	22
Entropy (8bit):	4.186704345910024
Encrypted:	false
SSDEEP:	3:otlZ1ln:otll
MD5:	672C68F2CF2762D09DC2AA4419C3E093
SHA1:	CC931B9D0700C6685574F67C9774510742C7972D
SHA-256:	CCCC88ED5702555D57A3DAD0FAB295676DAA224E29DD4EB74C8CA10D2F258BAA
SHA-512:	AD85F23C830ABB9C7327B7878F419554B6BF132DEED86070E2FAA624160AEC359AB503DE8C05746F38E880391F51102EF769B56B732595799BCDC9C0C266A594
Malicious:	false
Preview:	C:\PROGRA~3\2172.tmp..

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.768600181335579
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Document.doc.scr.exe
File size:	199'168 bytes
MD5:	50e5dec57451005668704281688ca55d
SHA1:	67dd4ac7eb8c193b39149b34d3a0d5bc21c3f200
SHA256:	062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1
SHA512:	29ca4a44795c71d3e2b4e3417355ebb93765157d464d6d5a3fe6774056d934d57081c72001fb29e47982da11e5a5ccfdbcc958d05a11fb49bd8bf84e6d0c61ad
SSDEEP:	3072:66glyuxE4GsUPnliByocWepRGbVZqid91h2ys+tU:66gDBGpvEByocWeubV4inP9B
TLSH:	02145C20F245A8F3C42324F52A36E47173AA9F2D1D6C180FEAB53F4A68725D32B55D4B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...e..c............................o.............@..........................P......MU....@...........@....................

Entrypoint:	0x41946f
Entrypoint Section:	.itext
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x631A9665 [Fri Sep 9 01:27:01 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	41fb8cb2943df6de998b35a9d28668e8

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1a230	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x27000	0xc160	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x34000	0xfd0	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x1a120	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1a000	0x70	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x17de8	0x17e00	cfbda2c44e51b3b0b00bcbbc767c62a2	False	0.48375122709424084	data	6.634079266913224	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext	0x19000	0x546	0x600	6f4cd57381bb5584c0a0755384d25180	False	0.251953125	data	2.9337361310958805	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x1a000	0x492	0x600	bd829aa493ecd52fe5bec776d207f206	False	0.3671875	data	3.5366359784052652	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x1b000	0xadc8	0xa000	aced96dbfa5389a74c5f3b4aa34bf0a5	False	0.9826416015625	SysEx File -	7.986665903168469	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x26000	0x880	0xa00	fd55173b0926e9241343dc4ae298653b	False	0.875390625	data	7.32033544143519	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x27000	0xc160	0xc200	0498258b0cc68156e1295f5d17bb63e6	False	0.22473018685567012	data	4.478609900548174	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x34000	0xfd0	0x1000	3f87e4c23650dfad0bee7da98889ba94	False	0.843505859375	GLS_BINARY_LSB_FIRST	6.738987246879603	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x271f0	0x176d	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9296314824078706
RT_ICON	0x28960	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 0	0.0973665564478035
RT_ICON	0x2cb88	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	0.13340248962655601
RT_ICON	0x2f130	0x1a68	Device independent bitmap graphic, 40 x 80 x 32, image size 0	0.16715976331360946
RT_ICON	0x30b98	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	0.20309568480300189
RT_ICON	0x31c40	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	0.2721311475409836
RT_ICON	0x325c8	0x6b8	Device independent bitmap graphic, 20 x 40 x 32, image size 0	0.34244186046511627
RT_ICON	0x32c80	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	0.41932624113475175
RT_GROUP_ICON	0x330e8	0x76	data	0.7457627118644068

DLL	Import
gdi32.dll	SetPixel, SetDCBrushColor, SelectPalette, GetTextColor, GetDeviceCaps, CreateSolidBrush
USER32.dll	DefWindowProcW, CreateMenu, EndDialog, GetDlgItem, GetKeyNameTextW, GetMessageW, GetWindowTextW, IsDlgButtonChecked, LoadImageW, LoadMenuW, DialogBoxParamW
KERNEL32.dll	SetLastError, LoadLibraryW, GetTickCount, GetLastError, GetCommandLineW, GetCommandLineA, FreeLibrary

Target ID:	0
Start time:	05:13:52
Start date:	25/04/2024
Path:	C:\Users\user\Desktop\Document.doc.scr.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Document.doc.scr.exe"
Imagebase:	0x930000
File size:	199'168 bytes
MD5 hash:	50E5DEC57451005668704281688CA55D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_LockBit_ransomware, Description: Yara detected LockBit ransomware, Source: 00000000.00000002.2464445713.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: Windows_Ransomware_Lockbit_369e1e94, Description: unknown, Source: 00000000.00000002.2464445713.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Author: unknown Rule: JoeSecurity_LockBit_ransomware, Description: Yara detected LockBit ransomware, Source: 00000000.00000002.2466936126.000000000107B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_LockBit_ransomware, Description: Yara detected LockBit ransomware, Source: 00000000.00000003.2457027491.000000000107B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_LockBit_ransomware, Description: Yara detected LockBit ransomware, Source: 00000000.00000003.2463997094.000000000107B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_LockBit_ransomware, Description: Yara detected LockBit ransomware, Source: 00000000.00000000.2003658828.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: Windows_Ransomware_Lockbit_369e1e94, Description: unknown, Source: 00000000.00000000.2003658828.0000000000931000.00000020.00000001.01000000.00000003.sdmp, Author: unknown Rule: JoeSecurity_LockBit_ransomware, Description: Yara detected LockBit ransomware, Source: 00000000.00000002.2465988864.0000000000FEE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_LockBit_ransomware, Description: Yara detected LockBit ransomware, Source: 00000000.00000003.2463644830.000000000107B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_LockBit_ransomware, Description: Yara detected LockBit ransomware, Source: 00000000.00000003.2457278883.000000000107B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Target ID:	7
Start time:	05:14:38
Start date:	25/04/2024
Path:	C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE
Wow64 process (32bit):	true
Commandline:	/insertdoc "C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\{EA82EC72-B970-44A4-8C1B-42CD300B85FB}.xps" 133584884697420000
Imagebase:	0x210000
File size:	2'191'768 bytes
MD5 hash:	0061760D72416BCF5F2D9FA6564F0BEA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Target ID:	9
Start time:	05:14:39
Start date:	25/04/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\2172.tmp >> NUL
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Execution Coverage:	22%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	16%
Total number of Nodes:	1984
Total number of Limit Nodes:	12

Execution Coverage:	32.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	1.3%
Total number of Nodes:	160
Total number of Limit Nodes:	1

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Document.doc.scr.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\AAAAAAAAAAA (copy)

C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\BBBBBBBBBBB (copy)

C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\CCCCCCCCCCC (copy)

C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\DDDDDDDDDDD (copy)

C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\EEEEEEEEEEE (copy)

C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\FFFFFFFFFFF (copy)

C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\GGGGGGGGGGG (copy)

C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\HHHHHHHHHHH (copy)

C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\IIIIIIIIIII (copy)

C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\JJJJJJJJJJJ (copy)

C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\KKKKKKKKKKK (copy)

C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\LLLLLLLLLLL (copy)

C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\MMMMMMMMMMM (copy)

C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\NNNNNNNNNNN (copy)

C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\OOOOOOOOOOO (copy)

C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\PPPPPPPPPPP (copy)

C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\QQQQQQQQQQQ (copy)

Windows Analysis Report
Document.doc.scr.exe

Description:	Adversaries may delete or modify artifacts generated within systems to remove evidence of their presence or hinder defenses. Various artifacts may be created by an adversary or something that can be attributed to an adversary’s actions. Typically these artifacts are used as defensive indicators related to monitored events, such as strings from downloaded files, logs that are generated from user actions, and other data analyzed by defenders. Location, format, and type of artifact (such as command or login history) are often specific to each platform.
Tactics:	Defense Evasion
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Deletion, File: File Metadata, File: File Modification, Firewall: Firewall Rule Modification, Network Traffic: Network Traffic Content, Process: OS API Execution, Process: Process Creation, Scheduled Job: Scheduled Job Modification, User Account: User Account Authentication, User Account: User Account Deletion, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, Google Workspace, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.
Tactics:	Collection
Data Sources:	Logon Session: Logon Session Creation, Process: Process Access, Process: Process Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre