Edit tour

Windows Analysis Report
Document.doc.scr.exe

Overview

General Information

Sample name:	Document.doc.scr.exe
Analysis ID:	1432010
MD5:	407ea767aa26ae13f9ff20d0999c8dda
SHA1:	07e615132ef78e827047ffc4cc6c9d44f5a976fd
SHA256:	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4
Tags:	BlackMatterexescr
Infos:

Detection

LockBit ransomware, TrojanRansom

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Found ransom note / readme

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Yara detected LockBit ransomware

Yara detected TrojanRansom

Changes the wallpaper picture

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Deletes itself after installation

Found Tor onion address

Found potential ransomware demand text

Hides threads from debuggers

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Modifies existing user documents (likely ransomware behavior)

Overwrites Mozilla Firefox settings

Sample has a suspicious name (potential lure to open the executable)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Uses an obfuscated file name to hide its real file extension (double extension)

Writes many files with high entropy

Writes to foreign memory regions

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to clear windows event logs (to hide its activities)

Contains functionality to communicate with device drivers

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Enables debug privileges

Enables security privileges

PE file contains an invalid checksum

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Potentially Suspicious Desktop Background Change Via Registry

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

Document.doc.scr.exe (PID: 5320 cmdline: "C:\Users\user\Desktop\Document.doc.scr.exe" MD5: 407EA767AA26AE13F9FF20D0999C8DDA)

splwow64.exe (PID: 2696 cmdline: C:\Windows\splwow64.exe 12288 MD5: 77DE7761B037061C7C112FD3C5B91E73)

D448.tmp (PID: 1028 cmdline: "C:\ProgramData\D448.tmp" MD5: 294E9F64CB1642DD89229FFF0592856B)

cmd.exe (PID: 932 cmdline: "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\D448.tmp >> NUL MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 4828 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

ONENOTE.EXE (PID: 3748 cmdline: /insertdoc "C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\{E6830A1B-81EB-4C98-A5C6-BA0FB0C332A2}.xps" 133585893886890000 MD5: 0061760D72416BCF5F2D9FA6564F0BEA)

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
Document.doc.scr.exe	JoeSecurity_LockBit_ransomware	Yara detected LockBit ransomware	Joe Security
Document.doc.scr.exe	Windows_Ransomware_Lockbit_369e1e94	unknown	unknown	0x1861d:$a2: 8B EC 53 56 57 33 C0 8B 5D 14 33 C9 33 D2 8B 75 0C 8B 7D 08 85 F6 74 33 55 8B 6D 10 8A 54 0D 00 02 D3 8A 5C 15 00 8A 54 1D 00 0x4bc:$a3: 53 51 6A 01 58 0F A2 F7 C1 00 00 00 40 0F 95 C0 84 C0 74 09 0F C7 F0 0F C7 F2 59 5B C3 6A 07 58 33 C9 0F A2 F7 C3 00 00 04 00 0F 95 C0 84 C0 74 09 0F C7 F8 0F C7 FA 59 5B C3 0F 31 8B C8 C1 C9 ...

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.2100861125.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp	JoeSecurity_LockBit_ransomware	Yara detected LockBit ransomware	Joe Security
00000000.00000002.2100861125.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp	Windows_Ransomware_Lockbit_369e1e94	unknown	unknown	0x1841d:$a2: 8B EC 53 56 57 33 C0 8B 5D 14 33 C9 33 D2 8B 75 0C 8B 7D 08 85 F6 74 33 55 8B 6D 10 8A 54 0D 00 02 D3 8A 5C 15 00 8A 54 1D 00 0xbc:$a3: 53 51 6A 01 58 0F A2 F7 C1 00 00 00 40 0F 95 C0 84 C0 74 09 0F C7 F0 0F C7 F2 59 5B C3 6A 07 58 33 C9 0F A2 F7 C3 00 00 04 00 0F 95 C0 84 C0 74 09 0F C7 F8 0F C7 FA 59 5B C3 0F 31 8B C8 C1 C9 ...
00000000.00000003.2091177762.00000000013F1000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_LockBit_ransomware	Yara detected LockBit ransomware	Joe Security
00000000.00000000.1618448431.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp	JoeSecurity_LockBit_ransomware	Yara detected LockBit ransomware	Joe Security
00000000.00000000.1618448431.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp	Windows_Ransomware_Lockbit_369e1e94	unknown	unknown	0x1841d:$a2: 8B EC 53 56 57 33 C0 8B 5D 14 33 C9 33 D2 8B 75 0C 8B 7D 08 85 F6 74 33 55 8B 6D 10 8A 54 0D 00 02 D3 8A 5C 15 00 8A 54 1D 00 0xbc:$a3: 53 51 6A 01 58 0F A2 F7 C1 00 00 00 40 0F 95 C0 84 C0 74 09 0F C7 F0 0F C7 F2 59 5B C3 6A 07 58 33 C9 0F A2 F7 C3 00 00 04 00 0F 95 C0 84 C0 74 09 0F C7 F8 0F C7 FA 59 5B C3 0F 31 8B C8 C1 C9 ...
00000000.00000002.2101878302.00000000013D9000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_LockBit_ransomware	Yara detected LockBit ransomware	Joe Security
Process Memory Space: Document.doc.scr.exe PID: 5320	JoeSecurity_LockBit_ransomware	Yara detected LockBit ransomware	Joe Security
Process Memory Space: Document.doc.scr.exe PID: 5320	JoeSecurity_TrojanRansom	Yara detected TrojanRansom	Joe Security
Click to see the 3 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.Document.doc.scr.exe.be0000.0.unpack	JoeSecurity_LockBit_ransomware	Yara detected LockBit ransomware	Joe Security
0.0.Document.doc.scr.exe.be0000.0.unpack	Windows_Ransomware_Lockbit_369e1e94	unknown	unknown	0x1861d:$a2: 8B EC 53 56 57 33 C0 8B 5D 14 33 C9 33 D2 8B 75 0C 8B 7D 08 85 F6 74 33 55 8B 6D 10 8A 54 0D 00 02 D3 8A 5C 15 00 8A 54 1D 00 0x4bc:$a3: 53 51 6A 01 58 0F A2 F7 C1 00 00 00 40 0F 95 C0 84 C0 74 09 0F C7 F0 0F C7 F2 59 5B C3 6A 07 58 33 C9 0F A2 F7 C3 00 00 04 00 0F 95 C0 84 C0 74 09 0F C7 F8 0F C7 FA 59 5B C3 0F 31 8B C8 C1 C9 ...
0.2.Document.doc.scr.exe.be0000.0.unpack	JoeSecurity_LockBit_ransomware	Yara detected LockBit ransomware	Joe Security
0.2.Document.doc.scr.exe.be0000.0.unpack	Windows_Ransomware_Lockbit_369e1e94	unknown	unknown	0x1861d:$a2: 8B EC 53 56 57 33 C0 8B 5D 14 33 C9 33 D2 8B 75 0C 8B 7D 08 85 F6 74 33 55 8B 6D 10 8A 54 0D 00 02 D3 8A 5C 15 00 8A 54 1D 00 0x4bc:$a3: 53 51 6A 01 58 0F A2 F7 C1 00 00 00 40 0F 95 C0 84 C0 74 09 0F C7 F0 0F C7 F2 59 5B C3 6A 07 58 33 C9 0F A2 F7 C3 00 00 04 00 0F 95 C0 84 C0 74 09 0F C7 F8 0F C7 FA 59 5B C3 0F 31 8B C8 C1 C9 ...

Sigma Signatures

System Summary

Sigma detected: Potentially Suspicious Desktop Background Change Via Registry

Source: Registry Key set

Author: Nasreddine Bencherchali (Nextron Systems), Stephen Lincoln @slincoln-aiq (AttackIQ): Data: Details: C:\ProgramData\jC7CNxlVt.bmp, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\Document.doc.scr.exe, ProcessId: 5320, TargetObject: HKEY_CURRENT_USER\Control Panel\Desktop\WallPaper

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Document.doc.scr.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion

Avira URL Cloud: Label: malware

Multi AV Scanner detection for domain / URL

Source: http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion

Virustotal: Detection: 12%

Perma Link

Multi AV Scanner detection for submitted file

Source: Document.doc.scr.exe	ReversingLabs: Detection: 86%
Source: Document.doc.scr.exe	Virustotal: Detection: 86%			Perma Link

Machine Learning detection for sample

Source: Document.doc.scr.exe

Joe Sandbox ML: detected

Source: Document.doc.scr.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Videos\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Searches\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Saved Games\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Recent\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Pictures\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Pictures\Saved Pictures\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Pictures\Camera Roll\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\OneDrive\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Music\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Links\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Favorites\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Favorites\Links\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Downloads\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Documents\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Documents\ZQIXMVQGAH\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Documents\ZBEDCJPBEY\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Documents\XZXHAVGRAG\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Documents\VAMYDFPUND\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Documents\SFPUSAFIOL\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Documents\ONBQCLYSPU\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Documents\KZWFNRXYKI\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Documents\KATAXZVCPS\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Documents\HTAGVDFUIE\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Documents\DTBZGIOOSO\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Documents\CURQNKVOIX\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Documents\AIXACVYBSB\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Desktop\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Desktop\ZQIXMVQGAH\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Desktop\ZBEDCJPBEY\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Desktop\XZXHAVGRAG\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Desktop\VAMYDFPUND\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Desktop\SFPUSAFIOL\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Desktop\ONBQCLYSPU\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Desktop\KZWFNRXYKI\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Desktop\KATAXZVCPS\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Desktop\HTAGVDFUIE\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Desktop\DTBZGIOOSO\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Desktop\CURQNKVOIX\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Desktop\AIXACVYBSB\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Contacts\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Skype\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Skype\RootTools\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\to-be-removed\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\temporary\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.files\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3561288849sdhlie.files\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2918063365piupsah.files\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.files\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.files\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.files\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\security_state\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\saved-telemetry-pings\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\minidumps\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\tmp\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\events\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\db\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\events\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\bookmarkbackups\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Pending Pings\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Crash Reports\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Crash Reports\events\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Extensions\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\com.adobe.dunamis\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\com.adobe.dunamis\f2eb6c79-671d-4de2-b7be-3b2eea7abc47\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\com.adobe.dunamis\6d9d9777-7ded-4768-8191-9a707d72b009\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\com.adobe.dunamis\61f56613-c62c-4b17-84dd-62b60d5776aa\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\com.adobe.dunamis\56079431-ea46-4833-94f9-1ff5658cdb1c\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Adobe\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Adobe\Sonar\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Adobe\Sonar\SonarCC\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Adobe\RTTransfer\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Adobe\LogTransport2CC\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Adobe\LogTransport2\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Adobe\Linguistics\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Adobe\Headlights\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Adobe\Flash Player\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Adobe\Flash Player\NativeCache\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Adobe\CRLogs\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Adobe\CRLogs\crashlogs\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Adobe\Acrobat\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Adobe\Acrobat\Preflight Acrobat Continuous\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\Security\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\JSCache\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\Forms\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\Collab\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\LocalLow\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\Linguistics\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cookie\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\VideoDecodeStats\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\shared_proto_db\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\shared_proto_db\metadata\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\wasm\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\wasm\index-dir\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\index-dir\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Cache\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Cache\Cache_Data\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\blob_storage\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\blob_storage\d1702bdf-c0c8-42c3-b6d9-e52fd0a57b16\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\Acrobat\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\assets\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\Acrobat\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\Acrobat\DesktopNotification\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\Acrobat\DesktopNotification\NotificationsDB\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\VirtualStore\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\Symbols\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\mozilla-temp-files\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\Low\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\Diagnostics\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\Diagnostics\EXCEL\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\Acrobat\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\Acrobat\DC\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\Acrobat\DC\SearchEmbdIndex\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\acrocef_low\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\acrobat_sbx\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\acrobat_sbx\Adobe\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\acrobat_sbx\Adobe\Acrobat\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\acrobat_sbx\Adobe\Acrobat\DC\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\SolidDocuments\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\SolidDocuments\Acrobat\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Publishers\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Publishers\8wekyb3d8bbwe\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Publishers\8wekyb3d8bbwe\SettingsContainer\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Publishers\8wekyb3d8bbwe\Microsoft.WindowsAlarms\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Publishers\8wekyb3d8bbwe\Licenses\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Publishers\8wekyb3d8bbwe\Fonts\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\PlaceholderTileLogoFolder\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\PeerDistRepub\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\windows_ie_ac_001\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\windows_ie_ac_001\AC\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\windows_ie_ac_001\AC\Temp\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\TempState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\SystemAppData\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\Settings\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\RoamingState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\LocalState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\LocalCache\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\AppData\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\AC\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\AC\Temp\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\TempState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\SystemAppData\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\Settings\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\RoamingState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalCache\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\AppData\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\AC\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Windows.CBSPreview_cw5n1h2txyewy\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Windows.CBSPreview_cw5n1h2txyewy\TempState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Windows.CBSPreview_cw5n1h2txyewy\SystemAppData\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Windows.CBSPreview_cw5n1h2txyewy\Settings\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Windows.CBSPreview_cw5n1h2txyewy\RoamingState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Windows.CBSPreview_cw5n1h2txyewy\LocalState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Windows.CBSPreview_cw5n1h2txyewy\LocalCache\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Windows.CBSPreview_cw5n1h2txyewy\AppData\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Windows.CBSPreview_cw5n1h2txyewy\AC\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Windows.CBSPreview_cw5n1h2txyewy\AC\Temp\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\TempState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\SystemAppData\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\Settings\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\RoamingState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\LocalState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\LocalCache\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\AppData\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\AC\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\AC\Temp\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\TempState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\SystemAppData\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\Settings\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\RoamingState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\LocalState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\LocalCache\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\AppData\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\AC\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\AC\Temp\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SystemAppData\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\Settings\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\RoamingState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalCache\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AppData\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Temp\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\TempState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\SystemAppData\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\Settings\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\RoamingState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\LocalState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\LocalCache\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\AppData\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\AC\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\AC\Temp\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\TempState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\SystemAppData\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\Settings\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\RoamingState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\LocalState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\LocalCache\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\AppData\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\AC\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\AC\Temp\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\TempState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\SystemAppData\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\Settings\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\RoamingState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\LocalState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\LocalCache\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\AppData\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\AC\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\AC\Temp\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\TempState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\SystemAppData\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\Settings\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\RoamingState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\LocalState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\LocalCache\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\AppData\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\AC\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\AC\Temp\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\TempState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\SystemAppData\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\Settings\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\RoamingState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\LocalState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\LocalCache\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\AppData\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\AC\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\AC\Temp\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\TempState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\SystemAppData\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\Settings\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\RoamingState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\LocalState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\LocalState\DiagOutputDir\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\LocalCache\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\AppData\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\AC\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\AC\Temp\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\TempState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\SystemAppData\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\Settings\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\RoamingState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\LocalState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\LocalCache\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\AppData\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\AC\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\AC\Temp\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxApp_8wekyb3d8bbwe\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxApp_8wekyb3d8bbwe\TempState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxApp_8wekyb3d8bbwe\SystemAppData\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxApp_8wekyb3d8bbwe\Settings\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxApp_8wekyb3d8bbwe\RoamingState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxApp_8wekyb3d8bbwe\LocalState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxApp_8wekyb3d8bbwe\LocalCache\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxApp_8wekyb3d8bbwe\AppData\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxApp_8wekyb3d8bbwe\AC\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxApp_8wekyb3d8bbwe\AC\Temp\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Xbox.TCUI_8wekyb3d8bbwe\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Xbox.TCUI_8wekyb3d8bbwe\TempState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Xbox.TCUI_8wekyb3d8bbwe\SystemAppData\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Xbox.TCUI_8wekyb3d8bbwe\Settings\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Xbox.TCUI_8wekyb3d8bbwe\RoamingState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Xbox.TCUI_8wekyb3d8bbwe\LocalState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Xbox.TCUI_8wekyb3d8bbwe\LocalCache\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Xbox.TCUI_8wekyb3d8bbwe\AppData\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Xbox.TCUI_8wekyb3d8bbwe\AC\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Xbox.TCUI_8wekyb3d8bbwe\AC\Temp\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\TempState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\SystemAppData\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\Settings\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\RoamingState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\LocalState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\LocalCache\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\AppData\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\AC\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\AC\Temp\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\TempState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\SystemAppData\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\Settings\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\RoamingState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\LocalState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\LocalCache\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\AppData\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\AC\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\AC\Temp\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsMaps_8wekyb3d8bbwe\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsMaps_8wekyb3d8bbwe\TempState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsMaps_8wekyb3d8bbwe\SystemAppData\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsMaps_8wekyb3d8bbwe\Settings\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsMaps_8wekyb3d8bbwe\RoamingState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsMaps_8wekyb3d8bbwe\LocalState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsMaps_8wekyb3d8bbwe\LocalCache\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsMaps_8wekyb3d8bbwe\AppData\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsMaps_8wekyb3d8bbwe\AC\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsMaps_8wekyb3d8bbwe\AC\Temp\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\TempState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\SystemAppData\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\Settings\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\RoamingState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\LocalState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\LocalCache\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\AppData\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\AC\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\AC\Temp\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\TempState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\SystemAppData\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\Settings\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\RoamingState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalCache\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\AppData\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\AC\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\AC\Temp\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\AC\BackgroundTransferApi\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCamera_8wekyb3d8bbwe\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCamera_8wekyb3d8bbwe\TempState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCamera_8wekyb3d8bbwe\SystemAppData\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCamera_8wekyb3d8bbwe\Settings\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCamera_8wekyb3d8bbwe\RoamingState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCamera_8wekyb3d8bbwe\LocalState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCamera_8wekyb3d8bbwe\LocalCache\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCamera_8wekyb3d8bbwe\AppData\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCamera_8wekyb3d8bbwe\AC\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCamera_8wekyb3d8bbwe\AC\Temp\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCalculator_8wekyb3d8bbwe\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCalculator_8wekyb3d8bbwe\TempState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCalculator_8wekyb3d8bbwe\SystemAppData\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCalculator_8wekyb3d8bbwe\Settings\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCalculator_8wekyb3d8bbwe\RoamingState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCalculator_8wekyb3d8bbwe\LocalState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCalculator_8wekyb3d8bbwe\LocalCache\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCalculator_8wekyb3d8bbwe\AppData\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCalculator_8wekyb3d8bbwe\AC\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCalculator_8wekyb3d8bbwe\AC\Temp\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsAlarms_8wekyb3d8bbwe\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsAlarms_8wekyb3d8bbwe\TempState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsAlarms_8wekyb3d8bbwe\SystemAppData\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsAlarms_8wekyb3d8bbwe\Settings\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsAlarms_8wekyb3d8bbwe\RoamingState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsAlarms_8wekyb3d8bbwe\LocalState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsAlarms_8wekyb3d8bbwe\LocalCache\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsAlarms_8wekyb3d8bbwe\AppData\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsAlarms_8wekyb3d8bbwe\AC\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsAlarms_8wekyb3d8bbwe\AC\Temp\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\TempState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\SystemAppData\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\Settings\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\RoamingState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\LocalState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\LocalCache\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\AppData\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\AC\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\AC\Temp\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\SystemAppData\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\Settings\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\RoamingState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\LocalState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\LocalCache\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\AppData\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\AC\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\AC\Temp\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\TempState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\SystemAppData\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\Settings\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\RoamingState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\LocalState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\LocalCache\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\AppData\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\AC\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\AC\Temp\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\TempState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\SystemAppData\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\Settings\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\RoamingState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\LocalState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\LocalCache\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\AppData\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\AC\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\AC\Temp\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\TempState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SystemAppData\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\Settings\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\RoamingState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\LocalState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\LocalCache\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\AppData\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\AC\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\AC\Temp\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\TempState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\SystemAppData\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\Settings\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\RoamingState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ShellFeeds\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\Flighting\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{97b27011-f8cc-4ac9-9531-d6ee8ce92324}\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{76cc83ea-ae96-47fc-9329-459e5ad2d67b}\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{0f31ce30-ed3d-4588-b294-208da23711e6}\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{c58f7468-b990-418e-a4ba-ca3568b01c70}\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{2c33d893-bc92-487f-aede-304ebfc79509}\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalCache\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AppData\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AppData\Indexed DB\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AppData\CacheStorage\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Temp\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\TempState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\SystemAppData\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\Settings\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\RoamingState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\LocalState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\LocalCache\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\AppData\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\AC\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\AC\Temp\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\TempState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\SystemAppData\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\Settings\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\RoamingState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\LocalState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\LocalCache\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\AppData\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\AC\jC7CNxlVt.README.txt	Jump to behavior

Source: Document.doc.scr.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: ice\HarddiskVolume3\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\C7CNxlVt.README.txt source: Document.doc.scr.exe, 00000000.00000003.1682283519.00000000014FE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2_0 source: Document.doc.scr.exe, 00000000.00000003.1682283519.00000000014FE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\j source: Document.doc.scr.exe, 00000000.00000003.1682283519.00000000014FE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\* source: Document.doc.scr.exe, 00000000.00000003.1682283519.00000000014FE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error.jC7CNxlVt source: Document.doc.scr.exe, 00000000.00000003.1705221595.000000000143D000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1711836076.000000000143D000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1718849776.000000000143D000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1717159713.000000000143D000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1718983651.000000000143D000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1703476299.000000000143D000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1710511244.000000000143D000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1712643035.000000000143D000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1686082464.000000000143D000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1713658697.000000000143D000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1715185404.000000000143D000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1695151935.000000000143D000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1719812875.000000000143D000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1711697152.000000000143D000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1699369432.000000000143D000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1694880017.000000000143D000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1680648061.000000000143D000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1712214810.000000000143D000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1720140260.000000000143D000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1693739427.000000000143D000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1719287121.000000000143D000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1714611951.000000000143D000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1701452290.000000000143D000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1702773878.000000000143D000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1714096402.000000000143D000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1705906875.000000000143D000.00000004.00000020.00020000.00000000.sdmp, Document.d
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: Document.doc.scr.exe, 00000000.00000003.1939184092.00000000013CF000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000002.2101878302.00000000013AE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: WINLOA~1.PDBwinload_prod.pdb source: Document.doc.scr.exe, 00000000.00000003.1679982073.0000000001426000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2p source: Document.doc.scr.exe, 00000000.00000003.1682283519.00000000014FE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mi_exe_stub.pdb source: Document.doc.scr.exe, 00000000.00000003.1678909255.0000000001487000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1678737768.0000000001474000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \\?\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\jC7CNxlVt.README.txt source: Document.doc.scr.exe, 00000000.00000003.1680648061.000000000143D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: WINLOA~1.PDBntkrnlmp.pdb.pdb source: Document.doc.scr.exe, 00000000.00000003.1680648061.0000000001426000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \\?\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error.jC7CNxlVte source: Document.doc.scr.exe, 00000000.00000003.1680648061.000000000143D000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\Document.doc.scr.exe	Code function: 0_2_00BE74BC FindFirstFileExW,FindNextFileW,	0_2_00BE74BC
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Code function: 0_2_00BEA094 FindFirstFileExW,FindClose,	0_2_00BEA094
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Code function: 0_2_00BE5C24 FindFirstFileW,FindClose,FindNextFileW,FindClose,	0_2_00BE5C24
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Code function: 0_2_00BE7590 FindFirstFileExW,	0_2_00BE7590
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Code function: 0_2_00BE766C FindFirstFileExW,GetFileAttributesW,FindNextFileW,	0_2_00BE766C
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Code function: 0_2_00BEF308 GetFileAttributesW,SetThreadPriority,FindFirstFileExW,FindNextFileW,FindClose,	0_2_00BEF308
Source: C:\ProgramData\D448.tmp	Code function: 9_2_0040227C FindFirstFileExW,	9_2_0040227C
Source: C:\ProgramData\D448.tmp	Code function: 9_2_0040152C FindFirstFileExW,FindClose,FindNextFileW,FindClose,	9_2_0040152C

Source: C:\Users\user\Desktop\Document.doc.scr.exe

Code function: 0_2_00BEA470 GetLogicalDriveStringsW,

0_2_00BEA470

Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\Acrobat\	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Local\Temp\Diagnostics\	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\Acrobat\DC\	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Local\Temp\Diagnostics\EXCEL\	Jump to behavior

Networking

Found Tor onion address

Source: Document.doc.scr.exe, 00000000.00000003.2091177762.00000000013F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion
Source: Document.doc.scr.exe, 00000000.00000003.2091177762.00000000013F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion
Source: Document.doc.scr.exe, 00000000.00000003.2091177762.00000000013F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion
Source: Document.doc.scr.exe, 00000000.00000002.2101878302.00000000013D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion
Source: Document.doc.scr.exe, 00000000.00000002.2101878302.00000000013D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion
Source: Document.doc.scr.exe, 00000000.00000002.2101878302.00000000013D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onionn
Source: Document.doc.scr.exe, 00000000.00000002.2101878302.00000000013D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion
Source: Document.doc.scr.exe, 00000000.00000002.2101878302.00000000013D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onionug
Source: Document.doc.scr.exe, 00000000.00000002.2101878302.00000000013D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onionl
Source: Document.doc.scr.exe, 00000000.00000002.2101878302.00000000013D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onionJK
Source: Document.doc.scr.exe, 00000000.00000002.2101878302.00000000013D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion]YK
Source: Document.doc.scr.exe, 00000000.00000002.2101878302.00000000013D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion]lK<<
Source: Document.doc.scr.exe, 00000000.00000002.2101878302.00000000013D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onionsK/<
Source: Document.doc.scr.exe, 00000000.00000002.2101878302.00000000013D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onionc
Source: Document.doc.scr.exe, 00000000.00000002.2101878302.00000000013D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onionl
Source: Document.doc.scr.exe, 00000000.00000002.2101878302.00000000013D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onionl
Source: Document.doc.scr.exe, 00000000.00000002.2101878302.00000000013D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion.Jr=
Source: Document.doc.scr.exe, 00000000.00000002.2101878302.00000000013D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion=Jm=
Source: Document.doc.scr.exe, 00000000.00000002.2101878302.00000000013D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion@J
Source: Document.doc.scr.exe, 00000000.00000002.2101878302.00000000013D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onionlWJ
Source: Document.doc.scr.exe, 00000000.00000002.2101878302.00000000013D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion[

Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: http://b.c2r.ts.cdn.office.net/pr
Source: Document.doc.scr.exe, 00000000.00000003.1676814100.00000000014FE000.00000004.00000020.00020000.00000000.sdmp, 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr
Source: Document.doc.scr.exe, 00000000.00000003.1878035842.0000000001522000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://kinto.readthedocs.io/en/latest/tutorials/synchronisation.html#polling-for-remote-changes
Source: Document.doc.scr.exe, 00000000.00000002.2101878302.00000000013D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lockbitapt.uz
Source: Document.doc.scr.exe, 00000000.00000003.2091177762.00000000013F1000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000002.2101878302.00000000013D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion
Source: Document.doc.scr.exe, 00000000.00000002.2101878302.00000000013D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion=Jm=
Source: Document.doc.scr.exe, 00000000.00000002.2101878302.00000000013D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onionl
Source: Document.doc.scr.exe, 00000000.00000002.2101878302.00000000013D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion
Source: Document.doc.scr.exe, 00000000.00000002.2101878302.00000000013D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onionl
Source: Document.doc.scr.exe, 00000000.00000002.2101878302.00000000013D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onionsK/
Source: Document.doc.scr.exe, 00000000.00000002.2101878302.00000000013D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onionug
Source: Document.doc.scr.exe, 00000000.00000002.2101878302.00000000013D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion
Source: Document.doc.scr.exe, 00000000.00000002.2101878302.00000000013D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion.Jr=
Source: Document.doc.scr.exe, 00000000.00000002.2101878302.00000000013D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onionJK
Source: Document.doc.scr.exe, 00000000.00000002.2101878302.00000000013D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onionc
Source: Document.doc.scr.exe, 00000000.00000002.2101878302.00000000013D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onionl
Source: Document.doc.scr.exe, 00000000.00000002.2101878302.00000000013D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onionlWJ
Source: Document.doc.scr.exe, 00000000.00000002.2101878302.00000000013D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onionn
Source: Document.doc.scr.exe, 00000000.00000003.2091177762.00000000013F1000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000002.2101878302.00000000013D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://lockbitsupp.uz
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: Document.doc.scr.exe, 00000000.00000003.1646091627.00000000014D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://MD8.mozilla.org/1/m
Source: 3870112724rsegmnoittet-es.sqlite.jC7CNxlVt.0.dr	String found in binary or memory: https://account.bellmedia.c
Source: Document.doc.scr.exe, 00000000.00000003.1877029171.0000000001526000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.bellmedia.ca
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://addinsinstallation.store.office.com/app/acquisitionlogging
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://addinsinstallation.store.office.com/app/download
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/authenticated
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/unauthenticated
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://addinsinstallation.store.office.com/orgid/appinstall/authenticated
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://addinslicensing.store.office.com/apps/remove
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://addinslicensing.store.office.com/commerce/query
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://addinslicensing.store.office.com/entitlement/query
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://addinslicensing.store.office.com/orgid/apps/remove
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://addinslicensing.store.office.com/orgid/entitlement/query
Source: Document.doc.scr.exe, 00000000.00000003.1645091771.00000000014D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://allegro.pl/
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://api.aadrm.com
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://api.aadrm.com/
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://api.addins.omex.office.net/api/addins/search
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://api.addins.store.office.com/addinstemplate
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://api.addins.store.office.com/app/query
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://api.addins.store.officeppe.com/addinstemplate
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://api.cortana.ai
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://api.diagnostics.office.com
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://api.diagnosticssdf.office.com
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://api.diagnosticssdf.office.com/v2/feedback
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://api.diagnosticssdf.office.com/v2/file
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://api.microsoftstream.com
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://api.microsoftstream.com/api/
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://api.office.net
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://api.officescripts.microsoftusercontent.com/api
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://api.onedrive.com
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/imports
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://api.scheduler.
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://apis.live.net/v5.0/
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://apis.mobile.m365.svc.cloud.microsoft
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://augloop.office.com
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://augloop.office.com/v2
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://autodiscover-s.outlook.com/
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: Document.doc.scr.exe, 00000000.00000003.1641926636.00000000014C2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
Source: Document.doc.scr.exe, 00000000.00000003.1641926636.00000000014C2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta
Source: Document.doc.scr.exe, 00000000.00000003.1645091771.00000000014D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bugzilla.mo
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://cdn.designerapp.osi.office.net/designer-mobile
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://cdn.entity.
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://cdn.hubblecontent.osi.office.net/
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://cdn.int.designerapp.osi.office.net/fonts
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://clients.config.office.net
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://clients.config.office.net/
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://clients.config.office.net/c2r/v1.0/DeltaAdvisory
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://clients.config.office.net/c2r/v1.0/InteractiveInstallation
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://config.edge.skype.com
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://consent.config.office.com/consentcheckin/v1.0/consents
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://consent.config.office.com/consentweb/v1.0/consents
Source: Document.doc.scr.exe, 00000000.00000003.1877029171.0000000001526000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://content-signature-2.cdn.mozilla.net/chains/remote-settings.content-signature.mozilla.org-202
Source: Document.doc.scr.exe, 00000000.00000003.1641926636.00000000014C2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
Source: Document.doc.scr.exe, 00000000.00000003.1641926636.00000000014C2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://cortana.ai
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://cortana.ai/api
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://cr.office.com
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://d.docs.live.net
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://dataservice.o365filtering.com
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://dataservice.o365filtering.com/
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://designerapp.officeapps.live.com/designerapp
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://dev.cortana.ai
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://devnull.onenote.com
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://directory.services.
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://ecs.office.com
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://ecs.office.com/config/v1/Designer
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://ecs.office.com/config/v2/Office
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://edge.skype.com/registrar/prod
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://edge.skype.com/rps
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://enrichment.osi.office.net/
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v1
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Resolve/v1
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Search/v1
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/StockHistory/v1
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/ipcheck/v1
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/v2.1601652342626
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/metadata.json
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/desktop/main.cshtml
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/web/main.cshtml
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://entitlement.diagnostics.office.com
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: Document.doc.scr.exe, 00000000.00000003.1878035842.0000000001522000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://firefox-settings-attachments.cdn.mozilla.net/
Source: Document.doc.scr.exe, 00000000.00000003.1878035842.0000000001522000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://firefox.settings.services.mozilla.com/v1/
Source: Document.doc.scr.exe, 00000000.00000003.1877029171.0000000001526000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/partitioning-exempt-urls/c
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://fpastorage.cdn.office.net/%s
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://fpastorage.cdn.office.net/firstpartyapp/addins.xml
Source: Document.doc.scr.exe, 00000000.00000003.1878035842.0000000001522000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Kinto/kinto-attachment/
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://globaldisco.crm.dynamics.com
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://graph.ppe.windows.net
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://graph.ppe.windows.net/
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://graph.windows.net
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://graph.windows.net/
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/pivots/
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?secureurl=1
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://ic3.teams.office.com
Source: Document.doc.scr.exe, 00000000.00000003.1641926636.00000000014C2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://incidents.diagnostics.office.com
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://inclient.store.office.com/gyro/client
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://inclient.store.office.com/gyro/clientstore
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://invites.office.com/
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://lifecycle.office.com
Source: Document.doc.scr.exe, 00000000.00000003.1877029171.0000000001526000.00000004.00000020.00020000.00000000.sdmp, 3870112724rsegmnoittet-es.sqlite.jC7CNxlVt.0.dr	String found in binary or memory: https://login.live.com
Source: Document.doc.scr.exe, 00000000.00000003.1877029171.0000000001526000.00000004.00000020.00020000.00000000.sdmp, 3870112724rsegmnoittet-es.sqlite.jC7CNxlVt.0.dr, 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://login.microsoftonline.com
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://login.microsoftonline.com/
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://login.windows.local
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://make.powerautomate.com
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://management.azure.com
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://management.azure.com/
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://messagebroker.mobile.m365.svc.cloud.microsoft
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://messaging.action.office.com/
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://messaging.action.office.com/setcampaignaction
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://messaging.action.office.com/setuseraction16
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://messaging.engagement.office.com/
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://messaging.engagement.office.com/campaignmetadataaggregator
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://messaging.lifecycle.office.com/
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://messaging.lifecycle.office.com/getcustommessage16
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://messaging.office.com/
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://metadata.templates.cdn.office.net/client/log
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://my.microsoftpersonalcontent.com
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://ncus.contentsync.
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://ncus.pagecontentsync.
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://ods-diagnostics-ppe.trafficmanager.net
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://officeapps.live.com
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://officeci.azurewebsites.net/api/
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://officepyservice.office.net/
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://officepyservice.office.net/service.functionality
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentities
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentitiesupdated
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://onedrive.live.com
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://onedrive.live.com/embed?
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://otelrules.azureedge.net
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://otelrules.svc.static.microsoft
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://outlook.office.com
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://outlook.office.com/
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://outlook.office365.com
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://outlook.office365.com/
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://outlook.office365.com/connectors
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://pages.store.office.com/review/query
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://pages.store.office.com/webapplandingpage.aspx
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://powerlift.acompli.net
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://prod.mds.office.com/mds/api/v1.0/clientmodeldirectory
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://pushchannel.1drv.ms
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: Document.doc.scr.exe, 00000000.00000003.1878035842.0000000001522000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://remote-settings.readthedocs.io
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://res.cdn.office.net
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://res.cdn.office.net/mro1cdnstorage/fonts/prod/4.39
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://res.cdn.office.net/polymer/models
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://safelinks.protection.outlook.com/api/GetPolicy
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://service.officepy.microsoftusercontent.com/
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://settings.outlook.com
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://shell.suite.office.com:1443
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://skyapi.live.net/Activity/
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://staging.cortana.ai
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://store.office.cn/addinstemplate
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://store.office.de/addinstemplate
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://substrate.office.com
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://substrate.office.com/Notes-Internal.ReadWrite
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://substrate.office.com/search/api/v1/SearchHistory
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://substrate.office.com/search/api/v2/init
Source: Document.doc.scr.exe, 00000000.00000003.1642208886.00000000014B2000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1641926636.00000000014AA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org
Source: Document.doc.scr.exe, 00000000.00000003.1642208886.00000000014B9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: Document.doc.scr.exe, 00000000.00000003.1642208886.00000000014B9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://tasks.office.com
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://templatesmetadata.office.net/
Source: Document.doc.scr.exe, 00000000.00000003.2091177762.0000000001421000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1734557416.000000000140E000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1907344650.0000000001421000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1661602059.00000000013D9000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1908988654.0000000001421000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1910185384.0000000001421000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1650969084.00000000013D9000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1648303268.00000000013D9000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1912815534.0000000001421000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1675301956.00000000014D5000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1670292404.00000000013D9000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1933272646.0000000001421000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000002.2101878302.0000000001421000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1674503550.00000000014D5000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1738608679.000000000140E000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1650588282.00000000013D9000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1939184092.00000000013D9000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1739871345.000000000140E000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1939350231.0000000001421000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1725687875.000000000140E000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1727469488.000000000140E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tox.chat/
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://useraudit.o365auditrealtimeingestion.manage.office.com
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://web.microsoftstream.com/video/
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://webshell.suite.office.com
Source: Document.doc.scr.exe, 00000000.00000003.1645091771.00000000014DF000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1645091771.00000000014D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://weibo.com/
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://word-edit.officeapps.live.com/we/rrdiscovery.ashx
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://wus2.contentsync.
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://wus2.pagecontentsync.
Source: Document.doc.scr.exe, 00000000.00000003.1645091771.00000000014D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.aliexpress.com/
Source: Document.doc.scr.exe, 00000000.00000003.1645091771.00000000014D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.ca/
Source: Document.doc.scr.exe, 00000000.00000003.1645091771.00000000014D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.co.uk/
Source: Document.doc.scr.exe, 00000000.00000003.1645091771.00000000014D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/
Source: Document.doc.scr.exe, 00000000.00000003.1641926636.00000000014C2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94
Source: Document.doc.scr.exe, 00000000.00000003.1645091771.00000000014D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.de/
Source: Document.doc.scr.exe, 00000000.00000003.1645091771.00000000014D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.fr/
Source: Document.doc.scr.exe, 00000000.00000003.1645091771.00000000014D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.avito.ru/
Source: Document.doc.scr.exe, 00000000.00000003.1645091771.00000000014D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.bbc.co.uk/
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: Document.doc.scr.exe, 00000000.00000003.1645091771.00000000014D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ebay.de/
Source: Document.doc.scr.exe, 00000000.00000003.1641926636.00000000014C2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid=US.UB.ADMARKETPLACE.GT-C-EN.HOTEL&SEMDTL=a1219
Source: Document.doc.scr.exe, 00000000.00000003.1645091771.00000000014DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/
Source: Document.doc.scr.exe, 00000000.00000003.1645091771.00000000014D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ifeng.com/
Source: Document.doc.scr.exe, 00000000.00000003.1645091771.00000000014D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.iqiyi.com/
Source: Document.doc.scr.exe, 00000000.00000003.1645091771.00000000014D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.leboncoin.fr/
Source: Document.doc.scr.exe, 00000000.00000003.1642208886.00000000014B2000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1641926636.00000000014AA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org
Source: Document.doc.scr.exe, 00000000.00000003.1642208886.00000000014B9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: Document.doc.scr.exe, 00000000.00000003.1642208886.00000000014B9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: Document.doc.scr.exe, 00000000.00000003.1642208886.00000000014B9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: Document.doc.scr.exe, 00000000.00000003.1642208886.00000000014B9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: Document.doc.scr.exe, 00000000.00000003.1873556931.000000000153D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/media/css/privacy_protocol.04de168de977.css
Source: Document.doc.scr.exe, 00000000.00000003.1642208886.00000000014B9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: Document.doc.scr.exe, 00000000.00000003.1877029171.0000000001526000.00000004.00000020.00020000.00000000.sdmp, 3870112724rsegmnoittet-es.sqlite.jC7CNxlVt.0.dr	String found in binary or memory: https://www.msn.com
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://www.odwebp.svc.ms
Source: Document.doc.scr.exe, 00000000.00000003.1645091771.00000000014DF000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1645091771.00000000014D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.olx.pl/
Source: Document.doc.scr.exe, 00000000.00000003.1645091771.00000000014D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.reddit.com/
Source: Document.doc.scr.exe, 00000000.00000003.1877029171.0000000001526000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.tsn.ca
Source: Document.doc.scr.exe, 00000000.00000003.1645091771.00000000014D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.wykop.pl/
Source: 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	String found in binary or memory: https://www.yammer.com
Source: Document.doc.scr.exe, 00000000.00000003.1645091771.00000000014DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.zhihu.com/

Spam, unwanted Advertisements and Ransom Demands

Found ransom note / readme

Source: C:\Users\user\AppData\Local\Packages\Microsoft.WebMediaExtensions_8wekyb3d8bbwe\RoamingState\jC7CNxlVt.README.txt

Dropped file: !! ALL YOUR FILES ARE ENCRYPTED !!!You can't restore them without our decryptor.Don't try to use any public tools, you could damage the files and lose them forever.To make sure our decryptor works, contact us and decrypt one file for free.Download TOX messenger: https://tox.chat/Add friend in TOX, ID: 36F186C6FDCAAC0CF122E234B5D15F3F42F73568745F251C1306D71EBCA96817770F9B9AC2E6

Jump to dropped file

Yara detected LockBit ransomware

Source: Yara match	File source: Document.doc.scr.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Document.doc.scr.exe.be0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Document.doc.scr.exe.be0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2100861125.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2091177762.00000000013F1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1618448431.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2101878302.00000000013D9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Document.doc.scr.exe PID: 5320, type: MEMORYSTR

Yara detected TrojanRansom

Source: Yara match

File source: Process Memory Space: Document.doc.scr.exe PID: 5320, type: MEMORYSTR

Changes the wallpaper picture

Source: C:\Users\user\Desktop\Document.doc.scr.exe

Key value created or modified: HKEY_CURRENT_USER\Control Panel\Desktop WallPaper C:\ProgramData\jC7CNxlVt.bmp

Jump to behavior

Found potential ransomware demand text

Source: Document.doc.scr.exe, 00000000.00000003.2091177762.00000000013F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory : Your data are stolen and encrypted
Source: Document.doc.scr.exe, 00000000.00000002.2101878302.00000000013D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory : All your important files are stolen and encrypted!
Source: Document.doc.scr.exe, 00000000.00000002.2101878302.00000000013D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory : Your data are stolen and encrypted,7
Source: Document.doc.scr.exe, 00000000.00000002.2101878302.00000000013D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory : Your data are stolen and encrypted:7
Source: Document.doc.scr.exe, 00000000.00000002.2101878302.00000000013D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory : Your data are stolen and encrypted07
Source: Document.doc.scr.exe, 00000000.00000002.2101878302.00000000013D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory : Your data are stolen and encryptedR7
Source: Document.doc.scr.exe, 00000000.00000002.2101878302.00000000013D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory : Your data are stolen and encryptedh7
Source: Document.doc.scr.exe, 00000000.00000002.2101878302.00000000013D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory : Your data are stolen and encrypted
Source: Document.doc.scr.exe, 00000000.00000002.2101878302.00000000013D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory : Your data are stolen and encryptedl
Source: Document.doc.scr.exe, 00000000.00000002.2101878302.00000000013D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory : Your data are stolen and encrypted>6
Source: Document.doc.scr.exe, 00000000.00000002.2101878302.00000000013D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory : Your data are stolen and encrypted46
Source: Document.doc.scr.exe, 00000000.00000002.2101878302.00000000013D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory : Your data are stolen and encryptedB6
Source: Document.doc.scr.exe, 00000000.00000002.2101878302.00000000013D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory : Your data are stolen and encryptedX6
Source: Document.doc.scr.exe, 00000000.00000002.2101878302.00000000013D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory : Your data are stolen and encryptedV6

Modifies existing user documents (likely ransomware behavior)

Source: C:\Users\user\Desktop\Document.doc.scr.exe	File moved: C:\Users\user\Desktop\AIXACVYBSB\XZXHAVGRAG.pdf	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File moved: C:\Users\user\Desktop\XZXHAVGRAG\XZXHAVGRAG.docx	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File moved: C:\Users\user\Desktop\BPMLNOBVSB.mp3	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File moved: C:\Users\user\Desktop\AIXACVYBSB\AIXACVYBSB.docx	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File moved: C:\Users\user\Desktop\VLZDGUKUTZ.png	Jump to behavior

Writes many files with high entropy

Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{97b27011-f8cc-4ac9-9531-d6ee8ce92324}\Settings.ft.jC7CNxlVt entropy: 7.99924167215	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{76cc83ea-ae96-47fc-9329-459e5ad2d67b}\0.0.filtertrie.intermediate.txt.jC7CNxlVt entropy: 7.99916926048	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{76cc83ea-ae96-47fc-9329-459e5ad2d67b}\Settings.ft.jC7CNxlVt entropy: 7.99913941687	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{0f31ce30-ed3d-4588-b294-208da23711e6}\settingsglobals.txt.jC7CNxlVt entropy: 7.99587528156	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{c58f7468-b990-418e-a4ba-ca3568b01c70}\Apps.ft.jC7CNxlVt entropy: 7.99571821978	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{0f31ce30-ed3d-4588-b294-208da23711e6}\appsglobals.txt.jC7CNxlVt entropy: 7.99946553555	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{0f31ce30-ed3d-4588-b294-208da23711e6}\appssynonyms.txt.jC7CNxlVt entropy: 7.99926475323	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{c58f7468-b990-418e-a4ba-ca3568b01c70}\0.0.filtertrie.intermediate.txt.jC7CNxlVt entropy: 7.99519418233	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Chrome.jC7CNxlVt entropy: 7.99550186667	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\308046B0AF4A39CB.jC7CNxlVt entropy: 7.99437178053	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{0f31ce30-ed3d-4588-b294-208da23711e6}\settingsconversions.txt.jC7CNxlVt entropy: 7.99751125068	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{2c33d893-bc92-487f-aede-304ebfc79509}\Apps.ft.jC7CNxlVt entropy: 7.99630167281	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{2c33d893-bc92-487f-aede-304ebfc79509}\0.0.filtertrie.intermediate.txt.jC7CNxlVt entropy: 7.99520562394	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\wct38F0.tmp.jC7CNxlVt entropy: 7.99775158339	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{0f31ce30-ed3d-4588-b294-208da23711e6}\settingssynonyms.txt.jC7CNxlVt entropy: 7.99802208777	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\wct443C.tmp.jC7CNxlVt entropy: 7.99684378584	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\wctAB5F.tmp.jC7CNxlVt entropy: 7.99764639052	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\wctE4A4.tmp.jC7CNxlVt entropy: 7.99777847377	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\wctDB2E.tmp.jC7CNxlVt entropy: 7.99717599045	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\wctEA40.tmp.jC7CNxlVt entropy: 7.99728743364	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\wct49A7.tmp.jC7CNxlVt entropy: 7.9970471531	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\wctF411.tmp.jC7CNxlVt entropy: 7.9972650729	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_AutoGenerated_{16988324-21C9-05B2-CA60-9B4EC72739D8}.jC7CNxlVt entropy: 7.99474390029	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\https___java_com_help.jC7CNxlVt entropy: 7.99513294948	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\https___java_com_.jC7CNxlVt entropy: 7.99487891406	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Chrome__crx_mpnpojknpmnjdcgaaiekajbnjb.jC7CNxlVt entropy: 7.99505067124	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Chrome__crx_kefjledonknomlcbpllchaibag.jC7CNxlVt entropy: 7.99525109467	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Chrome__crx_fmgjjmmmlfcabfkddbjimcfncm.jC7CNxlVt entropy: 7.99513540808	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Chrome__crx_fhihpiojkboajapmgkhlnakfjf.jC7CNxlVt entropy: 7.99457877648	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Chrome__crx_agimnkijcamfeangaknmldooml.jC7CNxlVt entropy: 7.99454862868	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Chrome__crx_aghbiahbpaeidepookljebhfak.jC7CNxlVt entropy: 7.99512466125	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\308046B0AF4A39CB;PrivateBrowsingAUMID.jC7CNxlVt entropy: 7.99508738469	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_AutoGenerated_{E8B84CFB-B069-BC13-F88F-170904F645E5}.jC7CNxlVt entropy: 7.99537949105	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_AutoGenerated_{E7A33582-E908-3379-5368-5999454DCD83}.jC7CNxlVt entropy: 7.99521302446	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_AutoGenerated_{DAA168DE-4306-C8BC-8C11-B596240BDDED}.jC7CNxlVt entropy: 7.99600003865	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_AutoGenerated_{C804BBA7-FA5F-CBF7-8B55-2096E5F972CB}.jC7CNxlVt entropy: 7.99438343854	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_AutoGenerated_{C1C6F8AC-40A3-0F5C-146F-65A9DC70BBB4}.jC7CNxlVt entropy: 7.99469315973	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_AutoGenerated_{BD3F924E-55FB-A1BA-9DE6-B50F9F2460AC}.jC7CNxlVt entropy: 7.99536227861	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_AutoGenerated_{923DD477-5846-686B-A659-0FCCD73851A8}.jC7CNxlVt entropy: 7.99484256107	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_AutoGenerated_{BB044BFD-25B7-2FAA-22A8-6371A93E0456}.jC7CNxlVt entropy: 7.99434698097	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_AutoGenerated_{8AA47365-B2B3-1961-69EB-F866E376B12F}.jC7CNxlVt entropy: 7.99534877449	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_AutoGenerated_{8ABD94FB-E7D6-84A6-A997-C918EDDE0AE5}.jC7CNxlVt entropy: 7.99548532046	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_AutoGenerated_{116229A7-9A3B-2078-DB5F-B5A20811242C}.jC7CNxlVt entropy: 7.99548160641	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\Diagnostics\EXCEL\App1696334775820156800_6EB929AF-656E-4F43-9731-EA7753E1F1BD.log.jC7CNxlVt entropy: 7.99126919535	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\Diagnostics\EXCEL\App1696334923056622400_BD966DD2-7850-423A-B1D8-7882CE1A6D15.log.jC7CNxlVt entropy: 7.99899371601	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_InternetExplorer_Default.jC7CNxlVt entropy: 7.99471348972	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\Diagnostics\EXCEL\App1696417072488237400_C12D9B44-3468-47BC-9418-BF0A674A2B2F.log.jC7CNxlVt entropy: 7.99920552342	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_AutoGenerated_{F1118828-A0CC-5FEB-85C9-DBFFDF98434A}.jC7CNxlVt entropy: 7.99491869986	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\Diagnostics\EXCEL\App1696417101742322600_290EFEE9-C25A-4857-9F32-D7E6D51B7C09.log.jC7CNxlVt entropy: 7.99908159873	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\Diagnostics\EXCEL\App1696417118050662300_8475A8C9-2447-4BC4-8E46-350AA0582B94.log.jC7CNxlVt entropy: 7.99879038893	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Office_OUTLOOK_EXE_15.jC7CNxlVt entropy: 7.99484994689	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Office_ONENOTE_EXE_15.jC7CNxlVt entropy: 7.99484289482	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Office_OcPubMgr_exe_15.jC7CNxlVt entropy: 7.99540865791	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Office_MSPUB_EXE_15.jC7CNxlVt entropy: 7.99473186797	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Office_MSOUC_EXE_15.jC7CNxlVt entropy: 7.9952028162	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Office_msoev_exe_15.jC7CNxlVt entropy: 7.99475206329	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Office_MSACCESS_EXE_15.jC7CNxlVt entropy: 7.99528224786	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\Diagnostics\EXCEL\App_1696413198165042300_AA3FCB9C-CF1A-4407-8A94-A7D6C220021F.log.jC7CNxlVt entropy: 7.99887297564	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\acrobat_sbx\acroNGLLog.txt.jC7CNxlVt entropy: 7.99334162009	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Office_lync_exe_15.jC7CNxlVt entropy: 7.9948391078	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.6.20320.6 2023-10-04 13-00-50-743.log.jC7CNxlVt entropy: 7.99077474112	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Office_EXCEL_EXE_15.jC7CNxlVt entropy: 7.99561898898	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Office_DATABASECOMPARE_EXE_15.jC7CNxlVt entropy: 7.99584091099	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Office_SPREADSHEETCOMPARE_EXE_15.jC7CNxlVt entropy: 7.99467960759	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_WindowsCalculator_8wekyb3d8bbwe!App.jC7CNxlVt entropy: 7.99552035638	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_WindowsAlarms_8wekyb3d8bbwe!App.jC7CNxlVt entropy: 7.99514409216	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_SkyDrive_Desktop.jC7CNxlVt entropy: 7.99462038558	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Office_WINWORD_EXE_15.jC7CNxlVt entropy: 7.99540283131	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Office_SETLANG_EXE_15.jC7CNxlVt entropy: 7.99529054179	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Office_POWERPNT_EXE_15.jC7CNxlVt entropy: 7.99515790008	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Windows_MediaPlayer32.jC7CNxlVt entropy: 7.99533840617	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Windows_Explorer.jC7CNxlVt entropy: 7.99452677495	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Windows_ControlPanel.jC7CNxlVt entropy: 7.99511357476	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Windows_Computer.jC7CNxlVt entropy: 7.99548553849	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Windows_AdministrativeTools.jC7CNxlVt entropy: 7.99497582878	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_WindowsStore_8wekyb3d8bbwe!App.jC7CNxlVt entropy: 7.99474576978	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_WindowsSoundRecorder_8wekyb3d8bbwe!App.jC7CNxlVt entropy: 7.99555784153	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\content-prefs.sqlite.jC7CNxlVt entropy: 7.99938991158	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite.jC7CNxlVt entropy: 7.99812928036	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm.jC7CNxlVt entropy: 7.99457825389	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json.jC7CNxlVt entropy: 7.9950710788	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite-shm.jC7CNxlVt entropy: 7.9941473817	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db.jC7CNxlVt entropy: 7.99935317412	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\permissions.sqlite.jC7CNxlVt entropy: 7.99824885033	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\protections.sqlite.jC7CNxlVt entropy: 7.9971172896	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-shm.jC7CNxlVt entropy: 7.99402696041	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\webappsstore.sqlite.jC7CNxlVt entropy: 7.99826307285	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\webappsstore.sqlite-shm.jC7CNxlVt entropy: 7.99501442195	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\ls-archive.sqlite.jC7CNxlVt entropy: 7.99865317803	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite.jC7CNxlVt entropy: 7.99606416884	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shm.jC7CNxlVt entropy: 7.99385745121	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite.jC7CNxlVt entropy: 7.99632610207	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shm.jC7CNxlVt entropy: 7.9953891329	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite.jC7CNxlVt entropy: 7.99586231709	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite-shm.jC7CNxlVt entropy: 7.99429265165	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite.jC7CNxlVt entropy: 7.99678680247	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite-shm.jC7CNxlVt entropy: 7.99449233071	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite.jC7CNxlVt entropy: 7.99621407383	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cache2\trash16598\13723.jC7CNxlVt entropy: 7.9958708614	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite-shm.jC7CNxlVt entropy: 7.99491861153	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shm.jC7CNxlVt entropy: 7.99483146011	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cache2\entries\2275F9569F28969C8FC69F9660A75ADD1F8B963B.jC7CNxlVt entropy: 7.99180646076	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cache2\entries\2B8DB5289EFF0A466C21F47412A322A36CEB5044.jC7CNxlVt entropy: 7.99840172983	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cache2\entries\289DBE90018D682BDBFD59A3CAACE9EE538234FD.jC7CNxlVt entropy: 7.99184137632	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cache2\entries\252CE8AC445A184A1F4A1C6C6D4ADB8AE41B7776.jC7CNxlVt entropy: 7.99759560548	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cache2\entries\22F59957B7E08CD6CCFED6AF2A1DF26FE157DF40.jC7CNxlVt entropy: 7.99838363669	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\saved-telemetry-pings\7278f154-e8f4-4235-84c5-c5c1c6af0084.jC7CNxlVt entropy: 7.99759497552	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cache2\entries\3C9B2D192D535C347CDA9FB12BFC88FD40CF0382.jC7CNxlVt entropy: 7.99817444782	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cache2\entries\62FC1E8DCE1991EEB55DE9EFADF47EA578A22AB5.jC7CNxlVt entropy: 7.99289299885	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cache2\entries\44230749A38B6989F56217B435A03E84CCADE62D.jC7CNxlVt entropy: 7.99315241269	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cache2\entries\BDE5E55BCB4604200C70FB908FA76903C94590D3.jC7CNxlVt entropy: 7.99843877927	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\1696333829744.7278f154-e8f4-4235-84c5-c5c1c6af0084.main.jsonlz4.jC7CNxlVt entropy: 7.99120527429	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cache2\entries\D0F48A0632B6C451791F4257697E861961F06A6F.jC7CNxlVt entropy: 7.99529010681	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cache2\entries\E707EC8A256322E87908664A49F800B7B48E0961.jC7CNxlVt entropy: 7.99155975092	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\first_party_sets.db.jC7CNxlVt entropy: 7.99609399172	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cache2\doomed\11719.jC7CNxlVt entropy: 7.99419171554	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State.jC7CNxlVt entropy: 7.99745047365	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1.jC7CNxlVt entropy: 7.99939529516	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\ShaderCache\index.jC7CNxlVt entropy: 7.99923561046	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Windows_Shell_RunDialog.jC7CNxlVt entropy: 7.99420693218	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Windows_RemoteDesktop.jC7CNxlVt entropy: 7.99507827028	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Windows_Photos_8wekyb3d8bbwe!App.jC7CNxlVt entropy: 7.99392350591	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\MSEdge.jC7CNxlVt entropy: 7.99475420587	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_MdSched_exe.jC7CNxlVt entropy: 7.99552259954	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_mspaint_exe.jC7CNxlVt entropy: 7.99533285165	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_msinfo32_exe.jC7CNxlVt entropy: 7.99433212335	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_magnify_exe.jC7CNxlVt entropy: 7.99499141084	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_iscsicpl_exe.jC7CNxlVt entropy: 7.99418100373	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_dfrgui_exe.jC7CNxlVt entropy: 7.9948073713	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_comexp_msc.jC7CNxlVt entropy: 7.99483550575	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_cleanmgr_exe.jC7CNxlVt entropy: 7.99459935545	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_cmd_exe.jC7CNxlVt entropy: 7.99497350251	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_charmap_exe.jC7CNxlVt entropy: 7.99502461523	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_msconfig_exe.jC7CNxlVt entropy: 7.99470960011	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_WFS_exe.jC7CNxlVt entropy: 7.99445822545	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_SnippingTool_exe.jC7CNxlVt entropy: 7.99422636889	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_services_msc.jC7CNxlVt entropy: 7.99464075542	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_RecoveryDrive_exe.jC7CNxlVt entropy: 7.99532342466	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_quickassist_exe.jC7CNxlVt entropy: 7.99455855967	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_psr_exe.jC7CNxlVt entropy: 7.99525636834	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_printmanagement_msc.jC7CNxlVt entropy: 7.99548440016	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_odbcad32_exe.jC7CNxlVt entropy: 7.99483249281	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_osk_exe.jC7CNxlVt entropy: 7.99560932007	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_notepad_exe.jC7CNxlVt entropy: 7.99535850542	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_narrator_exe.jC7CNxlVt entropy: 7.9950320775	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}_AutoIt3_Aut2Exe_Aut2exe_exe.jC7CNxlVt entropy: 7.99540839943	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}_AutoIt3_Au3Info_x64_exe.jC7CNxlVt entropy: 7.99537669522	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}_AutoIt3_Au3Info_exe.jC7CNxlVt entropy: 7.99530277436	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{6D809377-6AF0-444B-8957-A3773F02200E}_Windows NT_Accessories_wordpad_exe.jC7CNxlVt entropy: 7.99547471331	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{6D809377-6AF0-444B-8957-A3773F02200E}_Common Files_Microsoft Shared_Ink_mip_exe.jC7CNxlVt entropy: 7.99485412095	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{6D809377-6AF0-444B-8957-A3773F02200E}_Adobe_Acrobat DC_Acrobat_Acrobat_exe.jC7CNxlVt entropy: 7.99475500883	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{6D809377-6AF0-444B-8957-A3773F02200E}_7-Zip_7zFM_exe.jC7CNxlVt entropy: 7.99496082952	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{6D809377-6AF0-444B-8957-A3773F02200E}_7-Zip_7-zip_chm.jC7CNxlVt entropy: 7.99429785307	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_WindowsPowerShell_v1_0_PowerShell_ISE_exe.jC7CNxlVt entropy: 7.99571809697	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_WindowsPowerShell_v1_0_powershell_exe.jC7CNxlVt entropy: 7.99552924913	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_WF_msc.jC7CNxlVt entropy: 7.99498046183	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}_odbcad32_exe.jC7CNxlVt entropy: 7.99545516285	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}_Java_jre-1_8_bin_javacpl_exe.jC7CNxlVt entropy: 7.99497295912	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}_AutoIt3_SciTE_SciTE_exe.jC7CNxlVt entropy: 7.99534775154	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}_AutoIt3_Extras.jC7CNxlVt entropy: 7.99479086452	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}_AutoIt3_Examples.jC7CNxlVt entropy: 7.99522017998	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}_AutoIt3_AutoIt_chm.jC7CNxlVt entropy: 7.99567538687	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}_AutoIt3_AutoItX_AutoItX_chm.jC7CNxlVt entropy: 7.9952840207	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}_AutoIt3_AutoIt3_x64_exe.jC7CNxlVt entropy: 7.99517945582	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}_AutoIt3_AutoIt3_exe.jC7CNxlVt entropy: 7.99524115439	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}_AutoIt3_AutoIt v3 Website_url.jC7CNxlVt entropy: 7.9953316903	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}_AutoIt3_Aut2Exe_Aut2exe_x64_exe.jC7CNxlVt entropy: 7.99532659724	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AppData\Indexed DB\edb00001.log.jC7CNxlVt entropy: 7.99957823513	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AppData\Indexed DB\edbres00001.jrs.jC7CNxlVt entropy: 7.99970728937	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AppData\Indexed DB\edb.log.jC7CNxlVt entropy: 7.99962404246	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_1.jC7CNxlVt entropy: 7.99933453606	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{F38BF404-1D43-42F2-9305-67DE0B28FC23}_regedit_exe.jC7CNxlVt entropy: 7.99588035337	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}_WindowsPowerShell_v1_0_PowerShell_ISE_exe.jC7CNxlVt entropy: 7.99560987088	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}_WindowsPowerShell_v1_0_powershell_exe.jC7CNxlVt entropy: 7.99504815394	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AppData\Indexed DB\edbtmp.log.jC7CNxlVt entropy: 7.99965299911	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AppData\Indexed DB\edbres00002.jrs.jC7CNxlVt entropy: 7.99963141435	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\GraphiteDawnCache\index.jC7CNxlVt entropy: 7.99930314827	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\GraphiteDawnCache\data_1.jC7CNxlVt entropy: 7.99937356398	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\GrShaderCache\index.jC7CNxlVt entropy: 7.99933631727	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\LocalState\PhotosAppTracing_startedInBGMode.etl.jC7CNxlVt entropy: 7.99724191844	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\LocalState\MediaDb.v1.sqlite-shm.jC7CNxlVt entropy: 7.99520871505	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\ConnectedDevicesPlatform\L.user\ActivitiesCache.db-shm.jC7CNxlVt entropy: 7.99425486193	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\Security\ES_session_storei.jC7CNxlVt entropy: 7.99306983874	Jump to dropped file
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\915DEAC5D1E15E49646B8A94E04E470958C9BB89.crl.jC7CNxlVt entropy: 7.99756229276	Jump to dropped file
Source: C:\ProgramData\D448.tmp	File created: C:\Users\user\Desktop\Document.doc.scr.exe entropy: 7.9972061867	Jump to dropped file
Source: C:\ProgramData\D448.tmp	File created: C:\Users\user\Desktop\AAAAAAAAAAAAAAAAAAAA (copy) entropy: 7.9972061867	Jump to dropped file
Source: C:\ProgramData\D448.tmp	File created: C:\Users\user\Desktop\BBBBBBBBBBBBBBBBBBBB (copy) entropy: 7.9972061867	Jump to dropped file
Source: C:\ProgramData\D448.tmp	File created: C:\Users\user\Desktop\CCCCCCCCCCCCCCCCCCCC (copy) entropy: 7.9972061867	Jump to dropped file
Source: C:\ProgramData\D448.tmp	File created: C:\Users\user\Desktop\DDDDDDDDDDDDDDDDDDDD (copy) entropy: 7.9972061867	Jump to dropped file
Source: C:\ProgramData\D448.tmp	File created: C:\Users\user\Desktop\EEEEEEEEEEEEEEEEEEEE (copy) entropy: 7.9972061867	Jump to dropped file
Source: C:\ProgramData\D448.tmp	File created: C:\Users\user\Desktop\FFFFFFFFFFFFFFFFFFFF (copy) entropy: 7.9972061867	Jump to dropped file
Source: C:\ProgramData\D448.tmp	File created: C:\Users\user\Desktop\GGGGGGGGGGGGGGGGGGGG (copy) entropy: 7.9972061867	Jump to dropped file
Source: C:\ProgramData\D448.tmp	File created: C:\Users\user\Desktop\HHHHHHHHHHHHHHHHHHHH (copy) entropy: 7.9972061867	Jump to dropped file
Source: C:\ProgramData\D448.tmp	File created: C:\Users\user\Desktop\IIIIIIIIIIIIIIIIIIII (copy) entropy: 7.9972061867	Jump to dropped file
Source: C:\ProgramData\D448.tmp	File created: C:\Users\user\Desktop\JJJJJJJJJJJJJJJJJJJJ (copy) entropy: 7.9972061867	Jump to dropped file
Source: C:\ProgramData\D448.tmp	File created: C:\Users\user\Desktop\KKKKKKKKKKKKKKKKKKKK (copy) entropy: 7.9972061867	Jump to dropped file
Source: C:\ProgramData\D448.tmp	File created: C:\Users\user\Desktop\LLLLLLLLLLLLLLLLLLLL (copy) entropy: 7.9972061867	Jump to dropped file
Source: C:\ProgramData\D448.tmp	File created: C:\Users\user\Desktop\MMMMMMMMMMMMMMMMMMMM (copy) entropy: 7.9972061867	Jump to dropped file
Source: C:\ProgramData\D448.tmp	File created: C:\Users\user\Desktop\NNNNNNNNNNNNNNNNNNNN (copy) entropy: 7.9972061867	Jump to dropped file
Source: C:\ProgramData\D448.tmp	File created: C:\Users\user\Desktop\OOOOOOOOOOOOOOOOOOOO (copy) entropy: 7.9972061867	Jump to dropped file
Source: C:\ProgramData\D448.tmp	File created: C:\Users\user\Desktop\PPPPPPPPPPPPPPPPPPPP (copy) entropy: 7.9972061867	Jump to dropped file
Source: C:\ProgramData\D448.tmp	File created: C:\Users\user\Desktop\QQQQQQQQQQQQQQQQQQQQ (copy) entropy: 7.9972061867	Jump to dropped file
Source: C:\ProgramData\D448.tmp	File created: C:\Users\user\Desktop\RRRRRRRRRRRRRRRRRRRR (copy) entropy: 7.9972061867	Jump to dropped file
Source: C:\ProgramData\D448.tmp	File created: C:\Users\user\Desktop\SSSSSSSSSSSSSSSSSSSS (copy) entropy: 7.9972061867	Jump to dropped file
Source: C:\ProgramData\D448.tmp	File created: C:\Users\user\Desktop\TTTTTTTTTTTTTTTTTTTT (copy) entropy: 7.9972061867	Jump to dropped file
Source: C:\ProgramData\D448.tmp	File created: C:\Users\user\Desktop\UUUUUUUUUUUUUUUUUUUU (copy) entropy: 7.9972061867	Jump to dropped file
Source: C:\ProgramData\D448.tmp	File created: C:\Users\user\Desktop\VVVVVVVVVVVVVVVVVVVV (copy) entropy: 7.9972061867	Jump to dropped file
Source: C:\ProgramData\D448.tmp	File created: C:\Users\user\Desktop\WWWWWWWWWWWWWWWWWWWW (copy) entropy: 7.9972061867	Jump to dropped file
Source: C:\ProgramData\D448.tmp	File created: C:\Users\user\Desktop\XXXXXXXXXXXXXXXXXXXX (copy) entropy: 7.9972061867	Jump to dropped file
Source: C:\ProgramData\D448.tmp	File created: C:\Users\user\Desktop\YYYYYYYYYYYYYYYYYYYY (copy) entropy: 7.9972061867	Jump to dropped file
Source: C:\ProgramData\D448.tmp	File created: C:\Users\user\Desktop\ZZZZZZZZZZZZZZZZZZZZ (copy) entropy: 7.9972061867	Jump to dropped file

System Summary

Malicious sample detected (through community Yara rule)

Source: Document.doc.scr.exe, type: SAMPLE	Matched rule: Windows_Ransomware_Lockbit_369e1e94 Author: unknown
Source: 0.0.Document.doc.scr.exe.be0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Lockbit_369e1e94 Author: unknown
Source: 0.2.Document.doc.scr.exe.be0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Lockbit_369e1e94 Author: unknown
Source: 00000000.00000002.2100861125.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Lockbit_369e1e94 Author: unknown
Source: 00000000.00000000.1618448431.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Lockbit_369e1e94 Author: unknown

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: Document.doc.scr.exe

Sample has a suspicious name (potential lure to open the executable)

Source: Document.doc.scr.exe

Static file information: Suspicious name

Source: C:\Users\user\Desktop\Document.doc.scr.exe	Code function: 0_2_00BF04B4 GetTempFileNameW,CreateFileW,WriteFile,CreateProcessW,NtQueryInformationProcess,NtReadVirtualMemory,NtProtectVirtualMemory,NtWriteVirtualMemory,CreateNamedPipeW,ResumeThread,ConnectNamedPipe,	0_2_00BF04B4
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Code function: 0_2_00BE6C98 NtQueryInformationToken,	0_2_00BE6C98
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Code function: 0_2_00BE9880 NtClose,	0_2_00BE9880
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Code function: 0_2_00BF7034 CreateThread,CreateThread,CreateThread,CreateThread,NtTerminateThread,CreateThread,CreateThread,	0_2_00BF7034
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Code function: 0_2_00BEB470 NtProtectVirtualMemory,	0_2_00BEB470
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Code function: 0_2_00BEDC60 NtTerminateProcess,	0_2_00BEDC60
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Code function: 0_2_00BEB444 NtSetInformationThread,	0_2_00BEB444
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Code function: 0_2_00BEE1E8 CreateThread,NtClose,	0_2_00BEE1E8
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Code function: 0_2_00BEC28C CreateFileW,WriteFile,WriteFile,NtClose,WriteFile,WriteFile,	0_2_00BEC28C
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Code function: 0_2_00BEDE78 SetThreadPriority,ReadFile,WriteFile,WriteFile,NtClose,	0_2_00BEDE78
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Code function: 0_2_00BEB674 NtQueryInformationToken,	0_2_00BEB674
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Code function: 0_2_00BE6668 CreateFileW,NtAllocateVirtualMemory,WriteFile,SetFilePointerEx,NtFreeVirtualMemory,DeleteFileW,	0_2_00BE6668
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Code function: 0_2_00BE7E58 NtQuerySystemInformation,Sleep,	0_2_00BE7E58
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Code function: 0_2_00BEC3F8 CreateFileW,WriteFile,RegCreateKeyExW,RegSetValueExW,RegCreateKeyExW,RegSetValueExW,SHChangeNotify,NtClose,	0_2_00BEC3F8
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Code function: 0_2_00BE97D8 NtQuerySystemInformation,	0_2_00BE97D8
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Code function: 0_2_00BEB3C0 NtSetInformationThread,NtClose,	0_2_00BEB3C0
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Code function: 0_2_00BEB734 NtSetInformationProcess,NtSetInformationProcess,NtSetInformationProcess,	0_2_00BEB734
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Code function: 0_2_00BE8F68 RtlAdjustPrivilege,NtSetInformationThread,	0_2_00BE8F68
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Code function: 0_2_00BE982A NtQuerySystemInformation,	0_2_00BE982A
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Code function: 0_2_00BE9811 NtQuerySystemInformation,	0_2_00BE9811
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Code function: 0_2_00BE7EA3 NtQuerySystemInformation,Sleep,	0_2_00BE7EA3
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Code function: 0_2_00BE7E8A NtQuerySystemInformation,Sleep,	0_2_00BE7E8A
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Code function: 0_2_00BE8F66 RtlAdjustPrivilege,NtSetInformationThread,	0_2_00BE8F66
Source: C:\ProgramData\D448.tmp	Code function: 9_2_00402760 CreateFileW,ReadFile,NtClose,	9_2_00402760
Source: C:\ProgramData\D448.tmp	Code function: 9_2_0040286C NtSetInformationProcess,NtSetInformationProcess,NtSetInformationProcess,	9_2_0040286C
Source: C:\ProgramData\D448.tmp	Code function: 9_2_00402F18 CreateFileW,NtAllocateVirtualMemory,WriteFile,SetFilePointerEx,SetFilePointerEx,NtFreeVirtualMemory,NtClose,DeleteFileW,	9_2_00402F18
Source: C:\ProgramData\D448.tmp	Code function: 9_2_00401DC2 NtProtectVirtualMemory,	9_2_00401DC2
Source: C:\ProgramData\D448.tmp	Code function: 9_2_00401D94 NtSetInformationThread,	9_2_00401D94
Source: C:\ProgramData\D448.tmp	Code function: 9_2_004016B4 NtAllocateVirtualMemory,NtAllocateVirtualMemory,	9_2_004016B4

Source: C:\Users\user\Desktop\Document.doc.scr.exe

Code function: 0_2_00BEA68C: GetVolumeNameForVolumeMountPointW,FindFirstVolumeW,GetVolumePathNamesForVolumeNameW,GetDriveTypeW,CreateFileW,DeviceIoControl,FindVolumeClose,

0_2_00BEA68C

Source: C:\Windows\splwow64.exe

File created: C:\Windows\system32\spool\PRINTERS\00002.SPL

Source: C:\Users\user\Desktop\Document.doc.scr.exe	Code function: 0_2_00BE80B8	0_2_00BE80B8
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Code function: 0_2_00BE20AC	0_2_00BE20AC
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Code function: 0_2_00BE4D08	0_2_00BE4D08
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Code function: 0_2_00BE4D03	0_2_00BE4D03
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Code function: 0_2_00BE5218	0_2_00BE5218

Source: C:\Users\user\Desktop\Document.doc.scr.exe

Process token adjusted: Security

Source: Document.doc.scr.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Document.doc.scr.exe, type: SAMPLE	Matched rule: Windows_Ransomware_Lockbit_369e1e94 reference_sample = d61af007f6c792b8fb6c677143b7d0e2533394e28c50737588e40da475c040ee, os = windows, severity = x86, creation_date = 2022-07-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Lockbit, fingerprint = 9cf4c112c0ee708ae64052926681e8351f1ccefeb558c41e875dbd9e4bdcb5f2, id = 369e1e94-3fbb-4828-bb78-89d26e008105, last_modified = 2022-07-18
Source: 0.0.Document.doc.scr.exe.be0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Lockbit_369e1e94 reference_sample = d61af007f6c792b8fb6c677143b7d0e2533394e28c50737588e40da475c040ee, os = windows, severity = x86, creation_date = 2022-07-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Lockbit, fingerprint = 9cf4c112c0ee708ae64052926681e8351f1ccefeb558c41e875dbd9e4bdcb5f2, id = 369e1e94-3fbb-4828-bb78-89d26e008105, last_modified = 2022-07-18
Source: 0.2.Document.doc.scr.exe.be0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Lockbit_369e1e94 reference_sample = d61af007f6c792b8fb6c677143b7d0e2533394e28c50737588e40da475c040ee, os = windows, severity = x86, creation_date = 2022-07-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Lockbit, fingerprint = 9cf4c112c0ee708ae64052926681e8351f1ccefeb558c41e875dbd9e4bdcb5f2, id = 369e1e94-3fbb-4828-bb78-89d26e008105, last_modified = 2022-07-18
Source: 00000000.00000002.2100861125.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Lockbit_369e1e94 reference_sample = d61af007f6c792b8fb6c677143b7d0e2533394e28c50737588e40da475c040ee, os = windows, severity = x86, creation_date = 2022-07-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Lockbit, fingerprint = 9cf4c112c0ee708ae64052926681e8351f1ccefeb558c41e875dbd9e4bdcb5f2, id = 369e1e94-3fbb-4828-bb78-89d26e008105, last_modified = 2022-07-18
Source: 00000000.00000000.1618448431.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Lockbit_369e1e94 reference_sample = d61af007f6c792b8fb6c677143b7d0e2533394e28c50737588e40da475c040ee, os = windows, severity = x86, creation_date = 2022-07-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Lockbit, fingerprint = 9cf4c112c0ee708ae64052926681e8351f1ccefeb558c41e875dbd9e4bdcb5f2, id = 369e1e94-3fbb-4828-bb78-89d26e008105, last_modified = 2022-07-18

Source: download.error.jC7CNxlVt.0.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\block.obj
Source: download.error.jC7CNxlVt.0.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\nkp.obj
Source: download.error.jC7CNxlVt.0.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\usb.obj
Source: download.error.jC7CNxlVt.0.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\tcglib.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: download.error.jC7CNxlVt.0.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\guiddef.obj
Source: download.error.jC7CNxlVt.0.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\ramapi.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: download.error.jC7CNxlVt.0.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\diskapi.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: download.error.jC7CNxlVt.0.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\sdiapi.obj
Source: download.error.jC7CNxlVt.0.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\blockapi.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: download.error.jC7CNxlVt.0.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\uwfapi.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: download.error.jC7CNxlVt.0.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\locate.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: download.error.jC7CNxlVt.0.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\disk.obj
Source: download.error.jC7CNxlVt.0.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\sdiapi.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: download.error.jC7CNxlVt.0.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\blktable.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: download.error.jC7CNxlVt.0.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\blocksup.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: download.error.jC7CNxlVt.0.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\partapi.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: download.error.jC7CNxlVt.0.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\uwfapi.obj
Source: download.error.jC7CNxlVt.0.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\ramapi.obj
Source: download.error.jC7CNxlVt.0.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\debugport.obj
Source: download.error.jC7CNxlVt.0.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\debugport.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: download.error.jC7CNxlVt.0.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\fve.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: download.error.jC7CNxlVt.0.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\fvelog.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: download.error.jC7CNxlVt.0.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\fveretailunlock.obj
Source: download.error.jC7CNxlVt.0.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\blktable.obj
Source: download.error.jC7CNxlVt.0.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\udp.obj
Source: download.error.jC7CNxlVt.0.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\seccmd.obj
Source: download.error.jC7CNxlVt.0.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\uriapi.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: download.error.jC7CNxlVt.0.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\fveretailunlock.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: download.error.jC7CNxlVt.0.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\fvelog.obj
Source: download.error.jC7CNxlVt.0.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\vhdutil.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: download.error.jC7CNxlVt.0.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\vmbusapi.obj
Source: download.error.jC7CNxlVt.0.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\blockapi.obj
Source: download.error.jC7CNxlVt.0.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\vdiskapi.obj
Source: download.error.jC7CNxlVt.0.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\seccmd.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: download.error.jC7CNxlVt.0.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\fileapi.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: download.error.jC7CNxlVt.0.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\serialapi.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: download.error.jC7CNxlVt.0.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\ramdiskvhd.obj
Source: download.error.jC7CNxlVt.0.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\vhd.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: download.error.jC7CNxlVt.0.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\fve.obj
Source: download.error.jC7CNxlVt.0.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\device.obj
Source: download.error.jC7CNxlVt.0.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\edriveapi.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: download.error.jC7CNxlVt.0.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\vmbusapi.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: download.error.jC7CNxlVt.0.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\nbp.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: download.error.jC7CNxlVt.0.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\nkp.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: download.error.jC7CNxlVt.0.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\usb.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: download.error.jC7CNxlVt.0.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\blkcache.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: download.error.jC7CNxlVt.0.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\disk.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: download.error.jC7CNxlVt.0.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\locate.obj
Source: download.error.jC7CNxlVt.0.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\block.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: download.error.jC7CNxlVt.0.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\edriveapi.obj
Source: download.error.jC7CNxlVt.0.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\fileapi.obj
Source: download.error.jC7CNxlVt.0.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\udp.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: download.error.jC7CNxlVt.0.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\device.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: download.error.jC7CNxlVt.0.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\serialapi.obj
Source: download.error.jC7CNxlVt.0.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\vmbus.obj
Source: download.error.jC7CNxlVt.0.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\vmbus.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: download.error.jC7CNxlVt.0.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\devlog.obj
Source: download.error.jC7CNxlVt.0.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\vhd2.obj
Source: download.error.jC7CNxlVt.0.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\blocksup.obj
Source: download.error.jC7CNxlVt.0.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\partition.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: download.error.jC7CNxlVt.0.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\blkcache.obj
Source: download.error.jC7CNxlVt.0.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\uriapi.obj
Source: download.error.jC7CNxlVt.0.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\guiddef.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: download.error.jC7CNxlVt.0.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\tcglib.obj
Source: download.error.jC7CNxlVt.0.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\ramdiskvhd.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: download.error.jC7CNxlVt.0.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\vdiskapi.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: download.error.jC7CNxlVt.0.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\devlog.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: download.error.jC7CNxlVt.0.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\vhdutil.obj
Source: download.error.jC7CNxlVt.0.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\vhd2.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: download.error.jC7CNxlVt.0.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\partapi.obj
Source: download.error.jC7CNxlVt.0.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\udpapi.obj
Source: download.error.jC7CNxlVt.0.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\udpapi.objd:\os\public\amd64fre\onecore\internal\minwin\priv_sdk\lib\amd64\boot\efi\device.lib
Source: download.error.jC7CNxlVt.0.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\partition.obj
Source: download.error.jC7CNxlVt.0.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\nbp.obj
Source: download.error.jC7CNxlVt.0.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\diskapi.obj
Source: download.error.jC7CNxlVt.0.dr	Binary string: d:\os\obj\amd64fre\minkernel\boot\environ\lib\io\device\efi\objfre\amd64\vhd.obj

Source: Apps.index.jC7CNxlVt.0.dr

Binary or memory string: s.sln

Source: classification engine

Classification label: mal100.rans.phis.spyw.evad.winEXE@9/1664@0/0

Source: C:\Users\user\Desktop\Document.doc.scr.exe

File created: C:\Users\jC7CNxlVt.README.txt

Jump to behavior

Source: C:\Users\user\Desktop\Document.doc.scr.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\705c7244f57fd9120d0c7bfadb7dbc11
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4828:120:WilError_03
Source: C:\ProgramData\D448.tmp	Mutant created: \Sessions\1\BaseNamedObjects\Global\{649F4E29-16CB-DD42-8922-9FFF0592856B}

Source: C:\Users\user\Desktop\Document.doc.scr.exe

File created: C:\Users\user\AppData\Local\Temp\jC7CNxlVt.README.txt

Jump to behavior

Source: C:\Windows\splwow64.exe

File read: C:\Windows\System32\DriverStore\FileRepository\prnms006.inf_amd64_c3bdcb6fc975b614\SendToOneNote-manifest.ini

Source: C:\Users\user\Desktop\Document.doc.scr.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Document.doc.scr.exe	ReversingLabs: Detection: 86%
Source: Document.doc.scr.exe	Virustotal: Detection: 86%

Source: unknown	Process created: C:\Users\user\Desktop\Document.doc.scr.exe "C:\Users\user\Desktop\Document.doc.scr.exe"
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288
Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE /insertdoc "C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\{E6830A1B-81EB-4C98-A5C6-BA0FB0C332A2}.xps" 133585893886890000
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Process created: C:\ProgramData\D448.tmp "C:\ProgramData\D448.tmp"
Source: C:\ProgramData\D448.tmp	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\D448.tmp >> NUL
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Process created: C:\ProgramData\D448.tmp "C:\ProgramData\D448.tmp"	Jump to behavior
Source: C:\ProgramData\D448.tmp	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\D448.tmp >> NUL

Source: C:\Users\user\Desktop\Document.doc.scr.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Section loaded: activeds.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Section loaded: adsldpc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Section loaded: gpedit.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Section loaded: dssec.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Section loaded: dsuiext.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Section loaded: ntdsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Section loaded: authz.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Section loaded: adsldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Section loaded: mscms.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Section loaded: coloradapterclient.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\ProgramData\D448.tmp	Section loaded: apphelp.dll
Source: C:\ProgramData\D448.tmp	Section loaded: rstrtmgr.dll
Source: C:\ProgramData\D448.tmp	Section loaded: ncrypt.dll
Source: C:\ProgramData\D448.tmp	Section loaded: ntasn1.dll
Source: C:\ProgramData\D448.tmp	Section loaded: windows.storage.dll
Source: C:\ProgramData\D448.tmp	Section loaded: wldp.dll
Source: C:\ProgramData\D448.tmp	Section loaded: kernel.appcore.dll
Source: C:\ProgramData\D448.tmp	Section loaded: uxtheme.dll
Source: C:\ProgramData\D448.tmp	Section loaded: propsys.dll
Source: C:\ProgramData\D448.tmp	Section loaded: profapi.dll
Source: C:\ProgramData\D448.tmp	Section loaded: edputil.dll
Source: C:\ProgramData\D448.tmp	Section loaded: urlmon.dll
Source: C:\ProgramData\D448.tmp	Section loaded: iertutil.dll
Source: C:\ProgramData\D448.tmp	Section loaded: srvcli.dll
Source: C:\ProgramData\D448.tmp	Section loaded: netutils.dll
Source: C:\ProgramData\D448.tmp	Section loaded: windows.staterepositoryps.dll
Source: C:\ProgramData\D448.tmp	Section loaded: sspicli.dll
Source: C:\ProgramData\D448.tmp	Section loaded: wintypes.dll
Source: C:\ProgramData\D448.tmp	Section loaded: appresolver.dll
Source: C:\ProgramData\D448.tmp	Section loaded: bcp47langs.dll
Source: C:\ProgramData\D448.tmp	Section loaded: slc.dll
Source: C:\ProgramData\D448.tmp	Section loaded: userenv.dll
Source: C:\ProgramData\D448.tmp	Section loaded: sppc.dll
Source: C:\ProgramData\D448.tmp	Section loaded: onecorecommonproxystub.dll
Source: C:\ProgramData\D448.tmp	Section loaded: onecoreuapcommonproxystub.dll

Source: C:\Users\user\Desktop\Document.doc.scr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CB8555CC-9128-11D1-AD9B-00C04FD8FDFF}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\Document.doc.scr.exe

File written: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\desktop.ini

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common

Source: Document.doc.scr.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: Document.doc.scr.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: ice\HarddiskVolume3\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\C7CNxlVt.README.txt source: Document.doc.scr.exe, 00000000.00000003.1682283519.00000000014FE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2_0 source: Document.doc.scr.exe, 00000000.00000003.1682283519.00000000014FE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\j source: Document.doc.scr.exe, 00000000.00000003.1682283519.00000000014FE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\* source: Document.doc.scr.exe, 00000000.00000003.1682283519.00000000014FE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error.jC7CNxlVt source: Document.doc.scr.exe, 00000000.00000003.1705221595.000000000143D000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1711836076.000000000143D000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1718849776.000000000143D000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1717159713.000000000143D000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1718983651.000000000143D000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1703476299.000000000143D000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1710511244.000000000143D000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1712643035.000000000143D000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1686082464.000000000143D000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1713658697.000000000143D000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1715185404.000000000143D000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1695151935.000000000143D000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1719812875.000000000143D000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1711697152.000000000143D000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1699369432.000000000143D000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1694880017.000000000143D000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1680648061.000000000143D000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1712214810.000000000143D000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1720140260.000000000143D000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1693739427.000000000143D000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1719287121.000000000143D000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1714611951.000000000143D000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1701452290.000000000143D000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1702773878.000000000143D000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1714096402.000000000143D000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1705906875.000000000143D000.00000004.00000020.00020000.00000000.sdmp, Document.d
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: Document.doc.scr.exe, 00000000.00000003.1939184092.00000000013CF000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000002.2101878302.00000000013AE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: WINLOA~1.PDBwinload_prod.pdb source: Document.doc.scr.exe, 00000000.00000003.1679982073.0000000001426000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2p source: Document.doc.scr.exe, 00000000.00000003.1682283519.00000000014FE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mi_exe_stub.pdb source: Document.doc.scr.exe, 00000000.00000003.1678909255.0000000001487000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1678737768.0000000001474000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \\?\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\jC7CNxlVt.README.txt source: Document.doc.scr.exe, 00000000.00000003.1680648061.000000000143D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: WINLOA~1.PDBntkrnlmp.pdb.pdb source: Document.doc.scr.exe, 00000000.00000003.1680648061.0000000001426000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \\?\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error.jC7CNxlVte source: Document.doc.scr.exe, 00000000.00000003.1680648061.000000000143D000.00000004.00000020.00020000.00000000.sdmp

Source: Document.doc.scr.exe

Static PE information: real checksum: 0x266aa should be: 0x3bee8

Source: C:\Users\user\Desktop\Document.doc.scr.exe	Code function: 0_2_00BE61EE push esp; retf	0_2_00BE61F6
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Code function: 0_2_00BE35D5 push 0000006Ah; retf	0_2_00BE3644
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Code function: 0_2_00BE35D3 push 0000006Ah; retf	0_2_00BE3644
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Code function: 0_2_00BE356B push 0000006Ah; retf	0_2_00BE3644

Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Videos\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Searches\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Saved Games\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Recent\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Pictures\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Pictures\Saved Pictures\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Pictures\Camera Roll\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\OneDrive\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Music\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Links\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Favorites\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Favorites\Links\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Downloads\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Documents\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Documents\ZQIXMVQGAH\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Documents\ZBEDCJPBEY\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Documents\XZXHAVGRAG\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Documents\VAMYDFPUND\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Documents\SFPUSAFIOL\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Documents\ONBQCLYSPU\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Documents\KZWFNRXYKI\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Documents\KATAXZVCPS\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Documents\HTAGVDFUIE\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Documents\DTBZGIOOSO\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Documents\CURQNKVOIX\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Documents\AIXACVYBSB\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Desktop\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Desktop\ZQIXMVQGAH\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Desktop\ZBEDCJPBEY\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Desktop\XZXHAVGRAG\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Desktop\VAMYDFPUND\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Desktop\SFPUSAFIOL\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Desktop\ONBQCLYSPU\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Desktop\KZWFNRXYKI\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Desktop\KATAXZVCPS\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Desktop\HTAGVDFUIE\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Desktop\DTBZGIOOSO\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Desktop\CURQNKVOIX\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Desktop\AIXACVYBSB\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\Contacts\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Skype\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Skype\RootTools\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\to-be-removed\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\temporary\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.files\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3561288849sdhlie.files\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2918063365piupsah.files\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.files\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.files\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.files\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\security_state\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\saved-telemetry-pings\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\minidumps\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\tmp\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\events\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\db\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\events\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\bookmarkbackups\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Pending Pings\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Crash Reports\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Crash Reports\events\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Extensions\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\com.adobe.dunamis\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\com.adobe.dunamis\f2eb6c79-671d-4de2-b7be-3b2eea7abc47\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\com.adobe.dunamis\6d9d9777-7ded-4768-8191-9a707d72b009\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\com.adobe.dunamis\61f56613-c62c-4b17-84dd-62b60d5776aa\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\com.adobe.dunamis\56079431-ea46-4833-94f9-1ff5658cdb1c\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Adobe\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Adobe\Sonar\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Adobe\Sonar\SonarCC\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Adobe\RTTransfer\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Adobe\LogTransport2CC\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Adobe\LogTransport2\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Adobe\Linguistics\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Adobe\Headlights\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Adobe\Flash Player\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Adobe\Flash Player\NativeCache\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Adobe\CRLogs\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Adobe\CRLogs\crashlogs\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Adobe\Acrobat\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Adobe\Acrobat\Preflight Acrobat Continuous\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\Security\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\JSCache\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\Forms\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\Collab\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\LocalLow\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\Linguistics\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cookie\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\VideoDecodeStats\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\shared_proto_db\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\shared_proto_db\metadata\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\wasm\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\wasm\index-dir\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\index-dir\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Cache\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Cache\Cache_Data\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\blob_storage\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\blob_storage\d1702bdf-c0c8-42c3-b6d9-e52fd0a57b16\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\Acrobat\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\assets\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\Acrobat\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\Acrobat\DesktopNotification\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\Acrobat\DesktopNotification\NotificationsDB\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\VirtualStore\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\Symbols\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\mozilla-temp-files\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\Low\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\Diagnostics\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\Diagnostics\EXCEL\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\Acrobat\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\Acrobat\DC\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\Acrobat\DC\SearchEmbdIndex\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\acrocef_low\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\acrobat_sbx\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\acrobat_sbx\Adobe\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\acrobat_sbx\Adobe\Acrobat\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Temp\acrobat_sbx\Adobe\Acrobat\DC\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\SolidDocuments\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\SolidDocuments\Acrobat\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Publishers\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Publishers\8wekyb3d8bbwe\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Publishers\8wekyb3d8bbwe\SettingsContainer\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Publishers\8wekyb3d8bbwe\Microsoft.WindowsAlarms\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Publishers\8wekyb3d8bbwe\Licenses\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Publishers\8wekyb3d8bbwe\Fonts\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\PlaceholderTileLogoFolder\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\PeerDistRepub\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\windows_ie_ac_001\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\windows_ie_ac_001\AC\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\windows_ie_ac_001\AC\Temp\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\TempState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\SystemAppData\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\Settings\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\RoamingState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\LocalState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\LocalCache\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\AppData\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\AC\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\AC\Temp\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\TempState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\SystemAppData\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\Settings\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\RoamingState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalCache\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\AppData\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\AC\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Windows.CBSPreview_cw5n1h2txyewy\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Windows.CBSPreview_cw5n1h2txyewy\TempState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Windows.CBSPreview_cw5n1h2txyewy\SystemAppData\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Windows.CBSPreview_cw5n1h2txyewy\Settings\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Windows.CBSPreview_cw5n1h2txyewy\RoamingState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Windows.CBSPreview_cw5n1h2txyewy\LocalState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Windows.CBSPreview_cw5n1h2txyewy\LocalCache\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Windows.CBSPreview_cw5n1h2txyewy\AppData\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Windows.CBSPreview_cw5n1h2txyewy\AC\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Windows.CBSPreview_cw5n1h2txyewy\AC\Temp\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\TempState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\SystemAppData\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\Settings\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\RoamingState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\LocalState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\LocalCache\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\AppData\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\AC\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\AC\Temp\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\TempState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\SystemAppData\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\Settings\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\RoamingState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\LocalState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\LocalCache\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\AppData\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\AC\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\AC\Temp\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SystemAppData\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\Settings\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\RoamingState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalCache\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AppData\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Temp\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\TempState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\SystemAppData\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\Settings\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\RoamingState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\LocalState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\LocalCache\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\AppData\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\AC\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\AC\Temp\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\TempState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\SystemAppData\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\Settings\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\RoamingState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\LocalState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\LocalCache\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\AppData\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\AC\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\AC\Temp\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\TempState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\SystemAppData\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\Settings\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\RoamingState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\LocalState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\LocalCache\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\AppData\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\AC\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\AC\Temp\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\TempState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\SystemAppData\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\Settings\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\RoamingState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\LocalState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\LocalCache\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\AppData\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\AC\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxSpeechToTextOverlay_8wekyb3d8bbwe\AC\Temp\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\TempState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\SystemAppData\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\Settings\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\RoamingState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\LocalState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\LocalCache\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\AppData\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\AC\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxIdentityProvider_8wekyb3d8bbwe\AC\Temp\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\TempState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\SystemAppData\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\Settings\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\RoamingState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\LocalState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\LocalState\DiagOutputDir\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\LocalCache\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\AppData\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\AC\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\AC\Temp\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\TempState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\SystemAppData\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\Settings\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\RoamingState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\LocalState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\LocalCache\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\AppData\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\AC\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\AC\Temp\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxApp_8wekyb3d8bbwe\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxApp_8wekyb3d8bbwe\TempState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxApp_8wekyb3d8bbwe\SystemAppData\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxApp_8wekyb3d8bbwe\Settings\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxApp_8wekyb3d8bbwe\RoamingState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxApp_8wekyb3d8bbwe\LocalState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxApp_8wekyb3d8bbwe\LocalCache\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxApp_8wekyb3d8bbwe\AppData\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxApp_8wekyb3d8bbwe\AC\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.XboxApp_8wekyb3d8bbwe\AC\Temp\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Xbox.TCUI_8wekyb3d8bbwe\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Xbox.TCUI_8wekyb3d8bbwe\TempState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Xbox.TCUI_8wekyb3d8bbwe\SystemAppData\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Xbox.TCUI_8wekyb3d8bbwe\Settings\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Xbox.TCUI_8wekyb3d8bbwe\RoamingState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Xbox.TCUI_8wekyb3d8bbwe\LocalState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Xbox.TCUI_8wekyb3d8bbwe\LocalCache\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Xbox.TCUI_8wekyb3d8bbwe\AppData\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Xbox.TCUI_8wekyb3d8bbwe\AC\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Xbox.TCUI_8wekyb3d8bbwe\AC\Temp\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\TempState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\SystemAppData\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\Settings\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\RoamingState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\LocalState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\LocalCache\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\AppData\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\AC\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\AC\Temp\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\TempState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\SystemAppData\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\Settings\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\RoamingState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\LocalState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\LocalCache\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\AppData\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\AC\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\AC\Temp\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsMaps_8wekyb3d8bbwe\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsMaps_8wekyb3d8bbwe\TempState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsMaps_8wekyb3d8bbwe\SystemAppData\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsMaps_8wekyb3d8bbwe\Settings\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsMaps_8wekyb3d8bbwe\RoamingState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsMaps_8wekyb3d8bbwe\LocalState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsMaps_8wekyb3d8bbwe\LocalCache\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsMaps_8wekyb3d8bbwe\AppData\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsMaps_8wekyb3d8bbwe\AC\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsMaps_8wekyb3d8bbwe\AC\Temp\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\TempState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\SystemAppData\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\Settings\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\RoamingState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\LocalState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\LocalCache\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\AppData\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\AC\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe\AC\Temp\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\TempState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\SystemAppData\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\Settings\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\RoamingState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalCache\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\AppData\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\AC\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\AC\Temp\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\AC\BackgroundTransferApi\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCamera_8wekyb3d8bbwe\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCamera_8wekyb3d8bbwe\TempState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCamera_8wekyb3d8bbwe\SystemAppData\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCamera_8wekyb3d8bbwe\Settings\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCamera_8wekyb3d8bbwe\RoamingState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCamera_8wekyb3d8bbwe\LocalState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCamera_8wekyb3d8bbwe\LocalCache\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCamera_8wekyb3d8bbwe\AppData\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCamera_8wekyb3d8bbwe\AC\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCamera_8wekyb3d8bbwe\AC\Temp\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCalculator_8wekyb3d8bbwe\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCalculator_8wekyb3d8bbwe\TempState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCalculator_8wekyb3d8bbwe\SystemAppData\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCalculator_8wekyb3d8bbwe\Settings\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCalculator_8wekyb3d8bbwe\RoamingState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCalculator_8wekyb3d8bbwe\LocalState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCalculator_8wekyb3d8bbwe\LocalCache\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCalculator_8wekyb3d8bbwe\AppData\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCalculator_8wekyb3d8bbwe\AC\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCalculator_8wekyb3d8bbwe\AC\Temp\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsAlarms_8wekyb3d8bbwe\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsAlarms_8wekyb3d8bbwe\TempState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsAlarms_8wekyb3d8bbwe\SystemAppData\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsAlarms_8wekyb3d8bbwe\Settings\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsAlarms_8wekyb3d8bbwe\RoamingState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsAlarms_8wekyb3d8bbwe\LocalState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsAlarms_8wekyb3d8bbwe\LocalCache\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsAlarms_8wekyb3d8bbwe\AppData\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsAlarms_8wekyb3d8bbwe\AC\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsAlarms_8wekyb3d8bbwe\AC\Temp\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\TempState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\SystemAppData\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\Settings\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\RoamingState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\LocalState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\LocalCache\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\AppData\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\AC\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\AC\Temp\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\SystemAppData\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\Settings\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\RoamingState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\LocalState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\LocalCache\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\AppData\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\AC\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\AC\Temp\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\TempState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\SystemAppData\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\Settings\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\RoamingState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\LocalState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\LocalCache\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\AppData\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\AC\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\AC\Temp\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\TempState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\SystemAppData\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\Settings\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\RoamingState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\LocalState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\LocalCache\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\AppData\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\AC\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\AC\Temp\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\TempState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SystemAppData\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\Settings\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\RoamingState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\LocalState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\LocalCache\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\AppData\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\AC\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\AC\Temp\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\TempState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\SystemAppData\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\Settings\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\RoamingState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ShellFeeds\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\Flighting\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{97b27011-f8cc-4ac9-9531-d6ee8ce92324}\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{76cc83ea-ae96-47fc-9329-459e5ad2d67b}\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{0f31ce30-ed3d-4588-b294-208da23711e6}\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{c58f7468-b990-418e-a4ba-ca3568b01c70}\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{2c33d893-bc92-487f-aede-304ebfc79509}\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalCache\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AppData\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AppData\Indexed DB\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AppData\CacheStorage\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Temp\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\TempState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\SystemAppData\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\Settings\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\RoamingState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\LocalState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\LocalCache\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\AppData\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\AC\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy\AC\Temp\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\TempState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\SystemAppData\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\Settings\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\RoamingState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\LocalState\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\LocalCache\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\AppData\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\AC\jC7CNxlVt.README.txt	Jump to behavior

Hooking and other Techniques for Hiding and Protection

Deletes itself after installation

Source: C:\ProgramData\D448.tmp	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\D448.tmp >> NUL
Source: C:\ProgramData\D448.tmp	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\D448.tmp >> NUL

Uses an obfuscated file name to hide its real file extension (double extension)

Source: Possible double extension: doc.scr

Static PE information: Document.doc.scr.exe

Source: C:\Users\user\Desktop\Document.doc.scr.exe

Code function: 0_2_00BE91C8 RegCreateKeyExW,RegEnumKeyW,RegCreateKeyExW,RegSetValueExW,RegSetValueExW,OpenEventLogW,ClearEventLogW,CloseEventLog,RegCreateKeyExW,RegEnumKeyW,OpenEventLogW,ClearEventLogW,

0_2_00BE91C8

Source: C:\Users\user\Desktop\Document.doc.scr.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\ProgramData\D448.tmp	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX
Source: C:\ProgramData\D448.tmp	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\ProgramData\D448.tmp	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX
Source: C:\ProgramData\D448.tmp	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX
Source: C:\ProgramData\D448.tmp	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX
Source: C:\ProgramData\D448.tmp	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\ProgramData\D448.tmp	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX
Source: C:\ProgramData\D448.tmp	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX
Source: C:\ProgramData\D448.tmp	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX
Source: C:\ProgramData\D448.tmp	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX
Source: C:\ProgramData\D448.tmp	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX
Source: C:\ProgramData\D448.tmp	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX
Source: C:\ProgramData\D448.tmp	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX
Source: C:\ProgramData\D448.tmp	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX

Malware Analysis System Evasion

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Source: C:\Users\user\Desktop\Document.doc.scr.exe	Code function: 0_2_00BE10BC		0_2_00BE10BC
Source: C:\ProgramData\D448.tmp	Code function: 9_2_00401E28		9_2_00401E28

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: Document.doc.scr.exe, 00000000.00000003.1743563853.0000000001540000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: {7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\FIDDLER2\FIDDLER.EXE11126
Source: Document.doc.scr.exe, 00000000.00000003.1743563853.0000000001540000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: {7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\WINDOWS KITS\10\DEBUGGERS\X64\WINDBG.EXE11179
Source: Document.doc.scr.exe, 00000000.00000003.1743563853.0000000001540000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: {6D809377-6AF0-444B-8957-A3773F02200E}\SUPERANTISPYWARE\SUPERANTISPYWARE.EXE11328
Source: Document.doc.scr.exe, 00000000.00000003.1743563853.0000000001540000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: {6D809377-6AF0-444B-8957-A3773F02200E}\WIRESHARK\WIRESHARK.EXE8327

Source: C:\Users\user\Desktop\Document.doc.scr.exe

Code function: 0_2_00BE10BC rdtsc

0_2_00BE10BC

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\Document.doc.scr.exe	Code function: 0_2_00BE74BC FindFirstFileExW,FindNextFileW,	0_2_00BE74BC
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Code function: 0_2_00BEA094 FindFirstFileExW,FindClose,	0_2_00BEA094
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Code function: 0_2_00BE5C24 FindFirstFileW,FindClose,FindNextFileW,FindClose,	0_2_00BE5C24
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Code function: 0_2_00BE7590 FindFirstFileExW,	0_2_00BE7590
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Code function: 0_2_00BE766C FindFirstFileExW,GetFileAttributesW,FindNextFileW,	0_2_00BE766C
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Code function: 0_2_00BEF308 GetFileAttributesW,SetThreadPriority,FindFirstFileExW,FindNextFileW,FindClose,	0_2_00BEF308
Source: C:\ProgramData\D448.tmp	Code function: 9_2_0040227C FindFirstFileExW,	9_2_0040227C
Source: C:\ProgramData\D448.tmp	Code function: 9_2_0040152C FindFirstFileExW,FindClose,FindNextFileW,FindClose,	9_2_0040152C

Source: C:\Users\user\Desktop\Document.doc.scr.exe

Code function: 0_2_00BEA470 GetLogicalDriveStringsW,

0_2_00BEA470

Source: C:\Windows\splwow64.exe

Thread delayed: delay time: 120000

Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\Acrobat\	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Local\Temp\Diagnostics\	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\Acrobat\DC\	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Local\Temp\Diagnostics\EXCEL\	Jump to behavior

Source: Document.doc.scr.exe, 00000000.00000003.1743563853.0000000001540000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \|vmware workstation 15 player\|vmplayer6438
Source: Document.doc.scr.exe, 00000000.00000003.1683665894.0000000001520000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 10/04/2023 10:58:22.220EXCEL (0x18B4)0x88CMicrosoft ExcelTelemetry Eventb7vzqMediumSendEvent {"EventName":"Office.System.SystemHealthMetadataDeviceConsolidated","Flags":33777031581908737,"InternalSequenceNumber":111,"Time":"2023-10-04T10:58:21.709Z","Rule":"120600.4","Contract":"Office.Legacy.Metadata","Data.ProcTypeText":"x64","Data.ProcessorCount":2,"Data.NumProcShareSingleCore":1,"Data.NumProcShareSingleCache":1,"Data.NumProcPhysCores":2,"Data.ProcSpeedMHz":2000,"Data.IsLaptop":false,"Data.IsTablet":false,"Data.RamMB":4096,"Data.PowerPlatformRole":1,"Data.SysVolSizeMB":50000,"Data.DeviceManufacturer":"VMWare, Inc.","Data.DeviceModel":"VMware20,1","Data.DigitizerInfo":0,"Data.SusClientId":"097C77FB-5D5D-4868-860B-09F4E5B50A53","Data.WindowsSqmMachineId":"92C86F7C-DB2B-4F6A-95AD-98B4A2AE008A","Data.ComputerSystemProductUuidHash":"rC2kkStHpWGLvfAgmQZRz4w5ixE=","Data.DeviceProcessorModel":"Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz","Data.HasSpectreFix":true,"Data.BootDiskType":"SSD"}
Source: Document.doc.scr.exe, 00000000.00000003.1677426803.000000000159B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.
Source: Document.doc.scr.exe, 00000000.00000003.1674503550.0000000001488000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 10/03/2023 13:09:52.535OFFICECL (0x2394)0x12d8Telemetry EventbiyhqMediumSendEvent {"EventName": "Office.System.SystemHealthMetadataDeviceConsolidated", "Flags": 33777031581908737, "InternalSequenceNumber": 11, "Time": "2023-10-03T12:09:52Z", "Rule": "120600.4", "AriaTenantToken": "cd836626611c4caaa8fc5b2e728ee81d-3b6d6c45-6377-4bf5-9792-dbf8e1881088-7521", "Contract": "Office.Legacy.Metadata", "Data.ProcTypeText": "x64", "Data.ProcessorCount": 2, "Data.NumProcShareSingleCore": 1, "Data.NumProcShareSingleCache": 1, "Data.NumProcPhysCores": 2, "Data.ProcSpeedMHz": 2000, "Data.IsLaptop": false, "Data.IsTablet": false, "Data.RamMB": 4096, "Data.PowerPlatformRole": 1, "Data.SysVolSizeMB": 50000, "Data.DeviceManufacturer": "VMWare, Inc.", "Data.DeviceModel": "VMware20,1", "Data.DigitizerInfo": 0, "Data.SusClientId": "097C77FB-5D5D-4868-860B-09F4E5B50A53", "Data.WindowsSqmMachineId": "92C86F7C-DB2B-4F6A-95AD-98B4A2AE008A", "Data.ComputerSystemProductUuidHash": "rC2kkStHpWGLvfAgmQZRz4w5ixE=", "Data.DeviceProcessorModel": "Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz", "Data.HasSpectreFix": true, "Data.BootDiskType": "SSD"}
Source: Settings.index.jC7CNxlVt.0.dr	Binary or memory string: hyper-v
Source: Document.doc.scr.exe, 00000000.00000003.1743563853.0000000001540000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \|\|qemu10642
Source: Document.doc.scr.exe, 00000000.00000003.1743563853.0000000001540000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: {6D809377-6AF0-444B-8957-A3773F02200E}\Hyper-V\VMCreate.exe10779
Source: Document.doc.scr.exe, 00000000.00000003.1683665894.0000000001520000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 10/04/2023 10:58:38.204EXCEL (0x1F28)0x1DB0Microsoft ExcelTelemetry Eventb7vzqMediumSendEvent {"EventName":"Office.System.SystemHealthMetadataDeviceConsolidated","Flags":33777031581908737,"InternalSequenceNumber":92,"Time":"2023-10-04T10:58:38.014Z","Rule":"120600.4","Contract":"Office.Legacy.Metadata","Data.ProcTypeText":"x64","Data.ProcessorCount":2,"Data.NumProcShareSingleCore":1,"Data.NumProcShareSingleCache":1,"Data.NumProcPhysCores":2,"Data.ProcSpeedMHz":2000,"Data.IsLaptop":false,"Data.IsTablet":false,"Data.RamMB":4096,"Data.PowerPlatformRole":1,"Data.SysVolSizeMB":50000,"Data.DeviceManufacturer":"VMWare, Inc.","Data.DeviceModel":"VMware20,1","Data.DigitizerInfo":0,"Data.SusClientId":"097C77FB-5D5D-4868-860B-09F4E5B50A53","Data.WindowsSqmMachineId":"92C86F7C-DB2B-4F6A-95AD-98B4A2AE008A","Data.ComputerSystemProductUuidHash":"rC2kkStHpWGLvfAgmQZRz4w5ixE=","Data.DeviceProcessorModel":"Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz","Data.HasSpectreFix":true,"Data.BootDiskType":"SSD"}
Source: Settings.index.jC7CNxlVt.0.dr	Binary or memory string: hyper-vOs and f
Source: Document.doc.scr.exe, 00000000.00000003.1743563853.0000000001540000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware.Workstation.vmui7769
Source: Document.doc.scr.exe, 00000000.00000003.1743563853.0000000001540000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware.Workstation.vmplayer8211
Source: Document.doc.scr.exe, 00000000.00000003.1743563853.0000000001540000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: {7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\VMware\Infrastructure\Virtual Infrastructure Client\Launcher\VpxClient.exe8601
Source: Document.doc.scr.exe, 00000000.00000003.1939350231.0000000001404000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000002.2101878302.0000000001403000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.2091177762.0000000001403000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1933272646.0000000001404000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Document.doc.scr.exe, 00000000.00000003.1625531147.0000000001419000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \Device\HarddiskVolume1\??\Volume{ad6cc5d8-f1a9-4873-be33-91b2f05e9306}\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
Source: Document.doc.scr.exe, 00000000.00000003.1743563853.0000000001540000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \|vmware horizon client\|vm ware8394
Source: Document.doc.scr.exe, 00000000.00000003.1743563853.0000000001540000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \|vmware vsphere client\|vspe6388
Source: Document.doc.scr.exe, 00000000.00000003.1743563853.0000000001540000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \|vmware horizon client\|vdi3894
Source: Document.doc.scr.exe, 00000000.00000003.1887493807.00000000015A4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware20,1
Source: Document.doc.scr.exe, 00000000.00000003.1743563853.0000000001540000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \|vmware horizon client\|view5503
Source: Document.doc.scr.exe, 00000000.00000003.1743563853.0000000001540000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \|vmware workstation 12 player\|vmpl5459
Source: Document.doc.scr.exe, 00000000.00000003.1743563853.0000000001540000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \|\|vmware6886
Source: Document.doc.scr.exe, 00000000.00000003.1743563853.0000000001540000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \|vmware vsphere client\|vcenter5038
Source: Document.doc.scr.exe, 00000000.00000003.1743563853.0000000001540000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \|vmware horizon client\|vmare7220
Source: Document.doc.scr.exe, 00000000.00000003.1743563853.0000000001540000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware.Horizon.Client8097

Source: C:\Users\user\Desktop\Document.doc.scr.exe

Process information queried: ProcessInformation

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\Document.doc.scr.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\ProgramData\D448.tmp	Thread information set: HideFromDebugger

Source: C:\Users\user\Desktop\Document.doc.scr.exe

Code function: 0_2_00BE10BC rdtsc

0_2_00BE10BC

Source: C:\Users\user\Desktop\Document.doc.scr.exe

Code function: 0_2_00BE5A20 LdrLoadDll,

0_2_00BE5A20

Source: C:\Users\user\Desktop\Document.doc.scr.exe	Process token adjusted: Debug
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Process token adjusted: Debug
Source: C:\Users\user\Desktop\Document.doc.scr.exe	Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion

Writes to foreign memory regions

Source: C:\Users\user\Desktop\Document.doc.scr.exe

Memory written: C:\ProgramData\D448.tmp base: 401000

Jump to behavior

Source: C:\Users\user\Desktop\Document.doc.scr.exe	Process created: C:\ProgramData\D448.tmp "C:\ProgramData\D448.tmp"			Jump to behavior
Source: C:\ProgramData\D448.tmp	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\D448.tmp >> NUL

Source: C:\Users\user\Desktop\Document.doc.scr.exe

Code function: 0_2_00BE10BC cpuid

0_2_00BE10BC

Source: C:\ProgramData\D448.tmp

Code function: EntryPoint,ExitProcess,GetModuleHandleW,GetCommandLineW,GetModuleHandleA,GetCommandLineW,GetLocaleInfoW,GetLastError,FreeLibrary,FreeLibrary,GetProcAddress,CreateWindowExW,DefWindowProcW,GetWindowTextW,LoadMenuW,LoadMenuW,DefWindowProcW,SetTextColor,GetTextCharset,TextOutW,SetTextColor,GetTextColor,CreateFontW,GetTextColor,CreateDIBitmap,SelectObject,GetTextColor,CreateFontW,

9_2_00403983

Source: C:\Users\user\Desktop\Document.doc.scr.exe

Code function: 0_2_00BF04B4 GetTempFileNameW,CreateFileW,WriteFile,CreateProcessW,NtQueryInformationProcess,NtReadVirtualMemory,NtProtectVirtualMemory,NtWriteVirtualMemory,CreateNamedPipeW,ResumeThread,ConnectNamedPipe,

0_2_00BF04B4

Lowering of HIPS / PFW / Operating System Security Settings

Overwrites Mozilla Firefox settings

Source: C:\Users\user\Desktop\Document.doc.scr.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\to-be-removed\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\temporary\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.files\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3561288849sdhlie.files\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2918063365piupsah.files\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.files\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.files\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.files\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\security_state\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\saved-telemetry-pings\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\minidumps\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\tmp\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\events\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\db\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\events\jC7CNxlVt.README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\bookmarkbackups\jC7CNxlVt.README.txt	Jump to behavior

Stealing of Sensitive Information

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\1696333829702.cde8135c-88c3-4c34-8670-7ef017742548.new-profile.jsonlz4	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\events\background-update	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\a5d6ec76-765c-4778-afd2-1e05a1554d8e.jC7CNxlVt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini.jC7CNxlVt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\1696333834620.c7889da7-33f0-4599-8452-58d47c58437b.main.jsonlz4	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shm	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite.jC7CNxlVt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\content-prefs.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\pkcs11.txt.jC7CNxlVt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite-shm	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\1696333829744.7278f154-e8f4-4235-84c5-c5c1c6af0084.main.jsonlz4	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\saved-telemetry-pings\6fc53411-ad83-4cf6-a5f6-905f0f3f52e8.jC7CNxlVt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\protections.sqlite.jC7CNxlVt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\1435a377-bbaf-4c9c-8706-0811a779fa3f	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\.metadata-v2	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\.metadata-v2.jC7CNxlVt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\protections.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\808127e8-e7ed-4078-b3f3-7f09061a011f	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\times.json	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\permissions.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\search.json.mozlz4.jC7CNxlVt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite-shm.jC7CNxlVt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\previous.jsonlz4.jC7CNxlVt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\times.json.jC7CNxlVt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json.jC7CNxlVt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite.jC7CNxlVt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\shield-preference-experiments.json.jC7CNxlVt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\xulstore.json.jC7CNxlVt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite-shm.jC7CNxlVt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\webappsstore.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\1696333857860.81ddb4cc-1d49-45f2-961f-e24ea6db2be5.health.jsonlz4	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shm.jC7CNxlVt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shm	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\compatibility.ini.jC7CNxlVt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\Telemetry.FailedProfileLocks.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\12f997af-c065-4562-b9f6-11000bb95c9b	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\277ffbb3-8e94-4f3f-acac-7a401d130160.jC7CNxlVt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\xulstore.json	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\1d5599c8-3f43-42cc-8163-9a43c60a06d1	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\1696333834580.6fc53411-ad83-4cf6-a5f6-905f0f3f52e8.health.jsonlz4	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore.jsonlz4.jC7CNxlVt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\state.json.jC7CNxlVt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\compatibility.ini	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\1696333829744.7278f154-e8f4-4235-84c5-c5c1c6af0084.main.jsonlz4.jC7CNxlVt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite-shm	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\handlers.json.jC7CNxlVt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\1696333829746.67aa4432-87f8-463e-b422-f6679add9971.first-shutdown.jsonlz4.jC7CNxlVt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\pkcs11.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\saved-telemetry-pings\7278f154-e8f4-4235-84c5-c5c1c6af0084.jC7CNxlVt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\webappsstore.sqlite.jC7CNxlVt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\78267ebf-1fb3-4b11-82e9-903e54a2a54e	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\saved-telemetry-pings\45e26519-596d-41a5-b290-e547b44111fd.jC7CNxlVt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\1696333829702.cde8135c-88c3-4c34-8670-7ef017742548.new-profile.jsonlz4.jC7CNxlVt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm.jC7CNxlVt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\times.json	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json.jC7CNxlVt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\saved-telemetry-pings\6fc53411-ad83-4cf6-a5f6-905f0f3f52e8	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\1696333829746.67aa4432-87f8-463e-b422-f6679add9971.first-shutdown.jsonlz4	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db.jC7CNxlVt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\05d02ac8-b2f1-4670-8541-db8ec2bbf427.jC7CNxlVt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\1435a377-bbaf-4c9c-8706-0811a779fa3f.jC7CNxlVt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\saved-telemetry-pings\7278f154-e8f4-4235-84c5-c5c1c6af0084	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shm	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\saved-telemetry-pings\45e26519-596d-41a5-b290-e547b44111fd	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4.jC7CNxlVt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\Telemetry.FailedProfileLocks.txt.jC7CNxlVt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite.jC7CNxlVt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite-shm	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\a5d6ec76-765c-4778-afd2-1e05a1554d8e	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite.jC7CNxlVt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\events\background-update.jC7CNxlVt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\1696333857860.81ddb4cc-1d49-45f2-961f-e24ea6db2be5.health.jsonlz4.jC7CNxlVt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\SiteSecurityServiceState.txt.jC7CNxlVt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\handlers.json	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\3a40aaf9-3f8b-43a2-85e8-88e3ffc7666f.jC7CNxlVt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\upgrade.jsonlz4-20230927232528.jC7CNxlVt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite.jC7CNxlVt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite-shm.jC7CNxlVt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\AlternateServices.txt.jC7CNxlVt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\7d12ac42-15c3-4db9-abfe-259bc8d249ac	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\containers.json.jC7CNxlVt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite.jC7CNxlVt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\shield-preference-experiments.json	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\15f01145-7764-450b-9ad5-323693350a9c	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\content-prefs.sqlite.jC7CNxlVt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\previous.jsonlz4	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-shm.jC7CNxlVt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\1696333857869.95af30ae-acac-4802-b983-233d7fd3cf34.main.jsonlz4.jC7CNxlVt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\1696333857833.45e26519-596d-41a5-b290-e547b44111fd.health.jsonlz4	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore.jsonlz4	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-shm	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\webappsstore.sqlite-shm	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\state.json	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\1696333857860.a73949a2-5a70-4025-8008-88156c16bb4a.event.jsonlz4	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\a7174184-f177-48c4-876a-8a51c2ed8fbc	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\1696333829737.9f7a5e7a-2be0-4ff7-b132-b1f6e59a8e58.event.jsonlz4	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\1696333834606.011115ff-9301-40fc-805e-ba07b7fdfce4.event.jsonlz4.jC7CNxlVt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\808127e8-e7ed-4078-b3f3-7f09061a011f.jC7CNxlVt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\1696333834608.65054280-9d54-477d-a3ea-afcb1f88e001.health.jsonlz4	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite.jC7CNxlVt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionCheckpoints.json	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\containers.json	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\events\events	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extension-preferences.json.jC7CNxlVt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\session-state.json	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite.jC7CNxlVt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\ls-archive.sqlite.jC7CNxlVt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\05d02ac8-b2f1-4670-8541-db8ec2bbf427	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\7d12ac42-15c3-4db9-abfe-259bc8d249ac.jC7CNxlVt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionCheckpoints.json.jC7CNxlVt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\1696333857869.95af30ae-acac-4802-b983-233d7fd3cf34.main.jsonlz4	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js.jC7CNxlVt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite-shm.jC7CNxlVt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\events\events.jC7CNxlVt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\session-state.json.jC7CNxlVt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\1696333834580.6fc53411-ad83-4cf6-a5f6-905f0f3f52e8.health.jsonlz4.jC7CNxlVt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extension-preferences.json	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\times.json.jC7CNxlVt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\15f01145-7764-450b-9ad5-323693350a9c.jC7CNxlVt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\AlternateServices.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\1696333857860.a73949a2-5a70-4025-8008-88156c16bb4a.event.jsonlz4.jC7CNxlVt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shm.jC7CNxlVt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\3a40aaf9-3f8b-43a2-85e8-88e3ffc7666f	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\ls-archive.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\1d5599c8-3f43-42cc-8163-9a43c60a06d1.jC7CNxlVt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\SiteSecurityServiceState.txt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\12f997af-c065-4562-b9f6-11000bb95c9b.jC7CNxlVt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\upgrade.jsonlz4-20230927232528	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite.jC7CNxlVt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\1696333834620.c7889da7-33f0-4599-8452-58d47c58437b.main.jsonlz4.jC7CNxlVt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage.sqlite.jC7CNxlVt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\targeting.snapshot.json	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\webappsstore.sqlite-shm.jC7CNxlVt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\permissions.sqlite.jC7CNxlVt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\search.json.mozlz4	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\1696333829737.9f7a5e7a-2be0-4ff7-b132-b1f6e59a8e58.event.jsonlz4.jC7CNxlVt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db.jC7CNxlVt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\targeting.snapshot.json.jC7CNxlVt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\1696333857833.45e26519-596d-41a5-b290-e547b44111fd.health.jsonlz4.jC7CNxlVt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shm.jC7CNxlVt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\1696333834608.65054280-9d54-477d-a3ea-afcb1f88e001.health.jsonlz4.jC7CNxlVt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite-shm	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\277ffbb3-8e94-4f3f-acac-7a401d130160	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\a7174184-f177-48c4-876a-8a51c2ed8fbc.jC7CNxlVt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\78267ebf-1fb3-4b11-82e9-903e54a2a54e.jC7CNxlVt	Jump to behavior
Source: C:\Users\user\Desktop\Document.doc.scr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\1696333834606.011115ff-9301-40fc-805e-ba07b7fdfce4.event.jsonlz4	Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	112 Process Injection	111 Masquerading	1 OS Credential Dumping	311 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	1 Data Encrypted for Impact
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	11 Virtualization/Sandbox Evasion	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	1 Browser Session Hijacking	1 Proxy	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	112 Process Injection	Security Account Manager	11 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Data from Local System	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Obfuscated Files or Information	NTDS	5 File and Directory Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Indicator Removal	LSA Secrets	122 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 File Deletion	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Document.doc.scr.exe	87%	ReversingLabs	Win32.Ransomware.Lockbit
Document.doc.scr.exe	86%	Virustotal		Browse
Document.doc.scr.exe	100%	Avira	BDS/ZeroAccess.Gen7
Document.doc.scr.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
https://cdn.entity.	0%	URL Reputation	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
https://api.aadrm.com/	0%	URL Reputation	safe
https://api.aadrm.com/	0%	URL Reputation	safe
https://messagebroker.mobile.m365.svc.cloud.microsoft	0%	URL Reputation	safe
https://otelrules.svc.static.microsoft	0%	URL Reputation	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	URL Reputation	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	URL Reputation	safe
https://officeci.azurewebsites.net/api/	0%	URL Reputation	safe
https://my.microsoftpersonalcontent.com	0%	URL Reputation	safe
https://store.office.cn/addinstemplate	0%	URL Reputation	safe
https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta	0%	URL Reputation	safe
https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta	0%	URL Reputation	safe
https://www.odwebp.svc.ms	0%	URL Reputation	safe
https://api.addins.store.officeppe.com/addinstemplate	0%	URL Reputation	safe
https://bugzilla.mo	0%	URL Reputation	safe
https://ncus.contentsync.	0%	URL Reputation	safe
https://wus2.contentsync.	0%	URL Reputation	safe
https://wus2.contentsync.	0%	URL Reputation	safe
https://account.bellmedia.c	0%	URL Reputation	safe
https://skyapi.live.net/Activity/	0%	URL Reputation	safe
https://skyapi.live.net/Activity/	0%	URL Reputation	safe
https://api.cortana.ai	0%	URL Reputation	safe
https://www.amazon.co.uk/	0%	URL Reputation	safe
https://www.amazon.co.uk/	0%	URL Reputation	safe
https://staging.cortana.ai	0%	URL Reputation	safe
https://wus2.pagecontentsync.	0%	URL Reputation	safe
http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onionug	0%	Avira URL Cloud	safe
https://d.docs.live.net	0%	Avira URL Cloud	safe
https://www.bbc.co.uk/	0%	Avira URL Cloud	safe
http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion	100%	Avira URL Cloud	malware
http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onionJK	0%	Avira URL Cloud	safe
http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion.Jr=	0%	Avira URL Cloud	safe
http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onionlWJ	0%	Avira URL Cloud	safe
https://www.bbc.co.uk/	0%	Virustotal		Browse
https://d.docs.live.net	0%	Virustotal		Browse
http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion	13%	Virustotal		Browse

Name	Source	Malicious	Antivirus Detection	Reputation
https://shell.suite.office.com:1443	80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	false		high
https://autodiscover-s.outlook.com/	80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	false		high
https://useraudit.o365auditrealtimeingestion.manage.office.com	80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	false		high
https://firefox.settings.services.mozilla.com/v1/	Document.doc.scr.exe, 00000000.00000003.1878035842.0000000001522000.00000004.00000020.00020000.00000000.sdmp	false		high
https://outlook.office365.com/connectors	80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	false		high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr	80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	false		high
https://cdn.entity.	80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	false	URL Reputation: safe	unknown
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.	Document.doc.scr.exe, 00000000.00000003.1641926636.00000000014C2000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/	80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	false		high
https://rpsticket.partnerservices.getmicrosoftkey.com	80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	false	URL Reputation: safe URL Reputation: safe	unknown
https://lookup.onenote.com/lookup/geolocation/v1	80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	false		high
https://www.leboncoin.fr/	Document.doc.scr.exe, 00000000.00000003.1645091771.00000000014D5000.00000004.00000020.00020000.00000000.sdmp	false		high
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile	80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	false		high
https://api.aadrm.com/	80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	false	URL Reputation: safe URL Reputation: safe	unknown
https://www.yammer.com	80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	false		high
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies	80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	false		high
https://api.microsoftstream.com/api/	80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	false		high
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive	80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	false		high
https://www.msn.com	Document.doc.scr.exe, 00000000.00000003.1877029171.0000000001526000.00000004.00000020.00020000.00000000.sdmp, 3870112724rsegmnoittet-es.sqlite.jC7CNxlVt.0.dr	false		high
https://cr.office.com	80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	false		high
https://messagebroker.mobile.m365.svc.cloud.microsoft	80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	false	URL Reputation: safe	unknown
https://otelrules.svc.static.microsoft	80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	false	URL Reputation: safe	unknown
http://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onionug	Document.doc.scr.exe, 00000000.00000002.2101878302.00000000013D9000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://edge.skype.com/registrar/prod	80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	false		high
https://res.getmicrosoftkey.com/api/redemptionevents	80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	false	URL Reputation: safe URL Reputation: safe	unknown
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94	Document.doc.scr.exe, 00000000.00000003.1641926636.00000000014C2000.00000004.00000020.00020000.00000000.sdmp	false		high
https://tasks.office.com	80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	false		high
https://officeci.azurewebsites.net/api/	80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	false	URL Reputation: safe	unknown
https://my.microsoftpersonalcontent.com	80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	false	URL Reputation: safe	unknown
https://store.office.cn/addinstemplate	80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	false	URL Reputation: safe	unknown
http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion	Document.doc.scr.exe, 00000000.00000002.2101878302.00000000013D9000.00000004.00000020.00020000.00000000.sdmp	true	13%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://edge.skype.com/rps	80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	false		high
https://messaging.engagement.office.com/	80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	false		high
https://www.amazon.com/	Document.doc.scr.exe, 00000000.00000003.1645091771.00000000014D5000.00000004.00000020.00020000.00000000.sdmp	false		high
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	false		high
https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta	Document.doc.scr.exe, 00000000.00000003.1641926636.00000000014C2000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
https://www.odwebp.svc.ms	80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	false	URL Reputation: safe	unknown
https://api.powerbi.com/v1.0/myorg/groups	80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	false		high
https://web.microsoftstream.com/video/	80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	false		high
https://api.addins.store.officeppe.com/addinstemplate	80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	false	URL Reputation: safe	unknown
https://graph.windows.net	80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	false		high
https://MD8.mozilla.org/1/m	Document.doc.scr.exe, 00000000.00000003.1646091627.00000000014D5000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.bbc.co.uk/	Document.doc.scr.exe, 00000000.00000003.1645091771.00000000014D5000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://bugzilla.mo	Document.doc.scr.exe, 00000000.00000003.1645091771.00000000014D5000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://consent.config.office.com/consentcheckin/v1.0/consents	80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	false		high
https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices	80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	false		high
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json	80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	false		high
https://d.docs.live.net	80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://safelinks.protection.outlook.com/api/GetPolicy	80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	false		high
https://ncus.contentsync.	80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	false	URL Reputation: safe	unknown
https://firefox-settings-attachments.cdn.mozilla.net/	Document.doc.scr.exe, 00000000.00000003.1878035842.0000000001522000.00000004.00000020.00020000.00000000.sdmp	false		high
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/	80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	false		high
http://weather.service.msn.com/data.aspx	80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	false		high
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios	80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	false		high
https://www.iqiyi.com/	Document.doc.scr.exe, 00000000.00000003.1645091771.00000000014D5000.00000004.00000020.00020000.00000000.sdmp	false		high
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml	80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	false		high
https://pushchannel.1drv.ms	80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	false		high
https://wus2.contentsync.	80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	false	URL Reputation: safe URL Reputation: safe	unknown
https://clients.config.office.net/user/v1.0/ios	80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	false		high
https://api.addins.omex.office.net/api/addins/search	80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	false		high
https://outlook.office365.com/api/v1.0/me/Activities	80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	false		high
https://clients.config.office.net/user/v1.0/android/policies	80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	false		high
https://entitlement.diagnostics.office.com	80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	false		high
https://www.tsn.ca	Document.doc.scr.exe, 00000000.00000003.1877029171.0000000001526000.00000004.00000020.00020000.00000000.sdmp	false		high
https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json	80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	false		high
https://outlook.office.com/	80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	false		high
https://storage.live.com/clientlogs/uploadlocation	80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	false		high
https://account.bellmedia.c	3870112724rsegmnoittet-es.sqlite.jC7CNxlVt.0.dr	false	URL Reputation: safe	unknown
https://login.microsoftonline.com	Document.doc.scr.exe, 00000000.00000003.1877029171.0000000001526000.00000004.00000020.00020000.00000000.sdmp, 3870112724rsegmnoittet-es.sqlite.jC7CNxlVt.0.dr, 80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	false		high
https://substrate.office.com/search/api/v1/SearchHistory	80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	false		high
https://www.zhihu.com/	Document.doc.scr.exe, 00000000.00000003.1645091771.00000000014DF000.00000004.00000020.00020000.00000000.sdmp	false		high
https://clients.config.office.net/c2r/v1.0/InteractiveInstallation	80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	false		high
https://graph.windows.net/	80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	false		high
https://devnull.onenote.com	80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	false		high
https://messaging.office.com/	80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	false		high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing	80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	false		high
https://skyapi.live.net/Activity/	80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	false	URL Reputation: safe URL Reputation: safe	unknown
https://api.cortana.ai	80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	false	URL Reputation: safe	unknown
https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg	Document.doc.scr.exe, 00000000.00000003.1641926636.00000000014C2000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.amazon.co.uk/	Document.doc.scr.exe, 00000000.00000003.1645091771.00000000014D5000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
https://messaging.action.office.com/setcampaignaction	80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	false		high
https://visio.uservoice.com/forums/368202-visio-on-devices	80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	false		high
http://kinto.readthedocs.io/en/latest/tutorials/synchronisation.html#polling-for-remote-changes	Document.doc.scr.exe, 00000000.00000003.1878035842.0000000001522000.00000004.00000020.00020000.00000000.sdmp	false		high
http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onionJK	Document.doc.scr.exe, 00000000.00000002.2101878302.00000000013D9000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://staging.cortana.ai	80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	false	URL Reputation: safe	unknown
https://onedrive.live.com/embed?	80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	false		high
https://augloop.office.com	80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	false		high
https://www.wykop.pl/	Document.doc.scr.exe, 00000000.00000003.1645091771.00000000014D5000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.olx.pl/	Document.doc.scr.exe, 00000000.00000003.1645091771.00000000014DF000.00000004.00000020.00020000.00000000.sdmp, Document.doc.scr.exe, 00000000.00000003.1645091771.00000000014D5000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.diagnosticssdf.office.com/v2/file	80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	false		high
https://prod.mds.office.com/mds/api/v1.0/clientmodeldirectory	80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	false		high
https://officepyservice.office.net/	80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	false		high
http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion.Jr=	Document.doc.scr.exe, 00000000.00000002.2101878302.00000000013D9000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	low
https://api.diagnostics.office.com	80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	false		high
http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onionlWJ	Document.doc.scr.exe, 00000000.00000002.2101878302.00000000013D9000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://github.com/Kinto/kinto-attachment/	Document.doc.scr.exe, 00000000.00000003.1878035842.0000000001522000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.office.de/addinstemplate	80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	false		high
https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg	Document.doc.scr.exe, 00000000.00000003.1641926636.00000000014C2000.00000004.00000020.00020000.00000000.sdmp	false		high
https://wus2.pagecontentsync.	80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	false	URL Reputation: safe	unknown
https://api.powerbi.com/v1.0/myorg/datasets	80E5AD7B-B7F0-4875-BF29-ED264BCAFC67.8.dr	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1432010
Start date and time:	2024-04-26 09:15:05 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 17s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Document.doc.scr.exe
Detection:	MAL
Classification:	mal100.rans.phis.spyw.evad.winEXE@9/1664@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 84 Number of non-executed functions: 6
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, printfilterpipelinesvc.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.109.0.91, 52.109.8.36, 52.113.194.132, 23.213.224.106, 52.182.143.214
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, ecs-office.s-0005.s-msedge.net, roaming.officeapps.live.com, osiprod-cus-buff-azsc-000.centralus.cloudapp.azure.com, ocsp.digicert.com, login.live.com, e16604.g.akamaiedge.net, wus-azsc-config.officeapps.live.com, officeclient.microsoft.com, prod.fs.microsoft.com.akadns.net, ecs.office.com, self-events-data.trafficmanager.net, fs.microsoft.com, prod.configsvc1.live.com.akadns.net, self.events.data.microsoft.com, ctldl.windowsupdate.com, prod.roaming1.live.com.akadns.net, s-0005-office.config.skype.com, cus-azsc-000.roaming.officeapps.live.com, fe3cr.delivery.mp.microsoft.com, us1.roaming1.live.com.akadns.net, s-0005.s-msedge.net, config.officeapps.live.com, us.configsvc1.live.com.akadns.net, onedscolprdcus19.centralus.cloudapp.azure.com, ecs.office.trafficmanager.net
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtQueryVolumeInformationFile calls found.
Report size getting too big, too many NtReadFile calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Report size getting too big, too many NtWriteFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
09:16:28	API Interceptor	97x Sleep call for process: splwow64.exe modified

Process:	C:\Users\user\Desktop\Document.doc.scr.exe
File Type:	data
Category:	dropped
Size (bytes):	129
Entropy (8bit):	6.5285554530473515
Encrypted:	false
SSDEEP:	3:DvKOnan8bIswbr/dvGQ1Im/MPLSyJVzE7+col:+IanmIP1hKmyJtjl
MD5:	A09443444F33169624379B9D51FC6488
SHA1:	D29BDEC3E34278C4A36C5B8DC9AEDF6A92C8F160
SHA-256:	32F15D73E7781E8D68CBD4D3DF1BA445FFC8A693AADE300CEA98EF942BA404FC
SHA-512:	0C990D2EABBC202BCEB363259F2BE2B68CA51C9784D48C330677E5ABC1DDBC3F44CC1F946E1771845AEC0380080BEF8B249C7B0A8A997C229F29808166012836
Malicious:	false
Reputation:	low
Preview:	P.t..Hp.y.U.H...J....8..=..\|^.F..O..D.K.......Jv.o......U6.1..,`D...~.Y/.Pe.'-.1i....`Se.....8....*....I.^.r...$..!..9...

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	166208
Entropy (8bit):	5.340926777317099
Encrypted:	false
SSDEEP:	1536:S+C7FPgOsB3U9guwwJQ9DQA+zqzhQik4F77nXmvYd8XRTEwreOR6Y:vIQ9DQA+zqzMXeMT
MD5:	7CAE8EED86B6E10D94DE810168EC7B93
SHA1:	A45E10B8FA0E797D6C8231278439AF491835F066
SHA-256:	3E14ABE9A26B545CF1FA0A34BC37A1969E651AE293A83CF7056D5C2E9036439D
SHA-512:	B563E4A5B5E767E48BFAF11B0C6F86788429969D9DDC1AD23CB274B5180F575672BE71B0FA4A66EBD36D9A8EE7D3E3731BA48E8E65CFD024FB15AC392C00D0FD
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2024-04-26T07:16:42">.. Build: 16.0.17619.40127-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://word-edit.officeapps.live.com/we/rrdiscovery.ashx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId" o:authentication="1">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. <o:ticket o:policy="MBI_SSL_SHORT" o:idprovider="1" o:target="[MAX.AuthHost]" o:headerValue="Passport1.4 from-PP='{}&p='" />.. <o:ticket o:idprovider="3" o:headerValue="Bearer {}" o:resourceId="[MAX.ResourceId]" o:authorityUrl="[ADALAuth

Process:	C:\ProgramData\D448.tmp
File Type:	data
Category:	dropped
Size (bytes):	199168
Entropy (8bit):	7.997206186701459
Encrypted:	true
SSDEEP:	3072:YFnNTZknQJKICz3JDlAhD1pasZFnNTZknQJKICz3JDlAhD1pasZFnNTZknQJKICo:YlfkaKJ50mylfkaKJ50mylfkaKJ50myl
MD5:	C5926FE8EBDF01BB456FE640C1EB3364
SHA1:	669009FBF8A30AE2D8FE4373FB35098F3D137F4D
SHA-256:	E5A1A8B017A700A350EC9B30D4F86748B08FE5C1DF4FB13C3B7EC5BC99E1E7D7
SHA-512:	372E8720D82B76DFEC41080BE51F60BF19575958526006974D6DE3C7A7B87C0744E756C837AB7AE43005845150BC3B752497193BE7A7CC8C04B47794F9A69DDA
Malicious:	true
Preview:	U.F..5).....C..!...#.T.%0v..wl}.....J/Zs..a?..."....ui<....M...^...%..7.-T...p{..7_x.(].....QX..B.8....,'..z0.....l0.+.....Q......."....;.M.RZ.)..v...sMV"C.1A.N=...K.:o[.].....\x......#.G.=....0L.f..."4.,.9.....l.eHb.=#3.S.....(.m....s...Q...{n....H..<..O..E\......<.yE[CTQ..7QlA.j.].KX...5Y......8?\.H....".]..m.]e.@.....\...LC.S._...Z...>.....U.....}......vs.JYGM....._.rNw..E......Ju.~.O..]Y..dm..O....\|..Y..Xa.z.e...6J...i...)...a..............B?9..o.......4.........'..\|...&.^~....`.+.t0..J........Bo...s8....K]Yu3b.!b.'.".a.t..J.. /hk.J......J.q...h`SXZ]...(.......U-.9...$.0...(..b..~......v..D.2z....X.w"}..w...v.Y.0..r.. .....3.....".t...T...>....G......._.@..!....R.......i.....u..F..cC.I...[....$8...;...4......,....N*.f..P.S..o....u........C.....,.v.v.....t.Xa.m{..4..\|....j.xVk..{...@..5..."........V....w.._Y\|A\..J...o.....g....y.z.r..$...y.J.sY...+`.\|.B];).:...;..q......7.....U)..S.K...K.)PoIj....M...:C....s....T..=..8.R3..X

Process:	C:\Windows\splwow64.exe
File Type:	Microsoft OOXML
Category:	dropped
Size (bytes):	13754285
Entropy (8bit):	7.893000182545878
Encrypted:	false
SSDEEP:	196608:fRmySp2JVWzk7Q7LBIUEqiodDe+xjCmcn6EZLnxdG7XzAkbY0TSeInzeEtuirF6n:f8eb697bEOQaFZaJBM
MD5:	FB2A084C7827E647DAF064975DEC4F3D
SHA1:	FE5CDE6BE4052D0CA8F6D453C078F90013770743
SHA-256:	BBCD9BAC8276AFDAB4C48B2D59079C1789563FB372A6BA877F3CF1001541EAF1
SHA-512:	B0B581C7FA8286091867CA30423E0334850C62F68E6472607C0FA2B69CC5BB2A2536CBC5C947749F951022D4ABE27AB31D8020989E8D5674BAB405DC26DB7E4E
Malicious:	false
Preview:	PK.........K.X................[Content_Types].xml/[0].piece.....0..W..o.x .....e.(....Ql!..<...S^.MMw....#Nr.9....p..:..J.z..`3..DM....T.n..J..-c...3....&a#......PK....X.j...q...PK.........K.X................[Content_Types].xml/[1].piece..1..0....eE$....{e.C.&..X.........H\., .....o.T..i.."...K.s..4..VW...i+.Ak.....}....\.+..O?PK..K..jb...l...PK.........K.X................_rels/.rels/[0].pieceM.A..!.E.B.w...1.....9@...C!...?,].......f..4.qp.,.._^I...y?\`.....Cc.jF". .^...#g.T.A.e.c.........3.....PK...BpJl...y...PK.........K.X................_rels/.rels/[1].piece..K..0....9@&.....nk/.....O3S...s....L/'.UN...'.......P....UO:....=X......B..gD...c]...[..[..3..9.9a.... .....N.PK..4...u.......PK.........K.X................[Content_Types].xml/[2].piece-.A.. .F....p.u.q.&....!...m..[.n_^..kA.......>\|.......f....`........}..F..(v.6.t...0-.n.C\|@.N-.Z...PK....[Pm...{...PK.........K.X............%...FixedDocumentSequence.fdseq/[0].pieceU.M..0.F..fo&.....H.`..2.....H.o..p

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	22
Entropy (8bit):	4.186704345910024
Encrypted:	false
SSDEEP:	3:otlXoov:ot+ov
MD5:	A590DA831909370329BCD170F3428AB3
SHA1:	9008557084249ED914B5D5BFFA325CDE05E07D83
SHA-256:	ABB634AB5497D4FBC4AC0ECDC8980373E99212FDDFBE36DA8151C60F66CC0C66
SHA-512:	E77EF75DED079BC46D61B680B9FF68E7BC158B5A39C6BC27FDAB550D379424E571D0357ED0608A750BD25E39F5C3FA7AB6EA5128E5CF0B73FC5EAC889D180973
Malicious:	false
Preview:	C:\PROGRA~3\D448.tmp..

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.773638151073258
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Document.doc.scr.exe
File size:	199'168 bytes
MD5:	407ea767aa26ae13f9ff20d0999c8dda
SHA1:	07e615132ef78e827047ffc4cc6c9d44f5a976fd
SHA256:	f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4
SHA512:	6c14d07b497af375f2f4db4da321ed7e5fb60a6f26281bcdbfc513eb1033d98442ff83ee58849a721bd7e14a0b7094b98397923c35bd4b6ae91c179784de6b02
SSDEEP:	3072:L6glyuxE4GsUPnliByocWepVeKna4iJ0Cv+LmaGqsqRxB:L6gDBGpvEByocWePk4iJ0C2LYcx
TLSH:	AC145B20F251A8B3C42724F52A32E571739A9F2D1D6C180FEAB53F0A6CB65D32B15D4B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...e..c............................o.............@..........................P.......f....@...........@....................

Entrypoint:	0x41946f
Entrypoint Section:	.itext
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x631A9665 [Fri Sep 9 01:27:01 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	41fb8cb2943df6de998b35a9d28668e8

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1a230	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x27000	0xc160	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x34000	0xfd0	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x1a120	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1a000	0x70	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x17de8	0x17e00	cfbda2c44e51b3b0b00bcbbc767c62a2	False	0.48375122709424084	data	6.634079266913224	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext	0x19000	0x546	0x600	6f4cd57381bb5584c0a0755384d25180	False	0.251953125	data	2.9337361310958805	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x1a000	0x492	0x600	bd829aa493ecd52fe5bec776d207f206	False	0.3671875	data	3.5366359784052652	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x1b000	0xadc8	0xa000	946dc0ed16a69bcd5d8b2e54d7816d73	False	0.9826416015625	SysEx File -	7.9882343419366055	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x26000	0x88f	0xa00	01e60c1569b6b7196ce1bbe9507a1fcf	False	0.88046875	data	7.326988333068622	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x27000	0xc160	0xc200	0498258b0cc68156e1295f5d17bb63e6	False	0.22473018685567012	data	4.478609900548174	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x34000	0xfd0	0x1000	3f87e4c23650dfad0bee7da98889ba94	False	0.843505859375	GLS_BINARY_LSB_FIRST	6.738987246879603	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x271f0	0x176d	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9296314824078706
RT_ICON	0x28960	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 0	0.0973665564478035
RT_ICON	0x2cb88	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	0.13340248962655601
RT_ICON	0x2f130	0x1a68	Device independent bitmap graphic, 40 x 80 x 32, image size 0	0.16715976331360946
RT_ICON	0x30b98	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	0.20309568480300189
RT_ICON	0x31c40	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	0.2721311475409836
RT_ICON	0x325c8	0x6b8	Device independent bitmap graphic, 20 x 40 x 32, image size 0	0.34244186046511627
RT_ICON	0x32c80	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	0.41932624113475175
RT_GROUP_ICON	0x330e8	0x76	data	0.7457627118644068

DLL	Import
gdi32.dll	SetPixel, SetDCBrushColor, SelectPalette, GetTextColor, GetDeviceCaps, CreateSolidBrush
USER32.dll	DefWindowProcW, CreateMenu, EndDialog, GetDlgItem, GetKeyNameTextW, GetMessageW, GetWindowTextW, IsDlgButtonChecked, LoadImageW, LoadMenuW, DialogBoxParamW
KERNEL32.dll	SetLastError, LoadLibraryW, GetTickCount, GetLastError, GetCommandLineW, GetCommandLineA, FreeLibrary

Target ID:	0
Start time:	09:15:50
Start date:	26/04/2024
Path:	C:\Users\user\Desktop\Document.doc.scr.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Document.doc.scr.exe"
Imagebase:	0xbe0000
File size:	199'168 bytes
MD5 hash:	407EA767AA26AE13F9FF20D0999C8DDA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_LockBit_ransomware, Description: Yara detected LockBit ransomware, Source: 00000000.00000002.2100861125.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: Windows_Ransomware_Lockbit_369e1e94, Description: unknown, Source: 00000000.00000002.2100861125.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Author: unknown Rule: JoeSecurity_LockBit_ransomware, Description: Yara detected LockBit ransomware, Source: 00000000.00000003.2091177762.00000000013F1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_LockBit_ransomware, Description: Yara detected LockBit ransomware, Source: 00000000.00000000.1618448431.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: Windows_Ransomware_Lockbit_369e1e94, Description: unknown, Source: 00000000.00000000.1618448431.0000000000BE1000.00000020.00000001.01000000.00000003.sdmp, Author: unknown Rule: JoeSecurity_LockBit_ransomware, Description: Yara detected LockBit ransomware, Source: 00000000.00000002.2101878302.00000000013D9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Target ID:	8
Start time:	09:16:38
Start date:	26/04/2024
Path:	C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE
Wow64 process (32bit):	true
Commandline:	/insertdoc "C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\{E6830A1B-81EB-4C98-A5C6-BA0FB0C332A2}.xps" 133585893886890000
Imagebase:	0xd20000
File size:	2'191'768 bytes
MD5 hash:	0061760D72416BCF5F2D9FA6564F0BEA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Target ID:	10
Start time:	09:16:39
Start date:	26/04/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\D448.tmp >> NUL
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Execution Coverage:	22%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	16.4%
Total number of Nodes:	1983
Total number of Limit Nodes:	12

Execution Coverage:	32.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	1.3%
Total number of Nodes:	160
Total number of Limit Nodes:	1

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Document.doc.scr.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\AAAAAAAAAAA (copy)

C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\BBBBBBBBBBB (copy)

C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\CCCCCCCCCCC (copy)

C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\DDDDDDDDDDD (copy)

C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\EEEEEEEEEEE (copy)

C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\FFFFFFFFFFF (copy)

C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\GGGGGGGGGGG (copy)

C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\HHHHHHHHHHH (copy)

C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\IIIIIIIIIII (copy)

C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\JJJJJJJJJJJ (copy)

C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\KKKKKKKKKKK (copy)

C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\LLLLLLLLLLL (copy)

C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\MMMMMMMMMMM (copy)

C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\NNNNNNNNNNN (copy)

C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\OOOOOOOOOOO (copy)

C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\PPPPPPPPPPP (copy)

C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1000\QQQQQQQQQQQ (copy)

Windows Analysis Report
Document.doc.scr.exe

Description:	Adversaries may delete or modify artifacts generated within systems to remove evidence of their presence or hinder defenses. Various artifacts may be created by an adversary or something that can be attributed to an adversary’s actions. Typically these artifacts are used as defensive indicators related to monitored events, such as strings from downloaded files, logs that are generated from user actions, and other data analyzed by defenders. Location, format, and type of artifact (such as command or login history) are often specific to each platform.
Tactics:	Defense Evasion
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Deletion, File: File Metadata, File: File Modification, Firewall: Firewall Rule Modification, Network Traffic: Network Traffic Content, Process: OS API Execution, Process: Process Creation, Scheduled Job: Scheduled Job Modification, User Account: User Account Authentication, User Account: User Account Deletion, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, Google Workspace, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.
Tactics:	Collection
Data Sources:	Logon Session: Logon Session Creation, Process: Process Access, Process: Process Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre