Windows Analysis Report
Document.doc.scr.exe

Overview

General Information

Sample name: Document.doc.scr.exe
Analysis ID: 1432010
MD5: 407ea767aa26ae13f9ff20d0999c8dda
SHA1: 07e615132ef78e827047ffc4cc6c9d44f5a976fd
SHA256: f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4
Tags: BlackMatterexescr
Infos:

Detection

LockBit ransomware, TrojanRansom
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Found ransom note / readme
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected LockBit ransomware
Yara detected TrojanRansom
Changes the wallpaper picture
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Deletes itself after installation
Found Tor onion address
Found potential ransomware demand text
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Modifies existing user documents (likely ransomware behavior)
Overwrites Mozilla Firefox settings
Sample has a suspicious name (potential lure to open the executable)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses an obfuscated file name to hide its real file extension (double extension)
Writes many files with high entropy
Writes to foreign memory regions
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to clear windows event logs (to hide its activities)
Contains functionality to communicate with device drivers
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Enables debug privileges
Enables security privileges
PE file contains an invalid checksum
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Potentially Suspicious Desktop Background Change Via Registry
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: Document.doc.scr.exe Avira: detected
Antivirus detection for URL or domain
Source: http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion Avira URL Cloud: Label: malware
Multi AV Scanner detection for domain / URL
Source: http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion Virustotal: Detection: 12% Perma Link
Multi AV Scanner detection for submitted file
Source: Document.doc.scr.exe ReversingLabs: Detection: 86%
Source: Document.doc.scr.exe Virustotal: Detection: 86% Perma Link
Machine Learning detection for sample
Source: Document.doc.scr.exe Joe Sandbox ML: detected
Uses 32bit PE files
Source: Document.doc.scr.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\Videos\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\Searches\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\Saved Games\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\Recent\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\Pictures\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\Pictures\Saved Pictures\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\Pictures\Camera Roll\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\OneDrive\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\Music\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\Links\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\Favorites\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\Favorites\Links\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\Downloads\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\Documents\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\Documents\ZQIXMVQGAH\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\Documents\ZBEDCJPBEY\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\Documents\XZXHAVGRAG\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\Documents\VAMYDFPUND\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\Documents\SFPUSAFIOL\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\Documents\ONBQCLYSPU\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\Documents\KZWFNRXYKI\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\Documents\KATAXZVCPS\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\Documents\HTAGVDFUIE\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\Documents\DTBZGIOOSO\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\Documents\CURQNKVOIX\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\Documents\AIXACVYBSB\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\Desktop\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\Desktop\ZQIXMVQGAH\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\Desktop\ZBEDCJPBEY\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\Desktop\XZXHAVGRAG\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\Desktop\VAMYDFPUND\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\Desktop\SFPUSAFIOL\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\Desktop\ONBQCLYSPU\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\Desktop\KZWFNRXYKI\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\Desktop\KATAXZVCPS\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\Desktop\HTAGVDFUIE\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\Desktop\DTBZGIOOSO\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\Desktop\CURQNKVOIX\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\Desktop\AIXACVYBSB\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\Contacts\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\Skype\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\Skype\RootTools\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\Mozilla\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\to-be-removed\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\temporary\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.files\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3561288849sdhlie.files\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2918063365piupsah.files\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.files\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.files\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.files\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\security_state\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\saved-telemetry-pings\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\minidumps\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\tmp\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\events\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\db\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\events\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\bookmarkbackups\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Pending Pings\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Crash Reports\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Crash Reports\events\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Extensions\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\com.adobe.dunamis\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\com.adobe.dunamis\f2eb6c79-671d-4de2-b7be-3b2eea7abc47\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\com.adobe.dunamis\6d9d9777-7ded-4768-8191-9a707d72b009\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\com.adobe.dunamis\61f56613-c62c-4b17-84dd-62b60d5776aa\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\com.adobe.dunamis\56079431-ea46-4833-94f9-1ff5658cdb1c\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\Adobe\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\Adobe\Sonar\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\Adobe\Sonar\SonarCC\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\Adobe\RTTransfer\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\Adobe\LogTransport2CC\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\Adobe\LogTransport2\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\Adobe\Linguistics\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\Adobe\Headlights\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\Adobe\Flash Player\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\Adobe\Flash Player\NativeCache\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\Adobe\CRLogs\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\Adobe\CRLogs\crashlogs\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\Adobe\Acrobat\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\Adobe\Acrobat\Preflight Acrobat Continuous\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\Security\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\JSCache\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\Forms\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\Collab\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\LocalLow\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\LocalLow\Adobe\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\LocalLow\Adobe\Linguistics\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cookie\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\VideoDecodeStats\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\shared_proto_db\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\shared_proto_db\metadata\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\wasm\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\wasm\index-dir\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\index-dir\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Cache\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Cache\Cache_Data\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\blob_storage\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\blob_storage\d1702bdf-c0c8-42c3-b6d9-e52fd0a57b16\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\LocalLow\Adobe\Acrobat\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\assets\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\Acrobat\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\Acrobat\DesktopNotification\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\Acrobat\DesktopNotification\NotificationsDB\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\VirtualStore\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Temp\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Temp\Symbols\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Temp\mozilla-temp-files\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Temp\Low\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Temp\Diagnostics\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Temp\Diagnostics\EXCEL\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\Acrobat\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\Acrobat\DC\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\Acrobat\DC\SearchEmbdIndex\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Temp\acrocef_low\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Temp\acrobat_sbx\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Temp\acrobat_sbx\Adobe\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Temp\acrobat_sbx\Adobe\Acrobat\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Temp\acrobat_sbx\Adobe\Acrobat\DC\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\SolidDocuments\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\SolidDocuments\Acrobat\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Publishers\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Publishers\8wekyb3d8bbwe\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Publishers\8wekyb3d8bbwe\SettingsContainer\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Publishers\8wekyb3d8bbwe\Microsoft.WindowsAlarms\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Publishers\8wekyb3d8bbwe\Licenses\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Publishers\8wekyb3d8bbwe\Fonts\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\PlaceholderTileLogoFolder\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\PeerDistRepub\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\windows_ie_ac_001\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\windows_ie_ac_001\AC\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\windows_ie_ac_001\AC\Temp\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\TempState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\SystemAppData\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\Settings\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\RoamingState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\LocalState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\LocalCache\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\AppData\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\AC\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\AC\Temp\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\TempState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\SystemAppData\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\Settings\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\RoamingState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalCache\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\AppData\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\AC\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Windows.CBSPreview_cw5n1h2txyewy\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Windows.CBSPreview_cw5n1h2txyewy\TempState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Windows.CBSPreview_cw5n1h2txyewy\SystemAppData\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Windows.CBSPreview_cw5n1h2txyewy\Settings\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Windows.CBSPreview_cw5n1h2txyewy\RoamingState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Windows.CBSPreview_cw5n1h2txyewy\LocalState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Windows.CBSPreview_cw5n1h2txyewy\LocalCache\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Windows.CBSPreview_cw5n1h2txyewy\AppData\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Windows.CBSPreview_cw5n1h2txyewy\AC\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Windows.CBSPreview_cw5n1h2txyewy\AC\Temp\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\TempState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\SystemAppData\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\Settings\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\RoamingState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\LocalState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\LocalCache\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\AppData\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\AC\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\AC\Temp\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\TempState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\SystemAppData\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\Settings\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\RoamingState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\LocalState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\LocalCache\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\AppData\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\AC\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\AC\Temp\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SystemAppData\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\Settings\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\RoamingState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalCache\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AppData\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Temp\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\TempState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\SystemAppData\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\Settings\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\RoamingState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\LocalState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\LocalCache\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\AppData\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\AC\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\AC\Temp\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\TempState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\SystemAppData\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\Settings\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\RoamingState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\LocalState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\LocalCache\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\AppData\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\AC\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\AC\Temp\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\TempState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\SystemAppData\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\Settings\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\RoamingState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\LocalState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\LocalCache\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\AppData\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\AC\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\AC\Temp\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\TempState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\SystemAppData\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\Settings\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\RoamingState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\LocalState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\LocalCache\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\AppData\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\AC\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\AC\Temp\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\TempState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\SystemAppData\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\Settings\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\RoamingState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\LocalState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\LocalCache\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\AppData\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\AC\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\AC\Temp\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\TempState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\SystemAppData\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\Settings\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\RoamingState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\LocalState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\LocalState\DiagOutputDir\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\LocalCache\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\AppData\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\AC\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\AC\Temp\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\TempState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\SystemAppData\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\Settings\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\RoamingState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\LocalState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\LocalCache\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\AppData\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\AC\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\AC\Temp\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxApp_8wekyb3d8bbwe\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxApp_8wekyb3d8bbwe\TempState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxApp_8wekyb3d8bbwe\SystemAppData\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxApp_8wekyb3d8bbwe\Settings\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxApp_8wekyb3d8bbwe\RoamingState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxApp_8wekyb3d8bbwe\LocalState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxApp_8wekyb3d8bbwe\LocalCache\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxApp_8wekyb3d8bbwe\AppData\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxApp_8wekyb3d8bbwe\AC\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxApp_8wekyb3d8bbwe\AC\Temp\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Xbox.TCUI_8wekyb3d8bbwe\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Xbox.TCUI_8wekyb3d8bbwe\TempState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Xbox.TCUI_8wekyb3d8bbwe\SystemAppData\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Xbox.TCUI_8wekyb3d8bbwe\Settings\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Xbox.TCUI_8wekyb3d8bbwe\RoamingState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Xbox.TCUI_8wekyb3d8bbwe\LocalState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Xbox.TCUI_8wekyb3d8bbwe\LocalCache\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Xbox.TCUI_8wekyb3d8bbwe\AppData\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Xbox.TCUI_8wekyb3d8bbwe\AC\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Xbox.TCUI_8wekyb3d8bbwe\AC\Temp\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\TempState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\SystemAppData\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\Settings\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\RoamingState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\LocalState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\LocalCache\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\AppData\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\AC\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\AC\Temp\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\TempState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\SystemAppData\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\Settings\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\RoamingState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\LocalState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\LocalCache\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\AppData\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\AC\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\AC\Temp\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsMaps_8wekyb3d8bbwe\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsMaps_8wekyb3d8bbwe\TempState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsMaps_8wekyb3d8bbwe\SystemAppData\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsMaps_8wekyb3d8bbwe\Settings\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsMaps_8wekyb3d8bbwe\RoamingState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsMaps_8wekyb3d8bbwe\LocalState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsMaps_8wekyb3d8bbwe\LocalCache\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsMaps_8wekyb3d8bbwe\AppData\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsMaps_8wekyb3d8bbwe\AC\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsMaps_8wekyb3d8bbwe\AC\Temp\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\TempState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\SystemAppData\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\Settings\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\RoamingState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\LocalState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\LocalCache\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\AppData\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\AC\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\AC\Temp\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\TempState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\SystemAppData\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\Settings\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\RoamingState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalCache\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\AppData\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\AC\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\AC\Temp\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\AC\BackgroundTransferApi\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCamera_8wekyb3d8bbwe\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCamera_8wekyb3d8bbwe\TempState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCamera_8wekyb3d8bbwe\SystemAppData\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCamera_8wekyb3d8bbwe\Settings\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCamera_8wekyb3d8bbwe\RoamingState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCamera_8wekyb3d8bbwe\LocalState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCamera_8wekyb3d8bbwe\LocalCache\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCamera_8wekyb3d8bbwe\AppData\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCamera_8wekyb3d8bbwe\AC\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCamera_8wekyb3d8bbwe\AC\Temp\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCalculator_8wekyb3d8bbwe\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCalculator_8wekyb3d8bbwe\TempState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCalculator_8wekyb3d8bbwe\SystemAppData\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCalculator_8wekyb3d8bbwe\Settings\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCalculator_8wekyb3d8bbwe\RoamingState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCalculator_8wekyb3d8bbwe\LocalState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCalculator_8wekyb3d8bbwe\LocalCache\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCalculator_8wekyb3d8bbwe\AppData\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCalculator_8wekyb3d8bbwe\AC\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCalculator_8wekyb3d8bbwe\AC\Temp\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsAlarms_8wekyb3d8bbwe\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsAlarms_8wekyb3d8bbwe\TempState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsAlarms_8wekyb3d8bbwe\SystemAppData\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsAlarms_8wekyb3d8bbwe\Settings\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsAlarms_8wekyb3d8bbwe\RoamingState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsAlarms_8wekyb3d8bbwe\LocalState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsAlarms_8wekyb3d8bbwe\LocalCache\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsAlarms_8wekyb3d8bbwe\AppData\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsAlarms_8wekyb3d8bbwe\AC\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsAlarms_8wekyb3d8bbwe\AC\Temp\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\TempState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\SystemAppData\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\Settings\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\RoamingState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\LocalState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\LocalCache\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\AppData\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\AC\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\AC\Temp\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\SystemAppData\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\Settings\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\RoamingState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\LocalState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\LocalCache\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\AppData\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\AC\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\AC\Temp\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\TempState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\SystemAppData\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\Settings\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\RoamingState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\LocalState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\LocalCache\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\AppData\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\AC\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\AC\Temp\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\TempState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\SystemAppData\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\Settings\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\RoamingState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\LocalState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\LocalCache\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\AppData\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\AC\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\AC\Temp\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\TempState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SystemAppData\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\Settings\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\RoamingState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\LocalState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\LocalCache\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\AppData\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\AC\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\AC\Temp\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\TempState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\SystemAppData\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\Settings\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\RoamingState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ShellFeeds\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\Flighting\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{97b27011-f8cc-4ac9-9531-d6ee8ce92324}\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{76cc83ea-ae96-47fc-9329-459e5ad2d67b}\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{0f31ce30-ed3d-4588-b294-208da23711e6}\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{c58f7468-b990-418e-a4ba-ca3568b01c70}\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{2c33d893-bc92-487f-aede-304ebfc79509}\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalCache\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AppData\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AppData\Indexed DB\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AppData\CacheStorage\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Temp\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\TempState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\SystemAppData\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\Settings\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\RoamingState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\LocalState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\LocalCache\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\AppData\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\AC\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\AC\Temp\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\TempState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\SystemAppData\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\Settings\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\RoamingState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\LocalState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\LocalCache\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\AppData\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\AC\jC7CNxlVt.README.txt Jump to behavior
Source: Document.doc.scr.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: ice\HarddiskVolume3\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\C7CNxlVt.README.txt source: Document.doc.scr.exe, 00000000.00000003.1682283519.00000000014FE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2_0 source: Document.doc.scr.exe, 00000000.00000003.1682283519.00000000014FE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\j source: Document.doc.scr.exe, 00000000.00000003.1682283519.00000000014FE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\* source: Document.doc.scr.exe, 00000000.00000003.1682283519.00000000014FE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error.jC7CNxlVt source: Document.doc.scr.exe, 00000000.00000003.1705221595.000000000143D000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1711836076.000000000143D000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1718849776.000000000143D000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1717159713.000000000143D000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1718983651.000000000143D000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1703476299.000000000143D000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1710511244.000000000143D000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1712643035.000000000143D000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1686082464.000000000143D000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1713658697.000000000143D000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1715185404.000000000143D000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1695151935.000000000143D000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1719812875.000000000143D000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1711697152.000000000143D000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1699369432.000000000143D000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1694880017.000000000143D000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1680648061.000000000143D000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1712214810.000000000143D000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1720140260.000000000143D000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1693739427.000000000143D000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1719287121.000000000143D000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1714611951.000000000143D000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1701452290.000000000143D000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1702773878.000000000143D000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1714096402.000000000143D000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1705906875.000000000143D000.00000004.00000020.00020000.00000000.sdmp, Document.d
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: Document.doc.scr.exe, 00000000.00000003.1939184092.00000000013CF000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000002.2101878302.00000000013AE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: WINLOA~1.PDBwinload_prod.pdb source: Document.doc.scr.exe, 00000000.00000003.1679982073.0000000001426000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2p source: Document.doc.scr.exe, 00000000.00000003.1682283519.00000000014FE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mi_exe_stub.pdb source: Document.doc.scr.exe, 00000000.00000003.1678909255.0000000001487000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1678737768.0000000001474000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \\?\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\jC7CNxlVt.README.txt source: Document.doc.scr.exe, 00000000.00000003.1680648061.000000000143D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: WINLOA~1.PDBntkrnlmp.pdb.pdb source: Document.doc.scr.exe, 00000000.00000003.1680648061.0000000001426000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \\?\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error.jC7CNxlVte source: Document.doc.scr.exe, 00000000.00000003.1680648061.000000000143D000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\Document.doc.scr.exe Code function: 0_2_00BE74BC FindFirstFileExW,FindNextFileW, 0_2_00BE74BC
Source: C:\Users\user\Desktop\Document.doc.scr.exe Code function: 0_2_00BEA094 FindFirstFileExW,FindClose, 0_2_00BEA094
Source: C:\Users\user\Desktop\Document.doc.scr.exe Code function: 0_2_00BE5C24 FindFirstFileW,FindClose,FindNextFileW,FindClose, 0_2_00BE5C24
Source: C:\Users\user\Desktop\Document.doc.scr.exe Code function: 0_2_00BE7590 FindFirstFileExW, 0_2_00BE7590
Source: C:\Users\user\Desktop\Document.doc.scr.exe Code function: 0_2_00BE766C FindFirstFileExW,GetFileAttributesW,FindNextFileW, 0_2_00BE766C
Source: C:\Users\user\Desktop\Document.doc.scr.exe Code function: 0_2_00BEF308 GetFileAttributesW,SetThreadPriority,FindFirstFileExW,FindNextFileW,FindClose, 0_2_00BEF308
Source: C:\ProgramData\D448.tmp Code function: 9_2_0040227C FindFirstFileExW, 9_2_0040227C
Source: C:\ProgramData\D448.tmp Code function: 9_2_0040152C FindFirstFileExW,FindClose,FindNextFileW,FindClose, 9_2_0040152C
Source: C:\Users\user\Desktop\Document.doc.scr.exe Code function: 0_2_00BEA470 GetLogicalDriveStringsW, 0_2_00BEA470
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\Acrobat\ Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Local\Temp\Diagnostics\ Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\ Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\ Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\Acrobat\DC\ Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Local\Temp\Diagnostics\EXCEL\ Jump to behavior

Networking
barindex
Found Tor onion address
Source: Document.doc.scr.exe, 00000000.00000003.2091177762.00000000013F1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion
Source: Document.doc.scr.exe, 00000000.00000003.2091177762.00000000013F1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion
Source: Document.doc.scr.exe, 00000000.00000003.2091177762.00000000013F1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion
Source: Document.doc.scr.exe, 00000000.00000002.2101878302.00000000013D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion
Source: Document.doc.scr.exe, 00000000.00000002.2101878302.00000000013D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion
Source: Document.doc.scr.exe, 00000000.00000002.2101878302.00000000013D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onionn
Source: Document.doc.scr.exe, 00000000.00000002.2101878302.00000000013D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion
Source: Document.doc.scr.exe, 00000000.00000002.2101878302.00000000013D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onionug
Source: Document.doc.scr.exe, 00000000.00000002.2101878302.00000000013D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onionl
Source: Document.doc.scr.exe, 00000000.00000002.2101878302.00000000013D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onionJK
Source: Document.doc.scr.exe, 00000000.00000002.2101878302.00000000013D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion]YK
Source: Document.doc.scr.exe, 00000000.00000002.2101878302.00000000013D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion]lK<<
Source: Document.doc.scr.exe, 00000000.00000002.2101878302.00000000013D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onionsK/<
Source: Document.doc.scr.exe, 00000000.00000002.2101878302.00000000013D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onionc
Source: Document.doc.scr.exe, 00000000.00000002.2101878302.00000000013D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onionl
Source: Document.doc.scr.exe, 00000000.00000002.2101878302.00000000013D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onionl
Source: Document.doc.scr.exe, 00000000.00000002.2101878302.00000000013D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion.Jr=
Source: Document.doc.scr.exe, 00000000.00000002.2101878302.00000000013D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion=Jm=
Source: Document.doc.scr.exe, 00000000.00000002.2101878302.00000000013D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion@J
Source: Document.doc.scr.exe, 00000000.00000002.2101878302.00000000013D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onionlWJ
Source: Document.doc.scr.exe, 00000000.00000002.2101878302.00000000013D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion[
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: http://b.c2r.ts.cdn.office.net/pr
Source: Document.doc.scr.exe, 00000000.00000003.1676814100.00000000014FE000.00000004.00000020.00020000.00000000.sdmp, 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr
Source: Document.doc.scr.exe, 00000000.00000003.1878035842.0000000001522000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://kinto.readthedocs.io/en/latest/tutorials/synchronisation.html#polling-for-remote-changes
Source: Document.doc.scr.exe, 00000000.00000002.2101878302.00000000013D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lockbitapt.uz
Source: Document.doc.scr.exe, 00000000.00000003.2091177762.00000000013F1000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000002.2101878302.00000000013D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion
Source: Document.doc.scr.exe, 00000000.00000002.2101878302.00000000013D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion=Jm=
Source: Document.doc.scr.exe, 00000000.00000002.2101878302.00000000013D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onionl
Source: Document.doc.scr.exe, 00000000.00000002.2101878302.00000000013D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion
Source: Document.doc.scr.exe, 00000000.00000002.2101878302.00000000013D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onionl
Source: Document.doc.scr.exe, 00000000.00000002.2101878302.00000000013D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onionsK/
Source: Document.doc.scr.exe, 00000000.00000002.2101878302.00000000013D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onionug
Source: Document.doc.scr.exe, 00000000.00000002.2101878302.00000000013D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion
Source: Document.doc.scr.exe, 00000000.00000002.2101878302.00000000013D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion.Jr=
Source: Document.doc.scr.exe, 00000000.00000002.2101878302.00000000013D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onionJK
Source: Document.doc.scr.exe, 00000000.00000002.2101878302.00000000013D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onionc
Source: Document.doc.scr.exe, 00000000.00000002.2101878302.00000000013D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onionl
Source: Document.doc.scr.exe, 00000000.00000002.2101878302.00000000013D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onionlWJ
Source: Document.doc.scr.exe, 00000000.00000002.2101878302.00000000013D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onionn
Source: Document.doc.scr.exe, 00000000.00000003.2091177762.00000000013F1000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000002.2101878302.00000000013D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://lockbitsupp.uz
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: Document.doc.scr.exe, 00000000.00000003.1646091627.00000000014D5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://MD8.mozilla.org/1/m
Source: 3870112724rsegmnoittet-es.sqlite.jC7CNxlVt.0.dr String found in binary or memory: https://account.bellmedia.c
Source: Document.doc.scr.exe, 00000000.00000003.1877029171.0000000001526000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://account.bellmedia.ca
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://addinsinstallation.store.office.com/app/acquisitionlogging
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://addinsinstallation.store.office.com/app/download
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/authenticated
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/unauthenticated
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://addinsinstallation.store.office.com/orgid/appinstall/authenticated
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://addinslicensing.store.office.com/apps/remove
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://addinslicensing.store.office.com/commerce/query
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://addinslicensing.store.office.com/entitlement/query
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://addinslicensing.store.office.com/orgid/apps/remove
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://addinslicensing.store.office.com/orgid/entitlement/query
Source: Document.doc.scr.exe, 00000000.00000003.1645091771.00000000014D5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://allegro.pl/
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://api.aadrm.com
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://api.aadrm.com/
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://api.addins.omex.office.net/api/addins/search
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://api.addins.store.office.com/addinstemplate
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://api.addins.store.office.com/app/query
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://api.addins.store.officeppe.com/addinstemplate
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://api.cortana.ai
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://api.diagnostics.office.com
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://api.diagnosticssdf.office.com
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://api.diagnosticssdf.office.com/v2/feedback
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://api.diagnosticssdf.office.com/v2/file
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://api.microsoftstream.com
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://api.microsoftstream.com/api/
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://api.office.net
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://api.officescripts.microsoftusercontent.com/api
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://api.onedrive.com
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://api.powerbi.com/v1.0/myorg/imports
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://api.scheduler.
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://apis.live.net/v5.0/
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://apis.mobile.m365.svc.cloud.microsoft
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://augloop.office.com
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://augloop.office.com/v2
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://autodiscover-s.outlook.com/
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: Document.doc.scr.exe, 00000000.00000003.1641926636.00000000014C2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
Source: Document.doc.scr.exe, 00000000.00000003.1641926636.00000000014C2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta
Source: Document.doc.scr.exe, 00000000.00000003.1645091771.00000000014D5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mo
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://cdn.designerapp.osi.office.net/designer-mobile
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://cdn.entity.
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://cdn.hubblecontent.osi.office.net/
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://cdn.int.designerapp.osi.office.net/fonts
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://clients.config.office.net
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://clients.config.office.net/
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://clients.config.office.net/c2r/v1.0/DeltaAdvisory
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://clients.config.office.net/c2r/v1.0/InteractiveInstallation
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://config.edge.skype.com
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://consent.config.office.com/consentcheckin/v1.0/consents
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://consent.config.office.com/consentweb/v1.0/consents
Source: Document.doc.scr.exe, 00000000.00000003.1877029171.0000000001526000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://content-signature-2.cdn.mozilla.net/chains/remote-settings.content-signature.mozilla.org-202
Source: Document.doc.scr.exe, 00000000.00000003.1641926636.00000000014C2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
Source: Document.doc.scr.exe, 00000000.00000003.1641926636.00000000014C2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://cortana.ai
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://cortana.ai/api
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://cr.office.com
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://d.docs.live.net
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://dataservice.o365filtering.com
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://dataservice.o365filtering.com/
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://designerapp.officeapps.live.com/designerapp
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://dev.cortana.ai
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://devnull.onenote.com
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://directory.services.
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://ecs.office.com
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://ecs.office.com/config/v1/Designer
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://ecs.office.com/config/v2/Office
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://edge.skype.com/registrar/prod
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://edge.skype.com/rps
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://enrichment.osi.office.net/
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v1
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Resolve/v1
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Search/v1
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/StockHistory/v1
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/ipcheck/v1
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/v2.1601652342626
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/metadata.json
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/desktop/main.cshtml
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/web/main.cshtml
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://entitlement.diagnostics.office.com
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: Document.doc.scr.exe, 00000000.00000003.1878035842.0000000001522000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://firefox-settings-attachments.cdn.mozilla.net/
Source: Document.doc.scr.exe, 00000000.00000003.1878035842.0000000001522000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://firefox.settings.services.mozilla.com/v1/
Source: Document.doc.scr.exe, 00000000.00000003.1877029171.0000000001526000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/partitioning-exempt-urls/c
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://fpastorage.cdn.office.net/%s
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://fpastorage.cdn.office.net/firstpartyapp/addins.xml
Source: Document.doc.scr.exe, 00000000.00000003.1878035842.0000000001522000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/Kinto/kinto-attachment/
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://globaldisco.crm.dynamics.com
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://graph.ppe.windows.net
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://graph.ppe.windows.net/
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://graph.windows.net
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://graph.windows.net/
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/pivots/
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?secureurl=1
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://ic3.teams.office.com
Source: Document.doc.scr.exe, 00000000.00000003.1641926636.00000000014C2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://incidents.diagnostics.office.com
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://inclient.store.office.com/gyro/client
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://inclient.store.office.com/gyro/clientstore
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&amp;adlt=strict&amp;hostType=Immersive
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://invites.office.com/
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://lifecycle.office.com
Source: Document.doc.scr.exe, 00000000.00000003.1877029171.0000000001526000.00000004.00000020.00020000.00000000.sdmp, 3870112724rsegmnoittet-es.sqlite.jC7CNxlVt.0.dr String found in binary or memory: https://login.live.com
Source: Document.doc.scr.exe, 00000000.00000003.1877029171.0000000001526000.00000004.00000020.00020000.00000000.sdmp, 3870112724rsegmnoittet-es.sqlite.jC7CNxlVt.0.dr, 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://login.microsoftonline.com
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://login.microsoftonline.com/
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://login.windows.local
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://make.powerautomate.com
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://management.azure.com
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://management.azure.com/
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://messagebroker.mobile.m365.svc.cloud.microsoft
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://messaging.action.office.com/
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://messaging.action.office.com/setcampaignaction
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://messaging.action.office.com/setuseraction16
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://messaging.engagement.office.com/
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://messaging.engagement.office.com/campaignmetadataaggregator
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://messaging.lifecycle.office.com/
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://messaging.lifecycle.office.com/getcustommessage16
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://messaging.office.com/
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://metadata.templates.cdn.office.net/client/log
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://my.microsoftpersonalcontent.com
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://ncus.contentsync.
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://ncus.pagecontentsync.
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://ods-diagnostics-ppe.trafficmanager.net
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://officeapps.live.com
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://officeci.azurewebsites.net/api/
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://officepyservice.office.net/
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://officepyservice.office.net/service.functionality
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentities
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentitiesupdated
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://onedrive.live.com
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://onedrive.live.com/embed?
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://otelrules.azureedge.net
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://otelrules.svc.static.microsoft
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://outlook.office.com
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://outlook.office.com/
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://outlook.office365.com
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://outlook.office365.com/
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://outlook.office365.com/connectors
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://pages.store.office.com/review/query
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://pages.store.office.com/webapplandingpage.aspx
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://powerlift.acompli.net
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://prod.mds.office.com/mds/api/v1.0/clientmodeldirectory
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://pushchannel.1drv.ms
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: Document.doc.scr.exe, 00000000.00000003.1878035842.0000000001522000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://remote-settings.readthedocs.io
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://res.cdn.office.net
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://res.cdn.office.net/mro1cdnstorage/fonts/prod/4.39
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://res.cdn.office.net/polymer/models
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://safelinks.protection.outlook.com/api/GetPolicy
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://service.officepy.microsoftusercontent.com/
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://settings.outlook.com
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://shell.suite.office.com:1443
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://skyapi.live.net/Activity/
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://staging.cortana.ai
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://store.office.cn/addinstemplate
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://store.office.de/addinstemplate
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://substrate.office.com
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://substrate.office.com/Notes-Internal.ReadWrite
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://substrate.office.com/search/api/v1/SearchHistory
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://substrate.office.com/search/api/v2/init
Source: Document.doc.scr.exe, 00000000.00000003.1642208886.00000000014B2000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1641926636.00000000014AA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org
Source: Document.doc.scr.exe, 00000000.00000003.1642208886.00000000014B9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: Document.doc.scr.exe, 00000000.00000003.1642208886.00000000014B9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://tasks.office.com
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://templatesmetadata.office.net/
Source: Document.doc.scr.exe, 00000000.00000003.2091177762.0000000001421000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1734557416.000000000140E000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1907344650.0000000001421000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1661602059.00000000013D9000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1908988654.0000000001421000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1910185384.0000000001421000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1650969084.00000000013D9000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1648303268.00000000013D9000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1912815534.0000000001421000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1675301956.00000000014D5000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1670292404.00000000013D9000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1933272646.0000000001421000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000002.2101878302.0000000001421000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1674503550.00000000014D5000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1738608679.000000000140E000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1650588282.00000000013D9000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1939184092.00000000013D9000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1739871345.000000000140E000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1939350231.0000000001421000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1725687875.000000000140E000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1727469488.000000000140E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://tox.chat/
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://useraudit.o365auditrealtimeingestion.manage.office.com
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://web.microsoftstream.com/video/
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://webshell.suite.office.com
Source: Document.doc.scr.exe, 00000000.00000003.1645091771.00000000014DF000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1645091771.00000000014D5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://weibo.com/
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://word-edit.officeapps.live.com/we/rrdiscovery.ashx
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://wus2.contentsync.
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://wus2.pagecontentsync.
Source: Document.doc.scr.exe, 00000000.00000003.1645091771.00000000014D5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.aliexpress.com/
Source: Document.doc.scr.exe, 00000000.00000003.1645091771.00000000014D5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.ca/
Source: Document.doc.scr.exe, 00000000.00000003.1645091771.00000000014D5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.co.uk/
Source: Document.doc.scr.exe, 00000000.00000003.1645091771.00000000014D5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/
Source: Document.doc.scr.exe, 00000000.00000003.1641926636.00000000014C2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94
Source: Document.doc.scr.exe, 00000000.00000003.1645091771.00000000014D5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.de/
Source: Document.doc.scr.exe, 00000000.00000003.1645091771.00000000014D5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.fr/
Source: Document.doc.scr.exe, 00000000.00000003.1645091771.00000000014D5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.avito.ru/
Source: Document.doc.scr.exe, 00000000.00000003.1645091771.00000000014D5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.bbc.co.uk/
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: Document.doc.scr.exe, 00000000.00000003.1645091771.00000000014D5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.ebay.de/
Source: Document.doc.scr.exe, 00000000.00000003.1641926636.00000000014C2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid=US.UB.ADMARKETPLACE.GT-C-EN.HOTEL&SEMDTL=a1219
Source: Document.doc.scr.exe, 00000000.00000003.1645091771.00000000014DF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/
Source: Document.doc.scr.exe, 00000000.00000003.1645091771.00000000014D5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.ifeng.com/
Source: Document.doc.scr.exe, 00000000.00000003.1645091771.00000000014D5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.iqiyi.com/
Source: Document.doc.scr.exe, 00000000.00000003.1645091771.00000000014D5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.leboncoin.fr/
Source: Document.doc.scr.exe, 00000000.00000003.1642208886.00000000014B2000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1641926636.00000000014AA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org
Source: Document.doc.scr.exe, 00000000.00000003.1642208886.00000000014B9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: Document.doc.scr.exe, 00000000.00000003.1642208886.00000000014B9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: Document.doc.scr.exe, 00000000.00000003.1642208886.00000000014B9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: Document.doc.scr.exe, 00000000.00000003.1642208886.00000000014B9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: Document.doc.scr.exe, 00000000.00000003.1873556931.000000000153D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/media/css/privacy_protocol.04de168de977.css
Source: Document.doc.scr.exe, 00000000.00000003.1642208886.00000000014B9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: Document.doc.scr.exe, 00000000.00000003.1877029171.0000000001526000.00000004.00000020.00020000.00000000.sdmp, 3870112724rsegmnoittet-es.sqlite.jC7CNxlVt.0.dr String found in binary or memory: https://www.msn.com
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://www.odwebp.svc.ms
Source: Document.doc.scr.exe, 00000000.00000003.1645091771.00000000014DF000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1645091771.00000000014D5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.olx.pl/
Source: Document.doc.scr.exe, 00000000.00000003.1645091771.00000000014D5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.reddit.com/
Source: Document.doc.scr.exe, 00000000.00000003.1877029171.0000000001526000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.tsn.ca
Source: Document.doc.scr.exe, 00000000.00000003.1645091771.00000000014D5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.wykop.pl/
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr String found in binary or memory: https://www.yammer.com
Source: Document.doc.scr.exe, 00000000.00000003.1645091771.00000000014DF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.zhihu.com/

Spam, unwanted Advertisements and Ransom Demands
barindex
Found ransom note / readme
Source: C:\Users\user\AppData\Local\Packages\Microsoft.WebMediaExtensions_8wekyb3d8bbwe\RoamingState\jC7CNxlVt.README.txt Dropped file: !! ALL YOUR FILES ARE ENCRYPTED !!!You can't restore them without our decryptor.Don't try to use any public tools, you could damage the files and lose them forever.To make sure our decryptor works, contact us and decrypt one file for free.Download TOX messenger: https://tox.chat/Add friend in TOX, ID: 36F186C6FDCAAC0CF122E234B5D15F3F42F73568745F251C1306D71EBCA96817770F9B9AC2E6 Jump to dropped file
Yara detected LockBit ransomware
Source: Yara match File source: Document.doc.scr.exe, type: SAMPLE
Source: Yara match File source: 0.0.Document.doc.scr.exe.be0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Document.doc.scr.exe.be0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2100861125.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2091177762.00000000013F1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.1618448431.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2101878302.00000000013D9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Document.doc.scr.exe PID: 5320, type: MEMORYSTR
Yara detected TrojanRansom
Source: Yara match File source: Process Memory Space: Document.doc.scr.exe PID: 5320, type: MEMORYSTR
Changes the wallpaper picture
Source: C:\Users\user\Desktop\Document.doc.scr.exe Key value created or modified: HKEY_CURRENT_USER\Control Panel\Desktop WallPaper C:\ProgramData\jC7CNxlVt.bmp Jump to behavior
Found potential ransomware demand text
Source: Document.doc.scr.exe, 00000000.00000003.2091177762.00000000013F1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory : Your data are stolen and encrypted
Source: Document.doc.scr.exe, 00000000.00000002.2101878302.00000000013D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory : All your important files are stolen and encrypted!
Source: Document.doc.scr.exe, 00000000.00000002.2101878302.00000000013D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory : Your data are stolen and encrypted,7
Source: Document.doc.scr.exe, 00000000.00000002.2101878302.00000000013D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory : Your data are stolen and encrypted:7
Source: Document.doc.scr.exe, 00000000.00000002.2101878302.00000000013D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory : Your data are stolen and encrypted07
Source: Document.doc.scr.exe, 00000000.00000002.2101878302.00000000013D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory : Your data are stolen and encryptedR7
Source: Document.doc.scr.exe, 00000000.00000002.2101878302.00000000013D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory : Your data are stolen and encryptedh7
Source: Document.doc.scr.exe, 00000000.00000002.2101878302.00000000013D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory : Your data are stolen and encrypted
Source: Document.doc.scr.exe, 00000000.00000002.2101878302.00000000013D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory : Your data are stolen and encryptedl
Source: Document.doc.scr.exe, 00000000.00000002.2101878302.00000000013D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory : Your data are stolen and encrypted>6
Source: Document.doc.scr.exe, 00000000.00000002.2101878302.00000000013D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory : Your data are stolen and encrypted46
Source: Document.doc.scr.exe, 00000000.00000002.2101878302.00000000013D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory : Your data are stolen and encryptedB6
Source: Document.doc.scr.exe, 00000000.00000002.2101878302.00000000013D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory : Your data are stolen and encryptedX6
Source: Document.doc.scr.exe, 00000000.00000002.2101878302.00000000013D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory : Your data are stolen and encryptedV6
Modifies existing user documents (likely ransomware behavior)
Source: C:\Users\user\Desktop\Document.doc.scr.exe File moved: C:\Users\user\Desktop\AIXACVYBSB\XZXHAVGRAG.pdf Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File moved: C:\Users\user\Desktop\XZXHAVGRAG\XZXHAVGRAG.docx Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File moved: C:\Users\user\Desktop\BPMLNOBVSB.mp3 Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File moved: C:\Users\user\Desktop\AIXACVYBSB\AIXACVYBSB.docx Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File moved: C:\Users\user\Desktop\VLZDGUKUTZ.png Jump to behavior
Writes many files with high entropy
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{97b27011-f8cc-4ac9-9531-d6ee8ce92324}\Settings.ft.jC7CNxlVt entropy: 7.99924167215 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{76cc83ea-ae96-47fc-9329-459e5ad2d67b}\0.0.filtertrie.intermediate.txt.jC7CNxlVt entropy: 7.99916926048 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{76cc83ea-ae96-47fc-9329-459e5ad2d67b}\Settings.ft.jC7CNxlVt entropy: 7.99913941687 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{0f31ce30-ed3d-4588-b294-208da23711e6}\settingsglobals.txt.jC7CNxlVt entropy: 7.99587528156 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{c58f7468-b990-418e-a4ba-ca3568b01c70}\Apps.ft.jC7CNxlVt entropy: 7.99571821978 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{0f31ce30-ed3d-4588-b294-208da23711e6}\appsglobals.txt.jC7CNxlVt entropy: 7.99946553555 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{0f31ce30-ed3d-4588-b294-208da23711e6}\appssynonyms.txt.jC7CNxlVt entropy: 7.99926475323 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{c58f7468-b990-418e-a4ba-ca3568b01c70}\0.0.filtertrie.intermediate.txt.jC7CNxlVt entropy: 7.99519418233 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Chrome.jC7CNxlVt entropy: 7.99550186667 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\308046B0AF4A39CB.jC7CNxlVt entropy: 7.99437178053 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{0f31ce30-ed3d-4588-b294-208da23711e6}\settingsconversions.txt.jC7CNxlVt entropy: 7.99751125068 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{2c33d893-bc92-487f-aede-304ebfc79509}\Apps.ft.jC7CNxlVt entropy: 7.99630167281 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{2c33d893-bc92-487f-aede-304ebfc79509}\0.0.filtertrie.intermediate.txt.jC7CNxlVt entropy: 7.99520562394 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Temp\wct38F0.tmp.jC7CNxlVt entropy: 7.99775158339 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{0f31ce30-ed3d-4588-b294-208da23711e6}\settingssynonyms.txt.jC7CNxlVt entropy: 7.99802208777 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Temp\wct443C.tmp.jC7CNxlVt entropy: 7.99684378584 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Temp\wctAB5F.tmp.jC7CNxlVt entropy: 7.99764639052 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Temp\wctE4A4.tmp.jC7CNxlVt entropy: 7.99777847377 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Temp\wctDB2E.tmp.jC7CNxlVt entropy: 7.99717599045 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Temp\wctEA40.tmp.jC7CNxlVt entropy: 7.99728743364 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Temp\wct49A7.tmp.jC7CNxlVt entropy: 7.9970471531 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Temp\wctF411.tmp.jC7CNxlVt entropy: 7.9972650729 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_AutoGenerated_{16988324-21C9-05B2-CA60-9B4EC72739D8}.jC7CNxlVt entropy: 7.99474390029 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\https___java_com_help.jC7CNxlVt entropy: 7.99513294948 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\https___java_com_.jC7CNxlVt entropy: 7.99487891406 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Chrome__crx_mpnpojknpmnjdcgaaiekajbnjb.jC7CNxlVt entropy: 7.99505067124 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Chrome__crx_kefjledonknomlcbpllchaibag.jC7CNxlVt entropy: 7.99525109467 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Chrome__crx_fmgjjmmmlfcabfkddbjimcfncm.jC7CNxlVt entropy: 7.99513540808 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Chrome__crx_fhihpiojkboajapmgkhlnakfjf.jC7CNxlVt entropy: 7.99457877648 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Chrome__crx_agimnkijcamfeangaknmldooml.jC7CNxlVt entropy: 7.99454862868 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Chrome__crx_aghbiahbpaeidepookljebhfak.jC7CNxlVt entropy: 7.99512466125 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\308046B0AF4A39CB;PrivateBrowsingAUMID.jC7CNxlVt entropy: 7.99508738469 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_AutoGenerated_{E8B84CFB-B069-BC13-F88F-170904F645E5}.jC7CNxlVt entropy: 7.99537949105 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_AutoGenerated_{E7A33582-E908-3379-5368-5999454DCD83}.jC7CNxlVt entropy: 7.99521302446 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_AutoGenerated_{DAA168DE-4306-C8BC-8C11-B596240BDDED}.jC7CNxlVt entropy: 7.99600003865 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_AutoGenerated_{C804BBA7-FA5F-CBF7-8B55-2096E5F972CB}.jC7CNxlVt entropy: 7.99438343854 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_AutoGenerated_{C1C6F8AC-40A3-0F5C-146F-65A9DC70BBB4}.jC7CNxlVt entropy: 7.99469315973 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_AutoGenerated_{BD3F924E-55FB-A1BA-9DE6-B50F9F2460AC}.jC7CNxlVt entropy: 7.99536227861 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_AutoGenerated_{923DD477-5846-686B-A659-0FCCD73851A8}.jC7CNxlVt entropy: 7.99484256107 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_AutoGenerated_{BB044BFD-25B7-2FAA-22A8-6371A93E0456}.jC7CNxlVt entropy: 7.99434698097 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_AutoGenerated_{8AA47365-B2B3-1961-69EB-F866E376B12F}.jC7CNxlVt entropy: 7.99534877449 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_AutoGenerated_{8ABD94FB-E7D6-84A6-A997-C918EDDE0AE5}.jC7CNxlVt entropy: 7.99548532046 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_AutoGenerated_{116229A7-9A3B-2078-DB5F-B5A20811242C}.jC7CNxlVt entropy: 7.99548160641 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Temp\Diagnostics\EXCEL\App1696334775820156800_6EB929AF-656E-4F43-9731-EA7753E1F1BD.log.jC7CNxlVt entropy: 7.99126919535 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Temp\Diagnostics\EXCEL\App1696334923056622400_BD966DD2-7850-423A-B1D8-7882CE1A6D15.log.jC7CNxlVt entropy: 7.99899371601 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_InternetExplorer_Default.jC7CNxlVt entropy: 7.99471348972 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Temp\Diagnostics\EXCEL\App1696417072488237400_C12D9B44-3468-47BC-9418-BF0A674A2B2F.log.jC7CNxlVt entropy: 7.99920552342 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_AutoGenerated_{F1118828-A0CC-5FEB-85C9-DBFFDF98434A}.jC7CNxlVt entropy: 7.99491869986 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Temp\Diagnostics\EXCEL\App1696417101742322600_290EFEE9-C25A-4857-9F32-D7E6D51B7C09.log.jC7CNxlVt entropy: 7.99908159873 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Temp\Diagnostics\EXCEL\App1696417118050662300_8475A8C9-2447-4BC4-8E46-350AA0582B94.log.jC7CNxlVt entropy: 7.99879038893 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Office_OUTLOOK_EXE_15.jC7CNxlVt entropy: 7.99484994689 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Office_ONENOTE_EXE_15.jC7CNxlVt entropy: 7.99484289482 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Office_OcPubMgr_exe_15.jC7CNxlVt entropy: 7.99540865791 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Office_MSPUB_EXE_15.jC7CNxlVt entropy: 7.99473186797 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Office_MSOUC_EXE_15.jC7CNxlVt entropy: 7.9952028162 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Office_msoev_exe_15.jC7CNxlVt entropy: 7.99475206329 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Office_MSACCESS_EXE_15.jC7CNxlVt entropy: 7.99528224786 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Temp\Diagnostics\EXCEL\App_1696413198165042300_AA3FCB9C-CF1A-4407-8A94-A7D6C220021F.log.jC7CNxlVt entropy: 7.99887297564 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Temp\acrobat_sbx\acroNGLLog.txt.jC7CNxlVt entropy: 7.99334162009 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Office_lync_exe_15.jC7CNxlVt entropy: 7.9948391078 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.6.20320.6 2023-10-04 13-00-50-743.log.jC7CNxlVt entropy: 7.99077474112 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Office_EXCEL_EXE_15.jC7CNxlVt entropy: 7.99561898898 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Office_DATABASECOMPARE_EXE_15.jC7CNxlVt entropy: 7.99584091099 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Office_SPREADSHEETCOMPARE_EXE_15.jC7CNxlVt entropy: 7.99467960759 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_WindowsCalculator_8wekyb3d8bbwe!App.jC7CNxlVt entropy: 7.99552035638 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_WindowsAlarms_8wekyb3d8bbwe!App.jC7CNxlVt entropy: 7.99514409216 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_SkyDrive_Desktop.jC7CNxlVt entropy: 7.99462038558 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Office_WINWORD_EXE_15.jC7CNxlVt entropy: 7.99540283131 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Office_SETLANG_EXE_15.jC7CNxlVt entropy: 7.99529054179 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Office_POWERPNT_EXE_15.jC7CNxlVt entropy: 7.99515790008 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Windows_MediaPlayer32.jC7CNxlVt entropy: 7.99533840617 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Windows_Explorer.jC7CNxlVt entropy: 7.99452677495 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Windows_ControlPanel.jC7CNxlVt entropy: 7.99511357476 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Windows_Computer.jC7CNxlVt entropy: 7.99548553849 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Windows_AdministrativeTools.jC7CNxlVt entropy: 7.99497582878 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_WindowsStore_8wekyb3d8bbwe!App.jC7CNxlVt entropy: 7.99474576978 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_WindowsSoundRecorder_8wekyb3d8bbwe!App.jC7CNxlVt entropy: 7.99555784153 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\content-prefs.sqlite.jC7CNxlVt entropy: 7.99938991158 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite.jC7CNxlVt entropy: 7.99812928036 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm.jC7CNxlVt entropy: 7.99457825389 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json.jC7CNxlVt entropy: 7.9950710788 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite-shm.jC7CNxlVt entropy: 7.9941473817 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db.jC7CNxlVt entropy: 7.99935317412 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\permissions.sqlite.jC7CNxlVt entropy: 7.99824885033 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\protections.sqlite.jC7CNxlVt entropy: 7.9971172896 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-shm.jC7CNxlVt entropy: 7.99402696041 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\webappsstore.sqlite.jC7CNxlVt entropy: 7.99826307285 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\webappsstore.sqlite-shm.jC7CNxlVt entropy: 7.99501442195 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\ls-archive.sqlite.jC7CNxlVt entropy: 7.99865317803 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite.jC7CNxlVt entropy: 7.99606416884 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shm.jC7CNxlVt entropy: 7.99385745121 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite.jC7CNxlVt entropy: 7.99632610207 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shm.jC7CNxlVt entropy: 7.9953891329 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite.jC7CNxlVt entropy: 7.99586231709 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite-shm.jC7CNxlVt entropy: 7.99429265165 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite.jC7CNxlVt entropy: 7.99678680247 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite-shm.jC7CNxlVt entropy: 7.99449233071 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite.jC7CNxlVt entropy: 7.99621407383 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cache2\trash16598\13723.jC7CNxlVt entropy: 7.9958708614 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite-shm.jC7CNxlVt entropy: 7.99491861153 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shm.jC7CNxlVt entropy: 7.99483146011 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cache2\entries\2275F9569F28969C8FC69F9660A75ADD1F8B963B.jC7CNxlVt entropy: 7.99180646076 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cache2\entries\2B8DB5289EFF0A466C21F47412A322A36CEB5044.jC7CNxlVt entropy: 7.99840172983 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cache2\entries\289DBE90018D682BDBFD59A3CAACE9EE538234FD.jC7CNxlVt entropy: 7.99184137632 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cache2\entries\252CE8AC445A184A1F4A1C6C6D4ADB8AE41B7776.jC7CNxlVt entropy: 7.99759560548 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cache2\entries\22F59957B7E08CD6CCFED6AF2A1DF26FE157DF40.jC7CNxlVt entropy: 7.99838363669 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\saved-telemetry-pings\7278f154-e8f4-4235-84c5-c5c1c6af0084.jC7CNxlVt entropy: 7.99759497552 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cache2\entries\3C9B2D192D535C347CDA9FB12BFC88FD40CF0382.jC7CNxlVt entropy: 7.99817444782 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cache2\entries\62FC1E8DCE1991EEB55DE9EFADF47EA578A22AB5.jC7CNxlVt entropy: 7.99289299885 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cache2\entries\44230749A38B6989F56217B435A03E84CCADE62D.jC7CNxlVt entropy: 7.99315241269 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cache2\entries\BDE5E55BCB4604200C70FB908FA76903C94590D3.jC7CNxlVt entropy: 7.99843877927 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\1696333829744.7278f154-e8f4-4235-84c5-c5c1c6af0084.main.jsonlz4.jC7CNxlVt entropy: 7.99120527429 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cache2\entries\D0F48A0632B6C451791F4257697E861961F06A6F.jC7CNxlVt entropy: 7.99529010681 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cache2\entries\E707EC8A256322E87908664A49F800B7B48E0961.jC7CNxlVt entropy: 7.99155975092 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\first_party_sets.db.jC7CNxlVt entropy: 7.99609399172 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cache2\doomed\11719.jC7CNxlVt entropy: 7.99419171554 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State.jC7CNxlVt entropy: 7.99745047365 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1.jC7CNxlVt entropy: 7.99939529516 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\ShaderCache\index.jC7CNxlVt entropy: 7.99923561046 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Windows_Shell_RunDialog.jC7CNxlVt entropy: 7.99420693218 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Windows_RemoteDesktop.jC7CNxlVt entropy: 7.99507827028 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Windows_Photos_8wekyb3d8bbwe!App.jC7CNxlVt entropy: 7.99392350591 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\MSEdge.jC7CNxlVt entropy: 7.99475420587 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_MdSched_exe.jC7CNxlVt entropy: 7.99552259954 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_mspaint_exe.jC7CNxlVt entropy: 7.99533285165 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_msinfo32_exe.jC7CNxlVt entropy: 7.99433212335 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_magnify_exe.jC7CNxlVt entropy: 7.99499141084 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_iscsicpl_exe.jC7CNxlVt entropy: 7.99418100373 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_dfrgui_exe.jC7CNxlVt entropy: 7.9948073713 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_comexp_msc.jC7CNxlVt entropy: 7.99483550575 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_cleanmgr_exe.jC7CNxlVt entropy: 7.99459935545 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_cmd_exe.jC7CNxlVt entropy: 7.99497350251 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_charmap_exe.jC7CNxlVt entropy: 7.99502461523 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_msconfig_exe.jC7CNxlVt entropy: 7.99470960011 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_WFS_exe.jC7CNxlVt entropy: 7.99445822545 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_SnippingTool_exe.jC7CNxlVt entropy: 7.99422636889 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_services_msc.jC7CNxlVt entropy: 7.99464075542 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_RecoveryDrive_exe.jC7CNxlVt entropy: 7.99532342466 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_quickassist_exe.jC7CNxlVt entropy: 7.99455855967 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_psr_exe.jC7CNxlVt entropy: 7.99525636834 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_printmanagement_msc.jC7CNxlVt entropy: 7.99548440016 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_odbcad32_exe.jC7CNxlVt entropy: 7.99483249281 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_osk_exe.jC7CNxlVt entropy: 7.99560932007 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_notepad_exe.jC7CNxlVt entropy: 7.99535850542 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_narrator_exe.jC7CNxlVt entropy: 7.9950320775 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}_AutoIt3_Aut2Exe_Aut2exe_exe.jC7CNxlVt entropy: 7.99540839943 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}_AutoIt3_Au3Info_x64_exe.jC7CNxlVt entropy: 7.99537669522 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}_AutoIt3_Au3Info_exe.jC7CNxlVt entropy: 7.99530277436 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{6D809377-6AF0-444B-8957-A3773F02200E}_Windows NT_Accessories_wordpad_exe.jC7CNxlVt entropy: 7.99547471331 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{6D809377-6AF0-444B-8957-A3773F02200E}_Common Files_Microsoft Shared_Ink_mip_exe.jC7CNxlVt entropy: 7.99485412095 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{6D809377-6AF0-444B-8957-A3773F02200E}_Adobe_Acrobat DC_Acrobat_Acrobat_exe.jC7CNxlVt entropy: 7.99475500883 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{6D809377-6AF0-444B-8957-A3773F02200E}_7-Zip_7zFM_exe.jC7CNxlVt entropy: 7.99496082952 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{6D809377-6AF0-444B-8957-A3773F02200E}_7-Zip_7-zip_chm.jC7CNxlVt entropy: 7.99429785307 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_WindowsPowerShell_v1_0_PowerShell_ISE_exe.jC7CNxlVt entropy: 7.99571809697 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_WindowsPowerShell_v1_0_powershell_exe.jC7CNxlVt entropy: 7.99552924913 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_WF_msc.jC7CNxlVt entropy: 7.99498046183 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}_odbcad32_exe.jC7CNxlVt entropy: 7.99545516285 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}_Java_jre-1_8_bin_javacpl_exe.jC7CNxlVt entropy: 7.99497295912 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}_AutoIt3_SciTE_SciTE_exe.jC7CNxlVt entropy: 7.99534775154 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}_AutoIt3_Extras.jC7CNxlVt entropy: 7.99479086452 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}_AutoIt3_Examples.jC7CNxlVt entropy: 7.99522017998 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}_AutoIt3_AutoIt_chm.jC7CNxlVt entropy: 7.99567538687 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}_AutoIt3_AutoItX_AutoItX_chm.jC7CNxlVt entropy: 7.9952840207 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}_AutoIt3_AutoIt3_x64_exe.jC7CNxlVt entropy: 7.99517945582 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}_AutoIt3_AutoIt3_exe.jC7CNxlVt entropy: 7.99524115439 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}_AutoIt3_AutoIt v3 Website_url.jC7CNxlVt entropy: 7.9953316903 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}_AutoIt3_Aut2Exe_Aut2exe_x64_exe.jC7CNxlVt entropy: 7.99532659724 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AppData\Indexed DB\edb00001.log.jC7CNxlVt entropy: 7.99957823513 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AppData\Indexed DB\edbres00001.jrs.jC7CNxlVt entropy: 7.99970728937 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AppData\Indexed DB\edb.log.jC7CNxlVt entropy: 7.99962404246 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_1.jC7CNxlVt entropy: 7.99933453606 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{F38BF404-1D43-42F2-9305-67DE0B28FC23}_regedit_exe.jC7CNxlVt entropy: 7.99588035337 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}_WindowsPowerShell_v1_0_PowerShell_ISE_exe.jC7CNxlVt entropy: 7.99560987088 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}_WindowsPowerShell_v1_0_powershell_exe.jC7CNxlVt entropy: 7.99504815394 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AppData\Indexed DB\edbtmp.log.jC7CNxlVt entropy: 7.99965299911 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AppData\Indexed DB\edbres00002.jrs.jC7CNxlVt entropy: 7.99963141435 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\GraphiteDawnCache\index.jC7CNxlVt entropy: 7.99930314827 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\GraphiteDawnCache\data_1.jC7CNxlVt entropy: 7.99937356398 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\GrShaderCache\index.jC7CNxlVt entropy: 7.99933631727 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\LocalState\PhotosAppTracing_startedInBGMode.etl.jC7CNxlVt entropy: 7.99724191844 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\LocalState\MediaDb.v1.sqlite-shm.jC7CNxlVt entropy: 7.99520871505 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\ConnectedDevicesPlatform\L.user\ActivitiesCache.db-shm.jC7CNxlVt entropy: 7.99425486193 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\Security\ES_session_storei.jC7CNxlVt entropy: 7.99306983874 Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\915DEAC5D1E15E49646B8A94E04E470958C9BB89.crl.jC7CNxlVt entropy: 7.99756229276 Jump to dropped file
Source: C:\ProgramData\D448.tmp File created: C:\Users\user\Desktop\Document.doc.scr.exe entropy: 7.9972061867 Jump to dropped file
Source: C:\ProgramData\D448.tmp File created: C:\Users\user\Desktop\AAAAAAAAAAAAAAAAAAAA (copy) entropy: 7.9972061867 Jump to dropped file
Source: C:\ProgramData\D448.tmp File created: C:\Users\user\Desktop\BBBBBBBBBBBBBBBBBBBB (copy) entropy: 7.9972061867 Jump to dropped file
Source: C:\ProgramData\D448.tmp File created: C:\Users\user\Desktop\CCCCCCCCCCCCCCCCCCCC (copy) entropy: 7.9972061867 Jump to dropped file
Source: C:\ProgramData\D448.tmp File created: C:\Users\user\Desktop\DDDDDDDDDDDDDDDDDDDD (copy) entropy: 7.9972061867 Jump to dropped file
Source: C:\ProgramData\D448.tmp File created: C:\Users\user\Desktop\EEEEEEEEEEEEEEEEEEEE (copy) entropy: 7.9972061867 Jump to dropped file
Source: C:\ProgramData\D448.tmp File created: C:\Users\user\Desktop\FFFFFFFFFFFFFFFFFFFF (copy) entropy: 7.9972061867 Jump to dropped file
Source: C:\ProgramData\D448.tmp File created: C:\Users\user\Desktop\GGGGGGGGGGGGGGGGGGGG (copy) entropy: 7.9972061867 Jump to dropped file
Source: C:\ProgramData\D448.tmp File created: C:\Users\user\Desktop\HHHHHHHHHHHHHHHHHHHH (copy) entropy: 7.9972061867 Jump to dropped file
Source: C:\ProgramData\D448.tmp File created: C:\Users\user\Desktop\IIIIIIIIIIIIIIIIIIII (copy) entropy: 7.9972061867 Jump to dropped file
Source: C:\ProgramData\D448.tmp File created: C:\Users\user\Desktop\JJJJJJJJJJJJJJJJJJJJ (copy) entropy: 7.9972061867 Jump to dropped file
Source: C:\ProgramData\D448.tmp File created: C:\Users\user\Desktop\KKKKKKKKKKKKKKKKKKKK (copy) entropy: 7.9972061867 Jump to dropped file
Source: C:\ProgramData\D448.tmp File created: C:\Users\user\Desktop\LLLLLLLLLLLLLLLLLLLL (copy) entropy: 7.9972061867 Jump to dropped file
Source: C:\ProgramData\D448.tmp File created: C:\Users\user\Desktop\MMMMMMMMMMMMMMMMMMMM (copy) entropy: 7.9972061867 Jump to dropped file
Source: C:\ProgramData\D448.tmp File created: C:\Users\user\Desktop\NNNNNNNNNNNNNNNNNNNN (copy) entropy: 7.9972061867 Jump to dropped file
Source: C:\ProgramData\D448.tmp File created: C:\Users\user\Desktop\OOOOOOOOOOOOOOOOOOOO (copy) entropy: 7.9972061867 Jump to dropped file
Source: C:\ProgramData\D448.tmp File created: C:\Users\user\Desktop\PPPPPPPPPPPPPPPPPPPP (copy) entropy: 7.9972061867 Jump to dropped file
Source: C:\ProgramData\D448.tmp File created: C:\Users\user\Desktop\QQQQQQQQQQQQQQQQQQQQ (copy) entropy: 7.9972061867 Jump to dropped file
Source: C:\ProgramData\D448.tmp File created: C:\Users\user\Desktop\RRRRRRRRRRRRRRRRRRRR (copy) entropy: 7.9972061867 Jump to dropped file
Source: C:\ProgramData\D448.tmp File created: C:\Users\user\Desktop\SSSSSSSSSSSSSSSSSSSS (copy) entropy: 7.9972061867 Jump to dropped file
Source: C:\ProgramData\D448.tmp File created: C:\Users\user\Desktop\TTTTTTTTTTTTTTTTTTTT (copy) entropy: 7.9972061867 Jump to dropped file
Source: C:\ProgramData\D448.tmp File created: C:\Users\user\Desktop\UUUUUUUUUUUUUUUUUUUU (copy) entropy: 7.9972061867 Jump to dropped file
Source: C:\ProgramData\D448.tmp File created: C:\Users\user\Desktop\VVVVVVVVVVVVVVVVVVVV (copy) entropy: 7.9972061867 Jump to dropped file
Source: C:\ProgramData\D448.tmp File created: C:\Users\user\Desktop\WWWWWWWWWWWWWWWWWWWW (copy) entropy: 7.9972061867 Jump to dropped file
Source: C:\ProgramData\D448.tmp File created: C:\Users\user\Desktop\XXXXXXXXXXXXXXXXXXXX (copy) entropy: 7.9972061867 Jump to dropped file
Source: C:\ProgramData\D448.tmp File created: C:\Users\user\Desktop\YYYYYYYYYYYYYYYYYYYY (copy) entropy: 7.9972061867 Jump to dropped file
Source: C:\ProgramData\D448.tmp File created: C:\Users\user\Desktop\ZZZZZZZZZZZZZZZZZZZZ (copy) entropy: 7.9972061867 Jump to dropped file

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: Document.doc.scr.exe, type: SAMPLE Matched rule: Windows_Ransomware_Lockbit_369e1e94 Author: unknown
Source: 0.0.Document.doc.scr.exe.be0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Lockbit_369e1e94 Author: unknown
Source: 0.2.Document.doc.scr.exe.be0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Lockbit_369e1e94 Author: unknown
Source: 00000000.00000002.2100861125.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Lockbit_369e1e94 Author: unknown
Source: 00000000.00000000.1618448431.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Lockbit_369e1e94 Author: unknown
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: Document.doc.scr.exe
Sample has a suspicious name (potential lure to open the executable)
Source: Document.doc.scr.exe Static file information: Suspicious name
Contains functionality to call native functions
Source: C:\Users\user\Desktop\Document.doc.scr.exe Code function: 0_2_00BF04B4 GetTempFileNameW,CreateFileW,WriteFile,CreateProcessW,NtQueryInformationProcess,NtReadVirtualMemory,NtProtectVirtualMemory,NtWriteVirtualMemory,CreateNamedPipeW,ResumeThread,ConnectNamedPipe, 0_2_00BF04B4
Source: C:\Users\user\Desktop\Document.doc.scr.exe Code function: 0_2_00BE6C98 NtQueryInformationToken, 0_2_00BE6C98
Source: C:\Users\user\Desktop\Document.doc.scr.exe Code function: 0_2_00BE9880 NtClose, 0_2_00BE9880
Source: C:\Users\user\Desktop\Document.doc.scr.exe Code function: 0_2_00BF7034 CreateThread,CreateThread,CreateThread,CreateThread,NtTerminateThread,CreateThread,CreateThread, 0_2_00BF7034
Source: C:\Users\user\Desktop\Document.doc.scr.exe Code function: 0_2_00BEB470 NtProtectVirtualMemory, 0_2_00BEB470
Source: C:\Users\user\Desktop\Document.doc.scr.exe Code function: 0_2_00BEDC60 NtTerminateProcess, 0_2_00BEDC60
Source: C:\Users\user\Desktop\Document.doc.scr.exe Code function: 0_2_00BEB444 NtSetInformationThread, 0_2_00BEB444
Source: C:\Users\user\Desktop\Document.doc.scr.exe Code function: 0_2_00BEE1E8 CreateThread,NtClose, 0_2_00BEE1E8
Source: C:\Users\user\Desktop\Document.doc.scr.exe Code function: 0_2_00BEC28C CreateFileW,WriteFile,WriteFile,NtClose,WriteFile,WriteFile, 0_2_00BEC28C
Source: C:\Users\user\Desktop\Document.doc.scr.exe Code function: 0_2_00BEDE78 SetThreadPriority,ReadFile,WriteFile,WriteFile,NtClose, 0_2_00BEDE78
Source: C:\Users\user\Desktop\Document.doc.scr.exe Code function: 0_2_00BEB674 NtQueryInformationToken, 0_2_00BEB674
Source: C:\Users\user\Desktop\Document.doc.scr.exe Code function: 0_2_00BE6668 CreateFileW,NtAllocateVirtualMemory,WriteFile,SetFilePointerEx,NtFreeVirtualMemory,DeleteFileW, 0_2_00BE6668
Source: C:\Users\user\Desktop\Document.doc.scr.exe Code function: 0_2_00BE7E58 NtQuerySystemInformation,Sleep, 0_2_00BE7E58
Source: C:\Users\user\Desktop\Document.doc.scr.exe Code function: 0_2_00BEC3F8 CreateFileW,WriteFile,RegCreateKeyExW,RegSetValueExW,RegCreateKeyExW,RegSetValueExW,SHChangeNotify,NtClose, 0_2_00BEC3F8
Source: C:\Users\user\Desktop\Document.doc.scr.exe Code function: 0_2_00BE97D8 NtQuerySystemInformation, 0_2_00BE97D8
Source: C:\Users\user\Desktop\Document.doc.scr.exe Code function: 0_2_00BEB3C0 NtSetInformationThread,NtClose, 0_2_00BEB3C0
Source: C:\Users\user\Desktop\Document.doc.scr.exe Code function: 0_2_00BEB734 NtSetInformationProcess,NtSetInformationProcess,NtSetInformationProcess, 0_2_00BEB734
Source: C:\Users\user\Desktop\Document.doc.scr.exe Code function: 0_2_00BE8F68 RtlAdjustPrivilege,NtSetInformationThread, 0_2_00BE8F68
Source: C:\Users\user\Desktop\Document.doc.scr.exe Code function: 0_2_00BE982A NtQuerySystemInformation, 0_2_00BE982A
Source: C:\Users\user\Desktop\Document.doc.scr.exe Code function: 0_2_00BE9811 NtQuerySystemInformation, 0_2_00BE9811
Source: C:\Users\user\Desktop\Document.doc.scr.exe Code function: 0_2_00BE7EA3 NtQuerySystemInformation,Sleep, 0_2_00BE7EA3
Source: C:\Users\user\Desktop\Document.doc.scr.exe Code function: 0_2_00BE7E8A NtQuerySystemInformation,Sleep, 0_2_00BE7E8A
Source: C:\Users\user\Desktop\Document.doc.scr.exe Code function: 0_2_00BE8F66 RtlAdjustPrivilege,NtSetInformationThread, 0_2_00BE8F66
Source: C:\ProgramData\D448.tmp Code function: 9_2_00402760 CreateFileW,ReadFile,NtClose, 9_2_00402760
Source: C:\ProgramData\D448.tmp Code function: 9_2_0040286C NtSetInformationProcess,NtSetInformationProcess,NtSetInformationProcess, 9_2_0040286C
Source: C:\ProgramData\D448.tmp Code function: 9_2_00402F18 CreateFileW,NtAllocateVirtualMemory,WriteFile,SetFilePointerEx,SetFilePointerEx,NtFreeVirtualMemory,NtClose,DeleteFileW, 9_2_00402F18
Source: C:\ProgramData\D448.tmp Code function: 9_2_00401DC2 NtProtectVirtualMemory, 9_2_00401DC2
Source: C:\ProgramData\D448.tmp Code function: 9_2_00401D94 NtSetInformationThread, 9_2_00401D94
Source: C:\ProgramData\D448.tmp Code function: 9_2_004016B4 NtAllocateVirtualMemory,NtAllocateVirtualMemory, 9_2_004016B4
Contains functionality to communicate with device drivers
Source: C:\Users\user\Desktop\Document.doc.scr.exe Code function: 0_2_00BEA68C: GetVolumeNameForVolumeMountPointW,FindFirstVolumeW,GetVolumePathNamesForVolumeNameW,GetDriveTypeW,CreateFileW,DeviceIoControl,FindVolumeClose, 0_2_00BEA68C
Creates files inside the system directory
Source: C:\Windows\splwow64.exe File created: C:\Windows\system32\spool\PRINTERS\00002.SPL
Detected potential crypto function
Source: C:\Users\user\Desktop\Document.doc.scr.exe Code function: 0_2_00BE80B8 0_2_00BE80B8
Source: C:\Users\user\Desktop\Document.doc.scr.exe Code function: 0_2_00BE20AC 0_2_00BE20AC
Source: C:\Users\user\Desktop\Document.doc.scr.exe Code function: 0_2_00BE4D08 0_2_00BE4D08
Source: C:\Users\user\Desktop\Document.doc.scr.exe Code function: 0_2_00BE4D03 0_2_00BE4D03
Source: C:\Users\user\Desktop\Document.doc.scr.exe Code function: 0_2_00BE5218 0_2_00BE5218
Enables security privileges
Source: C:\Users\user\Desktop\Document.doc.scr.exe Process token adjusted: Security
Uses 32bit PE files
Source: Document.doc.scr.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: Document.doc.scr.exe, type: SAMPLE Matched rule: Windows_Ransomware_Lockbit_369e1e94 reference_sample = d61af007f6c792b8fb6c677143b7d0e2533394e28c50737588e40da475c040ee, os = windows, severity = x86, creation_date = 2022-07-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Lockbit, fingerprint = 9cf4c112c0ee708ae64052926681e8351f1ccefeb558c41e875dbd9e4bdcb5f2, id = 369e1e94-3fbb-4828-bb78-89d26e008105, last_modified = 2022-07-18
Source: 0.0.Document.doc.scr.exe.be0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Lockbit_369e1e94 reference_sample = d61af007f6c792b8fb6c677143b7d0e2533394e28c50737588e40da475c040ee, os = windows, severity = x86, creation_date = 2022-07-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Lockbit, fingerprint = 9cf4c112c0ee708ae64052926681e8351f1ccefeb558c41e875dbd9e4bdcb5f2, id = 369e1e94-3fbb-4828-bb78-89d26e008105, last_modified = 2022-07-18
Source: 0.2.Document.doc.scr.exe.be0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Lockbit_369e1e94 reference_sample = d61af007f6c792b8fb6c677143b7d0e2533394e28c50737588e40da475c040ee, os = windows, severity = x86, creation_date = 2022-07-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Lockbit, fingerprint = 9cf4c112c0ee708ae64052926681e8351f1ccefeb558c41e875dbd9e4bdcb5f2, id = 369e1e94-3fbb-4828-bb78-89d26e008105, last_modified = 2022-07-18
Source: 00000000.00000002.2100861125.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Lockbit_369e1e94 reference_sample = d61af007f6c792b8fb6c677143b7d0e2533394e28c50737588e40da475c040ee, os = windows, severity = x86, creation_date = 2022-07-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Lockbit, fingerprint = 9cf4c112c0ee708ae64052926681e8351f1ccefeb558c41e875dbd9e4bdcb5f2, id = 369e1e94-3fbb-4828-bb78-89d26e008105, last_modified = 2022-07-18
Source: 00000000.00000000.1618448431.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Lockbit_369e1e94 reference_sample = d61af007f6c792b8fb6c677143b7d0e2533394e28c50737588e40da475c040ee, os = windows, severity = x86, creation_date = 2022-07-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Lockbit, fingerprint = 9cf4c112c0ee708ae64052926681e8351f1ccefeb558c41e875dbd9e4bdcb5f2, id = 369e1e94-3fbb-4828-bb78-89d26e008105, last_modified = 2022-07-18
Source: download.error.jC7CNxlVt.0.dr Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\block.obj
Source: download.error.jC7CNxlVt.0.dr Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\nkp.obj
Source: download.error.jC7CNxlVt.0.dr Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\usb.obj
Source: download.error.jC7CNxlVt.0.dr Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\tcglib.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: download.error.jC7CNxlVt.0.dr Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\guiddef.obj
Source: download.error.jC7CNxlVt.0.dr Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\ramapi.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: download.error.jC7CNxlVt.0.dr Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\diskapi.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: download.error.jC7CNxlVt.0.dr Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\sdiapi.obj
Source: download.error.jC7CNxlVt.0.dr Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\blockapi.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: download.error.jC7CNxlVt.0.dr Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\uwfapi.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: download.error.jC7CNxlVt.0.dr Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\locate.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: download.error.jC7CNxlVt.0.dr Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\disk.obj
Source: download.error.jC7CNxlVt.0.dr Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\sdiapi.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: download.error.jC7CNxlVt.0.dr Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\blktable.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: download.error.jC7CNxlVt.0.dr Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\blocksup.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: download.error.jC7CNxlVt.0.dr Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\partapi.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: download.error.jC7CNxlVt.0.dr Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\uwfapi.obj
Source: download.error.jC7CNxlVt.0.dr Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\ramapi.obj
Source: download.error.jC7CNxlVt.0.dr Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\debugport.obj
Source: download.error.jC7CNxlVt.0.dr Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\debugport.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: download.error.jC7CNxlVt.0.dr Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\fve.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: download.error.jC7CNxlVt.0.dr Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\fvelog.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: download.error.jC7CNxlVt.0.dr Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\fveretailunlock.obj
Source: download.error.jC7CNxlVt.0.dr Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\blktable.obj
Source: download.error.jC7CNxlVt.0.dr Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\udp.obj
Source: download.error.jC7CNxlVt.0.dr Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\seccmd.obj
Source: download.error.jC7CNxlVt.0.dr Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\uriapi.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: download.error.jC7CNxlVt.0.dr Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\fveretailunlock.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: download.error.jC7CNxlVt.0.dr Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\fvelog.obj
Source: download.error.jC7CNxlVt.0.dr Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\vhdutil.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: download.error.jC7CNxlVt.0.dr Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\vmbusapi.obj
Source: download.error.jC7CNxlVt.0.dr Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\blockapi.obj
Source: download.error.jC7CNxlVt.0.dr Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\vdiskapi.obj
Source: download.error.jC7CNxlVt.0.dr Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\seccmd.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: download.error.jC7CNxlVt.0.dr Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\fileapi.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: download.error.jC7CNxlVt.0.dr Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\serialapi.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: download.error.jC7CNxlVt.0.dr Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\ramdiskvhd.obj
Source: download.error.jC7CNxlVt.0.dr Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\vhd.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: download.error.jC7CNxlVt.0.dr Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\fve.obj
Source: download.error.jC7CNxlVt.0.dr Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\device.obj
Source: download.error.jC7CNxlVt.0.dr Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\edriveapi.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: download.error.jC7CNxlVt.0.dr Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\vmbusapi.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: download.error.jC7CNxlVt.0.dr Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\nbp.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: download.error.jC7CNxlVt.0.dr Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\nkp.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: download.error.jC7CNxlVt.0.dr Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\usb.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: download.error.jC7CNxlVt.0.dr Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\blkcache.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: download.error.jC7CNxlVt.0.dr Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\disk.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: download.error.jC7CNxlVt.0.dr Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\locate.obj
Source: download.error.jC7CNxlVt.0.dr Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\block.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: download.error.jC7CNxlVt.0.dr Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\edriveapi.obj
Source: download.error.jC7CNxlVt.0.dr Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\fileapi.obj
Source: download.error.jC7CNxlVt.0.dr Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\udp.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: download.error.jC7CNxlVt.0.dr Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\device.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: download.error.jC7CNxlVt.0.dr Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\serialapi.obj
Source: download.error.jC7CNxlVt.0.dr Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\vmbus.obj
Source: download.error.jC7CNxlVt.0.dr Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\vmbus.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: download.error.jC7CNxlVt.0.dr Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\devlog.obj
Source: download.error.jC7CNxlVt.0.dr Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\vhd2.obj
Source: download.error.jC7CNxlVt.0.dr Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\blocksup.obj
Source: download.error.jC7CNxlVt.0.dr Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\partition.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: download.error.jC7CNxlVt.0.dr Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\blkcache.obj
Source: download.error.jC7CNxlVt.0.dr Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\uriapi.obj
Source: download.error.jC7CNxlVt.0.dr Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\guiddef.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: download.error.jC7CNxlVt.0.dr Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\tcglib.obj
Source: download.error.jC7CNxlVt.0.dr Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\ramdiskvhd.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: download.error.jC7CNxlVt.0.dr Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\vdiskapi.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: download.error.jC7CNxlVt.0.dr Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\devlog.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: download.error.jC7CNxlVt.0.dr Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\vhdutil.obj
Source: download.error.jC7CNxlVt.0.dr Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\vhd2.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: download.error.jC7CNxlVt.0.dr Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\partapi.obj
Source: download.error.jC7CNxlVt.0.dr Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\udpapi.obj
Source: download.error.jC7CNxlVt.0.dr Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\udpapi.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: download.error.jC7CNxlVt.0.dr Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\partition.obj
Source: download.error.jC7CNxlVt.0.dr Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\nbp.obj
Source: download.error.jC7CNxlVt.0.dr Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\diskapi.obj
Source: download.error.jC7CNxlVt.0.dr Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\vhd.obj
Source: Apps.index.jC7CNxlVt.0.dr Binary or memory string: s.sln
Source: classification engine Classification label: mal100.rans.phis.spyw.evad.winEXE@9/1664@0/0
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\705c7244f57fd9120d0c7bfadb7dbc11
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4828:120:WilError_03
Source: C:\ProgramData\D448.tmp Mutant created: \Sessions\1\BaseNamedObjects\Global\{649F4E29-16CB-DD42-8922-9FFF0592856B}
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Temp\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Windows\splwow64.exe File read: C:\Windows\System32\DriverStore\FileRepository\prnms006.inf_amd64_c3bdcb6fc975b614\SendToOneNote-manifest.ini
Source: C:\Users\user\Desktop\Document.doc.scr.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: Document.doc.scr.exe ReversingLabs: Detection: 86%
Source: Document.doc.scr.exe Virustotal: Detection: 86%
Source: unknown Process created: C:\Users\user\Desktop\Document.doc.scr.exe "C:\Users\user\Desktop\Document.doc.scr.exe"
Source: C:\Users\user\Desktop\Document.doc.scr.exe Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288
Source: unknown Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE /insertdoc "C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\{E6830A1B-81EB-4C98-A5C6-BA0FB0C332A2}.xps" 133585893886890000
Source: C:\Users\user\Desktop\Document.doc.scr.exe Process created: C:\ProgramData\D448.tmp "C:\ProgramData\D448.tmp"
Source: C:\ProgramData\D448.tmp Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\D448.tmp >> NUL
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Document.doc.scr.exe Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288 Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe Process created: C:\ProgramData\D448.tmp "C:\ProgramData\D448.tmp" Jump to behavior
Source: C:\ProgramData\D448.tmp Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\D448.tmp >> NUL
Source: C:\Users\user\Desktop\Document.doc.scr.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe Section loaded: logoncli.dll Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe Section loaded: activeds.dll Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe Section loaded: adsldpc.dll Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe Section loaded: gpedit.dll Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe Section loaded: dssec.dll Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe Section loaded: dsuiext.dll Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe Section loaded: framedynos.dll Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe Section loaded: dsrole.dll Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe Section loaded: ntdsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe Section loaded: authz.dll Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe Section loaded: adsldp.dll Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe Section loaded: mscms.dll Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe Section loaded: coloradapterclient.dll Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\ProgramData\D448.tmp Section loaded: apphelp.dll
Source: C:\ProgramData\D448.tmp Section loaded: rstrtmgr.dll
Source: C:\ProgramData\D448.tmp Section loaded: ncrypt.dll
Source: C:\ProgramData\D448.tmp Section loaded: ntasn1.dll
Source: C:\ProgramData\D448.tmp Section loaded: windows.storage.dll
Source: C:\ProgramData\D448.tmp Section loaded: wldp.dll
Source: C:\ProgramData\D448.tmp Section loaded: kernel.appcore.dll
Source: C:\ProgramData\D448.tmp Section loaded: uxtheme.dll
Source: C:\ProgramData\D448.tmp Section loaded: propsys.dll
Source: C:\ProgramData\D448.tmp Section loaded: profapi.dll
Source: C:\ProgramData\D448.tmp Section loaded: edputil.dll
Source: C:\ProgramData\D448.tmp Section loaded: urlmon.dll
Source: C:\ProgramData\D448.tmp Section loaded: iertutil.dll
Source: C:\ProgramData\D448.tmp Section loaded: srvcli.dll
Source: C:\ProgramData\D448.tmp Section loaded: netutils.dll
Source: C:\ProgramData\D448.tmp Section loaded: windows.staterepositoryps.dll
Source: C:\ProgramData\D448.tmp Section loaded: sspicli.dll
Source: C:\ProgramData\D448.tmp Section loaded: wintypes.dll
Source: C:\ProgramData\D448.tmp Section loaded: appresolver.dll
Source: C:\ProgramData\D448.tmp Section loaded: bcp47langs.dll
Source: C:\ProgramData\D448.tmp Section loaded: slc.dll
Source: C:\ProgramData\D448.tmp Section loaded: userenv.dll
Source: C:\ProgramData\D448.tmp Section loaded: sppc.dll
Source: C:\ProgramData\D448.tmp Section loaded: onecorecommonproxystub.dll
Source: C:\ProgramData\D448.tmp Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\Document.doc.scr.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CB8555CC-9128-11D1-AD9B-00C04FD8FDFF}\InprocServer32 Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File written: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\desktop.ini Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common
Source: Document.doc.scr.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Document.doc.scr.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: ice\HarddiskVolume3\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\C7CNxlVt.README.txt source: Document.doc.scr.exe, 00000000.00000003.1682283519.00000000014FE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2_0 source: Document.doc.scr.exe, 00000000.00000003.1682283519.00000000014FE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\j source: Document.doc.scr.exe, 00000000.00000003.1682283519.00000000014FE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\* source: Document.doc.scr.exe, 00000000.00000003.1682283519.00000000014FE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error.jC7CNxlVt source: Document.doc.scr.exe, 00000000.00000003.1705221595.000000000143D000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1711836076.000000000143D000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1718849776.000000000143D000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1717159713.000000000143D000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1718983651.000000000143D000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1703476299.000000000143D000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1710511244.000000000143D000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1712643035.000000000143D000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1686082464.000000000143D000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1713658697.000000000143D000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1715185404.000000000143D000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1695151935.000000000143D000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1719812875.000000000143D000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1711697152.000000000143D000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1699369432.000000000143D000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1694880017.000000000143D000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1680648061.000000000143D000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1712214810.000000000143D000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1720140260.000000000143D000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1693739427.000000000143D000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1719287121.000000000143D000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1714611951.000000000143D000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1701452290.000000000143D000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1702773878.000000000143D000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1714096402.000000000143D000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1705906875.000000000143D000.00000004.00000020.00020000.00000000.sdmp, Document.d
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: Document.doc.scr.exe, 00000000.00000003.1939184092.00000000013CF000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000002.2101878302.00000000013AE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: WINLOA~1.PDBwinload_prod.pdb source: Document.doc.scr.exe, 00000000.00000003.1679982073.0000000001426000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2p source: Document.doc.scr.exe, 00000000.00000003.1682283519.00000000014FE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mi_exe_stub.pdb source: Document.doc.scr.exe, 00000000.00000003.1678909255.0000000001487000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1678737768.0000000001474000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \\?\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\jC7CNxlVt.README.txt source: Document.doc.scr.exe, 00000000.00000003.1680648061.000000000143D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: WINLOA~1.PDBntkrnlmp.pdb.pdb source: Document.doc.scr.exe, 00000000.00000003.1680648061.0000000001426000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \\?\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error.jC7CNxlVte source: Document.doc.scr.exe, 00000000.00000003.1680648061.000000000143D000.00000004.00000020.00020000.00000000.sdmp
PE file contains an invalid checksum
Source: Document.doc.scr.exe Static PE information: real checksum: 0x266aa should be: 0x3bee8
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Document.doc.scr.exe Code function: 0_2_00BE61EE push esp; retf 0_2_00BE61F6
Source: C:\Users\user\Desktop\Document.doc.scr.exe Code function: 0_2_00BE35D5 push 0000006Ah; retf 0_2_00BE3644
Source: C:\Users\user\Desktop\Document.doc.scr.exe Code function: 0_2_00BE35D3 push 0000006Ah; retf 0_2_00BE3644
Source: C:\Users\user\Desktop\Document.doc.scr.exe Code function: 0_2_00BE356B push 0000006Ah; retf 0_2_00BE3644
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\Videos\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\Searches\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\Saved Games\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\Recent\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\Pictures\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\Pictures\Saved Pictures\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\Pictures\Camera Roll\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\OneDrive\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\Music\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\Links\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\Favorites\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\Favorites\Links\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\Downloads\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\Documents\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\Documents\ZQIXMVQGAH\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\Documents\ZBEDCJPBEY\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\Documents\XZXHAVGRAG\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\Documents\VAMYDFPUND\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\Documents\SFPUSAFIOL\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\Documents\ONBQCLYSPU\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\Documents\KZWFNRXYKI\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\Documents\KATAXZVCPS\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\Documents\HTAGVDFUIE\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\Documents\DTBZGIOOSO\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\Documents\CURQNKVOIX\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\Documents\AIXACVYBSB\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\Desktop\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\Desktop\ZQIXMVQGAH\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\Desktop\ZBEDCJPBEY\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\Desktop\XZXHAVGRAG\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\Desktop\VAMYDFPUND\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\Desktop\SFPUSAFIOL\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\Desktop\ONBQCLYSPU\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\Desktop\KZWFNRXYKI\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\Desktop\KATAXZVCPS\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\Desktop\HTAGVDFUIE\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\Desktop\DTBZGIOOSO\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\Desktop\CURQNKVOIX\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\Desktop\AIXACVYBSB\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\Contacts\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\Skype\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\Skype\RootTools\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\Mozilla\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\to-be-removed\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\temporary\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.files\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3561288849sdhlie.files\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2918063365piupsah.files\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.files\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.files\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.files\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\security_state\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\saved-telemetry-pings\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\minidumps\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\tmp\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\events\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\db\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\events\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\bookmarkbackups\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Pending Pings\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Crash Reports\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Crash Reports\events\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Extensions\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\com.adobe.dunamis\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\com.adobe.dunamis\f2eb6c79-671d-4de2-b7be-3b2eea7abc47\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\com.adobe.dunamis\6d9d9777-7ded-4768-8191-9a707d72b009\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\com.adobe.dunamis\61f56613-c62c-4b17-84dd-62b60d5776aa\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\com.adobe.dunamis\56079431-ea46-4833-94f9-1ff5658cdb1c\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\Adobe\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\Adobe\Sonar\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\Adobe\Sonar\SonarCC\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\Adobe\RTTransfer\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\Adobe\LogTransport2CC\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\Adobe\LogTransport2\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\Adobe\Linguistics\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\Adobe\Headlights\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\Adobe\Flash Player\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\Adobe\Flash Player\NativeCache\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\Adobe\CRLogs\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\Adobe\CRLogs\crashlogs\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\Adobe\Acrobat\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\Adobe\Acrobat\Preflight Acrobat Continuous\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\Security\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\JSCache\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\Forms\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\Collab\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\LocalLow\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\LocalLow\Adobe\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\LocalLow\Adobe\Linguistics\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cookie\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\VideoDecodeStats\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\shared_proto_db\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\shared_proto_db\metadata\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\wasm\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\wasm\index-dir\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\index-dir\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Cache\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Cache\Cache_Data\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\blob_storage\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\blob_storage\d1702bdf-c0c8-42c3-b6d9-e52fd0a57b16\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\LocalLow\Adobe\Acrobat\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\assets\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\Acrobat\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\Acrobat\DesktopNotification\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\Acrobat\DesktopNotification\NotificationsDB\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\VirtualStore\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Temp\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Temp\Symbols\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Temp\mozilla-temp-files\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Temp\Low\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Temp\Diagnostics\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Temp\Diagnostics\EXCEL\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\Acrobat\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\Acrobat\DC\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\Acrobat\DC\SearchEmbdIndex\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Temp\acrocef_low\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Temp\acrobat_sbx\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Temp\acrobat_sbx\Adobe\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Temp\acrobat_sbx\Adobe\Acrobat\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Temp\acrobat_sbx\Adobe\Acrobat\DC\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\SolidDocuments\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\SolidDocuments\Acrobat\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Publishers\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Publishers\8wekyb3d8bbwe\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Publishers\8wekyb3d8bbwe\SettingsContainer\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Publishers\8wekyb3d8bbwe\Microsoft.WindowsAlarms\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Publishers\8wekyb3d8bbwe\Licenses\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Publishers\8wekyb3d8bbwe\Fonts\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\PlaceholderTileLogoFolder\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\PeerDistRepub\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\windows_ie_ac_001\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\windows_ie_ac_001\AC\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\windows_ie_ac_001\AC\Temp\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\TempState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\SystemAppData\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\Settings\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\RoamingState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\LocalState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\LocalCache\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\AppData\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\AC\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\AC\Temp\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\TempState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\SystemAppData\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\Settings\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\RoamingState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalCache\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\AppData\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\AC\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Windows.CBSPreview_cw5n1h2txyewy\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Windows.CBSPreview_cw5n1h2txyewy\TempState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Windows.CBSPreview_cw5n1h2txyewy\SystemAppData\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Windows.CBSPreview_cw5n1h2txyewy\Settings\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Windows.CBSPreview_cw5n1h2txyewy\RoamingState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Windows.CBSPreview_cw5n1h2txyewy\LocalState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Windows.CBSPreview_cw5n1h2txyewy\LocalCache\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Windows.CBSPreview_cw5n1h2txyewy\AppData\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Windows.CBSPreview_cw5n1h2txyewy\AC\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Windows.CBSPreview_cw5n1h2txyewy\AC\Temp\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\TempState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\SystemAppData\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\Settings\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\RoamingState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\LocalState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\LocalCache\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\AppData\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\AC\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\AC\Temp\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\TempState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\SystemAppData\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\Settings\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\RoamingState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\LocalState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\LocalCache\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\AppData\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\AC\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\AC\Temp\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SystemAppData\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\Settings\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\RoamingState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalCache\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AppData\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Temp\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\TempState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\SystemAppData\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\Settings\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\RoamingState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\LocalState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\LocalCache\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\AppData\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\AC\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\AC\Temp\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\TempState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\SystemAppData\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\Settings\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\RoamingState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\LocalState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\LocalCache\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\AppData\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\AC\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\AC\Temp\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\TempState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\SystemAppData\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\Settings\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\RoamingState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\LocalState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\LocalCache\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\AppData\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\AC\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\AC\Temp\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\TempState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\SystemAppData\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\Settings\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\RoamingState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\LocalState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\LocalCache\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\AppData\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\AC\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\AC\Temp\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\TempState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\SystemAppData\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\Settings\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\RoamingState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\LocalState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\LocalCache\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\AppData\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\AC\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\AC\Temp\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\TempState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\SystemAppData\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\Settings\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\RoamingState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\LocalState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\LocalState\DiagOutputDir\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\LocalCache\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\AppData\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\AC\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\AC\Temp\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\TempState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\SystemAppData\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\Settings\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\RoamingState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\LocalState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\LocalCache\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\AppData\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\AC\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\AC\Temp\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxApp_8wekyb3d8bbwe\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxApp_8wekyb3d8bbwe\TempState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxApp_8wekyb3d8bbwe\SystemAppData\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxApp_8wekyb3d8bbwe\Settings\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxApp_8wekyb3d8bbwe\RoamingState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxApp_8wekyb3d8bbwe\LocalState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxApp_8wekyb3d8bbwe\LocalCache\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxApp_8wekyb3d8bbwe\AppData\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxApp_8wekyb3d8bbwe\AC\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxApp_8wekyb3d8bbwe\AC\Temp\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Xbox.TCUI_8wekyb3d8bbwe\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Xbox.TCUI_8wekyb3d8bbwe\TempState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Xbox.TCUI_8wekyb3d8bbwe\SystemAppData\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Xbox.TCUI_8wekyb3d8bbwe\Settings\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Xbox.TCUI_8wekyb3d8bbwe\RoamingState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Xbox.TCUI_8wekyb3d8bbwe\LocalState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Xbox.TCUI_8wekyb3d8bbwe\LocalCache\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Xbox.TCUI_8wekyb3d8bbwe\AppData\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Xbox.TCUI_8wekyb3d8bbwe\AC\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Xbox.TCUI_8wekyb3d8bbwe\AC\Temp\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\TempState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\SystemAppData\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\Settings\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\RoamingState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\LocalState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\LocalCache\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\AppData\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\AC\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\AC\Temp\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\TempState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\SystemAppData\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\Settings\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\RoamingState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\LocalState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\LocalCache\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\AppData\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\AC\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\AC\Temp\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsMaps_8wekyb3d8bbwe\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsMaps_8wekyb3d8bbwe\TempState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsMaps_8wekyb3d8bbwe\SystemAppData\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsMaps_8wekyb3d8bbwe\Settings\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsMaps_8wekyb3d8bbwe\RoamingState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsMaps_8wekyb3d8bbwe\LocalState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsMaps_8wekyb3d8bbwe\LocalCache\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsMaps_8wekyb3d8bbwe\AppData\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsMaps_8wekyb3d8bbwe\AC\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsMaps_8wekyb3d8bbwe\AC\Temp\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\TempState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\SystemAppData\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\Settings\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\RoamingState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\LocalState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\LocalCache\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\AppData\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\AC\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\AC\Temp\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\TempState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\SystemAppData\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\Settings\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\RoamingState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalCache\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\AppData\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\AC\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\AC\Temp\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\AC\BackgroundTransferApi\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCamera_8wekyb3d8bbwe\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCamera_8wekyb3d8bbwe\TempState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCamera_8wekyb3d8bbwe\SystemAppData\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCamera_8wekyb3d8bbwe\Settings\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCamera_8wekyb3d8bbwe\RoamingState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCamera_8wekyb3d8bbwe\LocalState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCamera_8wekyb3d8bbwe\LocalCache\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCamera_8wekyb3d8bbwe\AppData\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCamera_8wekyb3d8bbwe\AC\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCamera_8wekyb3d8bbwe\AC\Temp\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCalculator_8wekyb3d8bbwe\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCalculator_8wekyb3d8bbwe\TempState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCalculator_8wekyb3d8bbwe\SystemAppData\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCalculator_8wekyb3d8bbwe\Settings\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCalculator_8wekyb3d8bbwe\RoamingState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCalculator_8wekyb3d8bbwe\LocalState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCalculator_8wekyb3d8bbwe\LocalCache\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCalculator_8wekyb3d8bbwe\AppData\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCalculator_8wekyb3d8bbwe\AC\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCalculator_8wekyb3d8bbwe\AC\Temp\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsAlarms_8wekyb3d8bbwe\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsAlarms_8wekyb3d8bbwe\TempState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsAlarms_8wekyb3d8bbwe\SystemAppData\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsAlarms_8wekyb3d8bbwe\Settings\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsAlarms_8wekyb3d8bbwe\RoamingState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsAlarms_8wekyb3d8bbwe\LocalState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsAlarms_8wekyb3d8bbwe\LocalCache\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsAlarms_8wekyb3d8bbwe\AppData\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsAlarms_8wekyb3d8bbwe\AC\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsAlarms_8wekyb3d8bbwe\AC\Temp\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\TempState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\SystemAppData\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\Settings\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\RoamingState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\LocalState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\LocalCache\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\AppData\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\AC\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\AC\Temp\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\SystemAppData\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\Settings\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\RoamingState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\LocalState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\LocalCache\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\AppData\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\AC\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\AC\Temp\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\TempState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\SystemAppData\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\Settings\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\RoamingState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\LocalState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\LocalCache\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\AppData\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\AC\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\AC\Temp\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\TempState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\SystemAppData\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\Settings\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\RoamingState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\LocalState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\LocalCache\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\AppData\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\AC\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\AC\Temp\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\TempState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SystemAppData\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\Settings\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\RoamingState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\LocalState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\LocalCache\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\AppData\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\AC\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\AC\Temp\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\TempState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\SystemAppData\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\Settings\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\RoamingState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ShellFeeds\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\Flighting\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{97b27011-f8cc-4ac9-9531-d6ee8ce92324}\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{76cc83ea-ae96-47fc-9329-459e5ad2d67b}\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{0f31ce30-ed3d-4588-b294-208da23711e6}\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{c58f7468-b990-418e-a4ba-ca3568b01c70}\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{2c33d893-bc92-487f-aede-304ebfc79509}\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalCache\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AppData\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AppData\Indexed DB\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AppData\CacheStorage\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Temp\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\TempState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\SystemAppData\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\Settings\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\RoamingState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\LocalState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\LocalCache\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\AppData\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\AC\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\AC\Temp\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\TempState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\SystemAppData\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\Settings\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\RoamingState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\LocalState\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\LocalCache\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\AppData\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\AC\jC7CNxlVt.README.txt Jump to behavior

Hooking and other Techniques for Hiding and Protection
barindex
Deletes itself after installation
Source: C:\ProgramData\D448.tmp Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\D448.tmp >> NUL
Source: C:\ProgramData\D448.tmp Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\D448.tmp >> NUL
Uses an obfuscated file name to hide its real file extension (double extension)
Source: Possible double extension: doc.scr Static PE information: Document.doc.scr.exe
Contains functionality to clear windows event logs (to hide its activities)
Source: C:\Users\user\Desktop\Document.doc.scr.exe Code function: 0_2_00BE91C8 RegCreateKeyExW,RegEnumKeyW,RegCreateKeyExW,RegSetValueExW,RegSetValueExW,OpenEventLogW,ClearEventLogW,CloseEventLog,RegCreateKeyExW,RegEnumKeyW,OpenEventLogW,ClearEventLogW, 0_2_00BE91C8
Source: C:\Users\user\Desktop\Document.doc.scr.exe Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\ProgramData\D448.tmp Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
Source: C:\ProgramData\D448.tmp Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\ProgramData\D448.tmp Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
Source: C:\ProgramData\D448.tmp Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
Source: C:\ProgramData\D448.tmp Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
Source: C:\ProgramData\D448.tmp Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\ProgramData\D448.tmp Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
Source: C:\ProgramData\D448.tmp Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
Source: C:\ProgramData\D448.tmp Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
Source: C:\ProgramData\D448.tmp Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
Source: C:\ProgramData\D448.tmp Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
Source: C:\ProgramData\D448.tmp Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
Source: C:\ProgramData\D448.tmp Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
Source: C:\ProgramData\D448.tmp Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX

Malware Analysis System Evasion
barindex
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Source: C:\Users\user\Desktop\Document.doc.scr.exe Code function: 0_2_00BE10BC 0_2_00BE10BC
Source: C:\ProgramData\D448.tmp Code function: 9_2_00401E28 9_2_00401E28
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: Document.doc.scr.exe, 00000000.00000003.1743563853.0000000001540000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: {7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\FIDDLER2\FIDDLER.EXE11126
Source: Document.doc.scr.exe, 00000000.00000003.1743563853.0000000001540000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: {7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\WINDOWS KITS\10\DEBUGGERS\X64\WINDBG.EXE11179
Source: Document.doc.scr.exe, 00000000.00000003.1743563853.0000000001540000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: {6D809377-6AF0-444B-8957-A3773F02200E}\SUPERANTISPYWARE\SUPERANTISPYWARE.EXE11328
Source: Document.doc.scr.exe, 00000000.00000003.1743563853.0000000001540000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: {6D809377-6AF0-444B-8957-A3773F02200E}\WIRESHARK\WIRESHARK.EXE8327
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Document.doc.scr.exe Code function: 0_2_00BE10BC rdtsc 0_2_00BE10BC
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\Document.doc.scr.exe Code function: 0_2_00BE74BC FindFirstFileExW,FindNextFileW, 0_2_00BE74BC
Source: C:\Users\user\Desktop\Document.doc.scr.exe Code function: 0_2_00BEA094 FindFirstFileExW,FindClose, 0_2_00BEA094
Source: C:\Users\user\Desktop\Document.doc.scr.exe Code function: 0_2_00BE5C24 FindFirstFileW,FindClose,FindNextFileW,FindClose, 0_2_00BE5C24
Source: C:\Users\user\Desktop\Document.doc.scr.exe Code function: 0_2_00BE7590 FindFirstFileExW, 0_2_00BE7590
Source: C:\Users\user\Desktop\Document.doc.scr.exe Code function: 0_2_00BE766C FindFirstFileExW,GetFileAttributesW,FindNextFileW, 0_2_00BE766C
Source: C:\Users\user\Desktop\Document.doc.scr.exe Code function: 0_2_00BEF308 GetFileAttributesW,SetThreadPriority,FindFirstFileExW,FindNextFileW,FindClose, 0_2_00BEF308
Source: C:\ProgramData\D448.tmp Code function: 9_2_0040227C FindFirstFileExW, 9_2_0040227C
Source: C:\ProgramData\D448.tmp Code function: 9_2_0040152C FindFirstFileExW,FindClose,FindNextFileW,FindClose, 9_2_0040152C
Source: C:\Users\user\Desktop\Document.doc.scr.exe Code function: 0_2_00BEA470 GetLogicalDriveStringsW, 0_2_00BEA470
Source: C:\Windows\splwow64.exe Thread delayed: delay time: 120000
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\Acrobat\ Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Local\Temp\Diagnostics\ Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\ Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\ Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\Acrobat\DC\ Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Local\Temp\Diagnostics\EXCEL\ Jump to behavior
Source: Document.doc.scr.exe, 00000000.00000003.1743563853.0000000001540000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: *|vmware workstation 15 player*|vmplayer6438
Source: Document.doc.scr.exe, 00000000.00000003.1683665894.0000000001520000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 10/04/2023 10:58:22.220EXCEL (0x18B4)0x88CMicrosoft ExcelTelemetry Eventb7vzqMediumSendEvent {"EventName":"Office.System.SystemHealthMetadataDeviceConsolidated","Flags":33777031581908737,"InternalSequenceNumber":111,"Time":"2023-10-04T10:58:21.709Z","Rule":"120600.4","Contract":"Office.Legacy.Metadata","Data.ProcTypeText":"x64","Data.ProcessorCount":2,"Data.NumProcShareSingleCore":1,"Data.NumProcShareSingleCache":1,"Data.NumProcPhysCores":2,"Data.ProcSpeedMHz":2000,"Data.IsLaptop":false,"Data.IsTablet":false,"Data.RamMB":4096,"Data.PowerPlatformRole":1,"Data.SysVolSizeMB":50000,"Data.DeviceManufacturer":"VMWare, Inc.","Data.DeviceModel":"VMware20,1","Data.DigitizerInfo":0,"Data.SusClientId":"097C77FB-5D5D-4868-860B-09F4E5B50A53","Data.WindowsSqmMachineId":"92C86F7C-DB2B-4F6A-95AD-98B4A2AE008A","Data.ComputerSystemProductUuidHash":"rC2kkStHpWGLvfAgmQZRz4w5ixE=","Data.DeviceProcessorModel":"Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz","Data.HasSpectreFix":true,"Data.BootDiskType":"SSD"}
Source: Document.doc.scr.exe, 00000000.00000003.1677426803.000000000159B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware, Inc.
Source: Document.doc.scr.exe, 00000000.00000003.1674503550.0000000001488000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 10/03/2023 13:09:52.535OFFICECL (0x2394)0x12d8Telemetry EventbiyhqMediumSendEvent {"EventName": "Office.System.SystemHealthMetadataDeviceConsolidated", "Flags": 33777031581908737, "InternalSequenceNumber": 11, "Time": "2023-10-03T12:09:52Z", "Rule": "120600.4", "AriaTenantToken": "cd836626611c4caaa8fc5b2e728ee81d-3b6d6c45-6377-4bf5-9792-dbf8e1881088-7521", "Contract": "Office.Legacy.Metadata", "Data.ProcTypeText": "x64", "Data.ProcessorCount": 2, "Data.NumProcShareSingleCore": 1, "Data.NumProcShareSingleCache": 1, "Data.NumProcPhysCores": 2, "Data.ProcSpeedMHz": 2000, "Data.IsLaptop": false, "Data.IsTablet": false, "Data.RamMB": 4096, "Data.PowerPlatformRole": 1, "Data.SysVolSizeMB": 50000, "Data.DeviceManufacturer": "VMWare, Inc.", "Data.DeviceModel": "VMware20,1", "Data.DigitizerInfo": 0, "Data.SusClientId": "097C77FB-5D5D-4868-860B-09F4E5B50A53", "Data.WindowsSqmMachineId": "92C86F7C-DB2B-4F6A-95AD-98B4A2AE008A", "Data.ComputerSystemProductUuidHash": "rC2kkStHpWGLvfAgmQZRz4w5ixE=", "Data.DeviceProcessorModel": "Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz", "Data.HasSpectreFix": true, "Data.BootDiskType": "SSD"}
Source: Settings.index.jC7CNxlVt.0.dr Binary or memory string: hyper-v
Source: Document.doc.scr.exe, 00000000.00000003.1743563853.0000000001540000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: *|*|qemu10642
Source: Document.doc.scr.exe, 00000000.00000003.1743563853.0000000001540000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: {6D809377-6AF0-444B-8957-A3773F02200E}\Hyper-V\VMCreate.exe10779
Source: Document.doc.scr.exe, 00000000.00000003.1683665894.0000000001520000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 10/04/2023 10:58:38.204EXCEL (0x1F28)0x1DB0Microsoft ExcelTelemetry Eventb7vzqMediumSendEvent {"EventName":"Office.System.SystemHealthMetadataDeviceConsolidated","Flags":33777031581908737,"InternalSequenceNumber":92,"Time":"2023-10-04T10:58:38.014Z","Rule":"120600.4","Contract":"Office.Legacy.Metadata","Data.ProcTypeText":"x64","Data.ProcessorCount":2,"Data.NumProcShareSingleCore":1,"Data.NumProcShareSingleCache":1,"Data.NumProcPhysCores":2,"Data.ProcSpeedMHz":2000,"Data.IsLaptop":false,"Data.IsTablet":false,"Data.RamMB":4096,"Data.PowerPlatformRole":1,"Data.SysVolSizeMB":50000,"Data.DeviceManufacturer":"VMWare, Inc.","Data.DeviceModel":"VMware20,1","Data.DigitizerInfo":0,"Data.SusClientId":"097C77FB-5D5D-4868-860B-09F4E5B50A53","Data.WindowsSqmMachineId":"92C86F7C-DB2B-4F6A-95AD-98B4A2AE008A","Data.ComputerSystemProductUuidHash":"rC2kkStHpWGLvfAgmQZRz4w5ixE=","Data.DeviceProcessorModel":"Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz","Data.HasSpectreFix":true,"Data.BootDiskType":"SSD"}
Source: Settings.index.jC7CNxlVt.0.dr Binary or memory string: hyper-vOs and f
Source: Document.doc.scr.exe, 00000000.00000003.1743563853.0000000001540000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware.Workstation.vmui7769
Source: Document.doc.scr.exe, 00000000.00000003.1743563853.0000000001540000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware.Workstation.vmplayer8211
Source: Document.doc.scr.exe, 00000000.00000003.1743563853.0000000001540000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: {7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\VMware\Infrastructure\Virtual Infrastructure Client\Launcher\VpxClient.exe8601
Source: Document.doc.scr.exe, 00000000.00000003.1939350231.0000000001404000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000002.2101878302.0000000001403000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2091177762.0000000001403000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1933272646.0000000001404000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Document.doc.scr.exe, 00000000.00000003.1625531147.0000000001419000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \Device\HarddiskVolume1\??\Volume{ad6cc5d8-f1a9-4873-be33-91b2f05e9306}\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
Source: Document.doc.scr.exe, 00000000.00000003.1743563853.0000000001540000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: *|vmware horizon client*|vm ware8394
Source: Document.doc.scr.exe, 00000000.00000003.1743563853.0000000001540000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: *|vmware vsphere client*|vspe6388
Source: Document.doc.scr.exe, 00000000.00000003.1743563853.0000000001540000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: *|vmware horizon client*|vdi3894
Source: Document.doc.scr.exe, 00000000.00000003.1887493807.00000000015A4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware20,1
Source: Document.doc.scr.exe, 00000000.00000003.1743563853.0000000001540000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: *|vmware horizon client*|view5503
Source: Document.doc.scr.exe, 00000000.00000003.1743563853.0000000001540000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: *|vmware workstation 12 player*|vmpl5459
Source: Document.doc.scr.exe, 00000000.00000003.1743563853.0000000001540000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: *|*|vmware6886
Source: Document.doc.scr.exe, 00000000.00000003.1743563853.0000000001540000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: *|vmware vsphere client*|vcenter5038
Source: Document.doc.scr.exe, 00000000.00000003.1743563853.0000000001540000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: *|vmware horizon client*|vmare7220
Source: Document.doc.scr.exe, 00000000.00000003.1743563853.0000000001540000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware.Horizon.Client8097
Source: C:\Users\user\Desktop\Document.doc.scr.exe Process information queried: ProcessInformation

Anti Debugging
barindex
Hides threads from debuggers
Source: C:\Users\user\Desktop\Document.doc.scr.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\ProgramData\D448.tmp Thread information set: HideFromDebugger
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Document.doc.scr.exe Code function: 0_2_00BE10BC rdtsc 0_2_00BE10BC
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\Document.doc.scr.exe Code function: 0_2_00BE5A20 LdrLoadDll, 0_2_00BE5A20
Enables debug privileges
Source: C:\Users\user\Desktop\Document.doc.scr.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\Document.doc.scr.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\Document.doc.scr.exe Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion
barindex
Writes to foreign memory regions
Source: C:\Users\user\Desktop\Document.doc.scr.exe Memory written: C:\ProgramData\D448.tmp base: 401000 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Document.doc.scr.exe Process created: C:\ProgramData\D448.tmp "C:\ProgramData\D448.tmp" Jump to behavior
Source: C:\ProgramData\D448.tmp Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\D448.tmp >> NUL
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\Document.doc.scr.exe Code function: 0_2_00BE10BC cpuid 0_2_00BE10BC
Contains functionality to query locales information (e.g. system language)
Source: C:\ProgramData\D448.tmp Code function: EntryPoint,ExitProcess,GetModuleHandleW,GetCommandLineW,GetModuleHandleA,GetCommandLineW,GetLocaleInfoW,GetLastError,FreeLibrary,FreeLibrary,GetProcAddress,CreateWindowExW,DefWindowProcW,GetWindowTextW,LoadMenuW,LoadMenuW,DefWindowProcW,SetTextColor,GetTextCharset,TextOutW,SetTextColor,GetTextColor,CreateFontW,GetTextColor,CreateDIBitmap,SelectObject,GetTextColor,CreateFontW, 9_2_00403983
Source: C:\Users\user\Desktop\Document.doc.scr.exe Code function: 0_2_00BF04B4 GetTempFileNameW,CreateFileW,WriteFile,CreateProcessW,NtQueryInformationProcess,NtReadVirtualMemory,NtProtectVirtualMemory,NtWriteVirtualMemory,CreateNamedPipeW,ResumeThread,ConnectNamedPipe, 0_2_00BF04B4

Lowering of HIPS / PFW / Operating System Security Settings
barindex
Overwrites Mozilla Firefox settings
Source: C:\Users\user\Desktop\Document.doc.scr.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\to-be-removed\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\temporary\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.files\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3561288849sdhlie.files\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2918063365piupsah.files\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.files\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.files\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.files\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\security_state\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\saved-telemetry-pings\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\minidumps\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\tmp\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\events\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\db\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\events\jC7CNxlVt.README.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\bookmarkbackups\jC7CNxlVt.README.txt Jump to behavior

Stealing of Sensitive Information
barindex
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\1696333829702.cde8135c-88c3-4c34-8670-7ef017742548.new-profile.jsonlz4 Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\events\background-update Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\a5d6ec76-765c-4778-afd2-1e05a1554d8e.jC7CNxlVt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini.jC7CNxlVt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\1696333834620.c7889da7-33f0-4599-8452-58d47c58437b.main.jsonlz4 Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shm Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite.jC7CNxlVt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\content-prefs.sqlite Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\pkcs11.txt.jC7CNxlVt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite-shm Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\1696333829744.7278f154-e8f4-4235-84c5-c5c1c6af0084.main.jsonlz4 Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\saved-telemetry-pings\6fc53411-ad83-4cf6-a5f6-905f0f3f52e8.jC7CNxlVt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\protections.sqlite.jC7CNxlVt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\1435a377-bbaf-4c9c-8706-0811a779fa3f Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\.metadata-v2 Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\.metadata-v2.jC7CNxlVt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\protections.sqlite Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\808127e8-e7ed-4078-b3f3-7f09061a011f Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\times.json Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\permissions.sqlite Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\search.json.mozlz4.jC7CNxlVt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite-shm.jC7CNxlVt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\previous.jsonlz4.jC7CNxlVt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\times.json.jC7CNxlVt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json.jC7CNxlVt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite.jC7CNxlVt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\shield-preference-experiments.json.jC7CNxlVt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\xulstore.json.jC7CNxlVt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite-shm.jC7CNxlVt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\webappsstore.sqlite Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\1696333857860.81ddb4cc-1d49-45f2-961f-e24ea6db2be5.health.jsonlz4 Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shm.jC7CNxlVt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shm Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\compatibility.ini.jC7CNxlVt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\Telemetry.FailedProfileLocks.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\12f997af-c065-4562-b9f6-11000bb95c9b Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\277ffbb3-8e94-4f3f-acac-7a401d130160.jC7CNxlVt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\xulstore.json Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\1d5599c8-3f43-42cc-8163-9a43c60a06d1 Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\1696333834580.6fc53411-ad83-4cf6-a5f6-905f0f3f52e8.health.jsonlz4 Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore.jsonlz4.jC7CNxlVt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\state.json.jC7CNxlVt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\compatibility.ini Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\1696333829744.7278f154-e8f4-4235-84c5-c5c1c6af0084.main.jsonlz4.jC7CNxlVt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite-shm Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\handlers.json.jC7CNxlVt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\1696333829746.67aa4432-87f8-463e-b422-f6679add9971.first-shutdown.jsonlz4.jC7CNxlVt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\pkcs11.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\saved-telemetry-pings\7278f154-e8f4-4235-84c5-c5c1c6af0084.jC7CNxlVt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\webappsstore.sqlite.jC7CNxlVt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\78267ebf-1fb3-4b11-82e9-903e54a2a54e Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\saved-telemetry-pings\45e26519-596d-41a5-b290-e547b44111fd.jC7CNxlVt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\1696333829702.cde8135c-88c3-4c34-8670-7ef017742548.new-profile.jsonlz4.jC7CNxlVt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4 Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage.sqlite Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm.jC7CNxlVt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\times.json Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json.jC7CNxlVt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\saved-telemetry-pings\6fc53411-ad83-4cf6-a5f6-905f0f3f52e8 Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\1696333829746.67aa4432-87f8-463e-b422-f6679add9971.first-shutdown.jsonlz4 Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db.jC7CNxlVt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\05d02ac8-b2f1-4670-8541-db8ec2bbf427.jC7CNxlVt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\1435a377-bbaf-4c9c-8706-0811a779fa3f.jC7CNxlVt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\saved-telemetry-pings\7278f154-e8f4-4235-84c5-c5c1c6af0084 Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shm Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\saved-telemetry-pings\45e26519-596d-41a5-b290-e547b44111fd Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4.jC7CNxlVt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\Telemetry.FailedProfileLocks.txt.jC7CNxlVt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite.jC7CNxlVt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite-shm Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\a5d6ec76-765c-4778-afd2-1e05a1554d8e Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite.jC7CNxlVt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\events\background-update.jC7CNxlVt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\1696333857860.81ddb4cc-1d49-45f2-961f-e24ea6db2be5.health.jsonlz4.jC7CNxlVt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\SiteSecurityServiceState.txt.jC7CNxlVt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\handlers.json Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\3a40aaf9-3f8b-43a2-85e8-88e3ffc7666f.jC7CNxlVt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\upgrade.jsonlz4-20230927232528.jC7CNxlVt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite.jC7CNxlVt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite-shm.jC7CNxlVt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\AlternateServices.txt.jC7CNxlVt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\7d12ac42-15c3-4db9-abfe-259bc8d249ac Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\containers.json.jC7CNxlVt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite.jC7CNxlVt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\shield-preference-experiments.json Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\15f01145-7764-450b-9ad5-323693350a9c Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\content-prefs.sqlite.jC7CNxlVt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\previous.jsonlz4 Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-shm.jC7CNxlVt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\1696333857869.95af30ae-acac-4802-b983-233d7fd3cf34.main.jsonlz4.jC7CNxlVt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\1696333857833.45e26519-596d-41a5-b290-e547b44111fd.health.jsonlz4 Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore.jsonlz4 Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-shm Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\webappsstore.sqlite-shm Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\state.json Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\1696333857860.a73949a2-5a70-4025-8008-88156c16bb4a.event.jsonlz4 Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\a7174184-f177-48c4-876a-8a51c2ed8fbc Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\1696333829737.9f7a5e7a-2be0-4ff7-b132-b1f6e59a8e58.event.jsonlz4 Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\1696333834606.011115ff-9301-40fc-805e-ba07b7fdfce4.event.jsonlz4.jC7CNxlVt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\808127e8-e7ed-4078-b3f3-7f09061a011f.jC7CNxlVt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\1696333834608.65054280-9d54-477d-a3ea-afcb1f88e001.health.jsonlz4 Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite.jC7CNxlVt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionCheckpoints.json Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\containers.json Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\events\events Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extension-preferences.json.jC7CNxlVt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\session-state.json Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite.jC7CNxlVt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\ls-archive.sqlite.jC7CNxlVt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\05d02ac8-b2f1-4670-8541-db8ec2bbf427 Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\7d12ac42-15c3-4db9-abfe-259bc8d249ac.jC7CNxlVt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionCheckpoints.json.jC7CNxlVt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\1696333857869.95af30ae-acac-4802-b983-233d7fd3cf34.main.jsonlz4 Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js.jC7CNxlVt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite-shm.jC7CNxlVt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\events\events.jC7CNxlVt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\session-state.json.jC7CNxlVt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\1696333834580.6fc53411-ad83-4cf6-a5f6-905f0f3f52e8.health.jsonlz4.jC7CNxlVt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extension-preferences.json Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\times.json.jC7CNxlVt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\15f01145-7764-450b-9ad5-323693350a9c.jC7CNxlVt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\AlternateServices.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\1696333857860.a73949a2-5a70-4025-8008-88156c16bb4a.event.jsonlz4.jC7CNxlVt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shm.jC7CNxlVt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\3a40aaf9-3f8b-43a2-85e8-88e3ffc7666f Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\ls-archive.sqlite Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\1d5599c8-3f43-42cc-8163-9a43c60a06d1.jC7CNxlVt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\SiteSecurityServiceState.txt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\12f997af-c065-4562-b9f6-11000bb95c9b.jC7CNxlVt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\upgrade.jsonlz4-20230927232528 Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite.jC7CNxlVt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\1696333834620.c7889da7-33f0-4599-8452-58d47c58437b.main.jsonlz4.jC7CNxlVt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage.sqlite.jC7CNxlVt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\targeting.snapshot.json Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\webappsstore.sqlite-shm.jC7CNxlVt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\permissions.sqlite.jC7CNxlVt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\search.json.mozlz4 Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\1696333829737.9f7a5e7a-2be0-4ff7-b132-b1f6e59a8e58.event.jsonlz4.jC7CNxlVt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db.jC7CNxlVt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\targeting.snapshot.json.jC7CNxlVt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\1696333857833.45e26519-596d-41a5-b290-e547b44111fd.health.jsonlz4.jC7CNxlVt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shm.jC7CNxlVt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\1696333834608.65054280-9d54-477d-a3ea-afcb1f88e001.health.jsonlz4.jC7CNxlVt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite-shm Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\277ffbb3-8e94-4f3f-acac-7a401d130160 Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\a7174184-f177-48c4-876a-8a51c2ed8fbc.jC7CNxlVt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\78267ebf-1fb3-4b11-82e9-903e54a2a54e.jC7CNxlVt Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\1696333834606.011115ff-9301-40fc-805e-ba07b7fdfce4.event.jsonlz4 Jump to behavior
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1432010 Sample: Document.doc.scr.exe Startdate: 26/04/2024 Architecture: WINDOWS Score: 100 40 Multi AV Scanner detection for domain / URL 2->40 42 Malicious sample detected (through community Yara rule) 2->42 44 Antivirus detection for URL or domain 2->44 46 9 other signatures 2->46 8 Document.doc.scr.exe 32 1002 2->8         started        12 ONENOTE.EXE 2->12         started        process3 file4 24 C:\Users\user\...\xulstore.json.jC7CNxlVt, data 8->24 dropped 26 C:\Users\...\webappsstore.sqlite.jC7CNxlVt, data 8->26 dropped 28 C:\...\webappsstore.sqlite-shm.jC7CNxlVt, data 8->28 dropped 30 265 other files (261 malicious) 8->30 dropped 48 Found potential ransomware demand text 8->48 50 Found Tor onion address 8->50 52 Contains functionality to detect hardware virtualization (CPUID execution measurement) 8->52 54 8 other signatures 8->54 14 D448.tmp 8->14         started        18 splwow64.exe 8->18         started        signatures5 process6 file7 32 C:\Users\user\...\ZZZZZZZZZZZZZZZZZZZZ (copy), data 14->32 dropped 34 C:\Users\user\...\YYYYYYYYYYYYYYYYYYYY (copy), data 14->34 dropped 36 C:\Users\user\...\XXXXXXXXXXXXXXXXXXXX (copy), data 14->36 dropped 38 24 other malicious files 14->38 dropped 56 Contains functionality to detect hardware virtualization (CPUID execution measurement) 14->56 58 Writes many files with high entropy 14->58 60 Hides threads from debuggers 14->60 62 Deletes itself after installation 14->62 20 cmd.exe 14->20         started        signatures8 process9 process10 22 conhost.exe 20->22         started       
No contacted IP infos