Malware Analysis Report

2024-10-18 21:59

Sample ID 241012-22p9cszhqk
Target 41364427dee49bf544dcff61a6899b3b7e59852435e4107931e294079a42de7c.zip
SHA256 c4a53b32522a07a31d23ee634fc468979901aff9089773dca021fc10c2443d17
Tags: ordinypt defense_evasion discovery execution impact ransomware spyware stealer trojan wiper
Score: 10/10

Analysis Overview

score
10/10

SHA256

c4a53b32522a07a31d23ee634fc468979901aff9089773dca021fc10c2443d17

Threat Level: Known bad

The file 41364427dee49bf544dcff61a6899b3b7e59852435e4107931e294079a42de7c.zip was found to be: Known bad.

Malicious Activity Summary

ordinypt defense_evasion discovery execution impact ransomware spyware stealer trojan wiper

Ordinypt

Renames multiple (210) files with added filename extension

Deletes shadow copies

Renames multiple (154) files with added filename extension

Drops file in Drivers directory

Drops startup file

Checks computer location settings

Reads user/profile data of web browsers

Enumerates connected drives

Drops file in System32 directory

Suspicious use of SetThreadContext

Drops file in Windows directory

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

Browser Information Discovery

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Uses Volume Shadow Copy service COM API

Suspicious use of SendNotifyMessage

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Enumerates system info in registry

Suspicious use of SetWindowsHookEx

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Interacts with shadow copies

Suspicious use of AdjustPrivilegeToken

Analysis: static1

Detonation Overview

Reported

2024-10-12 23:04

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-12 23:04

Reported

2024-10-12 23:07

Platform

win7-20241010-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe"

Signatures

Ordinypt

wiper trojan ordinypt

Deletes shadow copies

ransomware defense_evasion impact execution

Renames multiple (210) files with added filename extension

ransomware

Drops file in Drivers directory


Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dqn8v_Entschluesselungs_Anleitung.html | C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\dqn8v_Entschluesselungs_Anleitung.html | C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives


Drops file in System32 directory


Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 796 set thread context of 1636 | N/A | C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe | C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe

Drops file in Program Files directory


Drops file in Windows directory


Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\vssadmin.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A

Modifies Internet Explorer settings

adware spyware

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 796 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe
PID 1636 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1636 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe C:\Windows\SysWOW64\cmd.exe
PID 2108 wrote to memory of 1520 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1872 wrote to memory of 2164 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\vssadmin.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe

"C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe"

C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe

C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\dqn8v_Entschluesselungs_Anleitung.html

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2108 CREDAT:275457 /prefetch:2

C:\Windows\SysWOW64\vssadmin.exe

vssadmin.exe delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 cdnjs.cloudflare.com udp
US 104.17.25.14:443 cdnjs.cloudflare.com tcp
US 104.17.25.14:443 cdnjs.cloudflare.com tcp
US 8.8.8.8:53 c.pki.goog udp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.178.3:80 c.pki.goog tcp
GB 142.250.178.3:80 c.pki.goog tcp
US 8.8.8.8:53 expandingdelegation.top udp

Files

memory/796-0-0x0000000001E10000-0x0000000001E43000-memory.dmp

memory/796-1-0x00000000008F0000-0x00000000008F1000-memory.dmp

memory/796-2-0x00000000008F0000-0x00000000008F1000-memory.dmp

memory/796-3-0x00000000008F0000-0x00000000008F1000-memory.dmp

memory/796-4-0x00000000008F0000-0x00000000008F1000-memory.dmp

memory/796-5-0x0000000001E10000-0x0000000001E43000-memory.dmp

memory/796-6-0x00000000008F0000-0x00000000008F1000-memory.dmp

memory/1636-7-0x0000000000230000-0x0000000000231000-memory.dmp

memory/796-14-0x0000000001E10000-0x0000000001E43000-memory.dmp

C:\$Recycle.Bin\dqn8v_Entschluesselungs_Anleitung.html

MD5 039d2aff1e39a3c64f2b257b446b7312
SHA1 071fe40291476beeb80ce1c486ec16d101d80a3e
SHA256 66d5e3db79764fd38aa979e1b83803564079491166d90dd6bafa2e63a101878a
SHA512 e7a344fe637cbd60a8de4b9e997b4d90859a2bc94040c4c8777e8048e1a5e8cc24414cd3f72d9b7920d8749e450bcffd758d826b02e24fe4751dc71509997917

memory/1636-809-0x0000000000400000-0x0000000000471000-memory.dmp

memory/1636-811-0x0000000000230000-0x0000000000231000-memory.dmp

memory/1636-1645-0x0000000000400000-0x0000000000471000-memory.dmp

memory/1636-2978-0x0000000000400000-0x0000000000471000-memory.dmp

memory/1636-4029-0x0000000000400000-0x0000000000471000-memory.dmp

memory/1636-5539-0x0000000000400000-0x0000000000471000-memory.dmp

memory/1636-6767-0x0000000000400000-0x0000000000471000-memory.dmp

memory/1636-7739-0x0000000000400000-0x0000000000471000-memory.dmp

memory/1636-7740-0x0000000000400000-0x0000000000471000-memory.dmp

memory/1636-7741-0x0000000000400000-0x0000000000471000-memory.dmp

memory/1636-7743-0x0000000000400000-0x0000000000471000-memory.dmp

memory/1636-7744-0x0000000000400000-0x0000000000471000-memory.dmp

C:\Users\Admin\Desktop\dqn8v_Entschluesselungs_Anleitung.html

MD5 68c06f104e7aa960ae7743d425e29835
SHA1 f870229ff9044fb36e309e2fe6607f97cc8a2792
SHA256 80bd45d55f1838b8f55aad972872ae5b98c3d14ec26b50c7a5ff0dd5c87c2ebf
SHA512 d8add0ab00c3c9719531d6716eff9865d60750a15b2965054126961269d2d0aa22c0952b82fcb31f5141cbea3b2f00990ec04fb8e8805d425c053d609547a3e4

C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\dqn8v_Entschluesselungs_Anleitung.html

MD5 715fee6a82c9cd1800b53a56c5fe708c
SHA1 64e5bd15955edf8e206854711a52d51d53189f4a
SHA256 0fb7f641200d841330dd15150d617ee0f1eb88cc0bdacfefb88da6840ae4432e
SHA512 a7af77bbac8e745286c2d4bdf3304c23cf65f9714dde96910cbeb0ba4b3c54bfcc37f3e7ca9e7eaae3a036e3a967539be03a3d5a71548c5e2c593022c1acc442

memory/1636-7760-0x0000000000400000-0x0000000000471000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Tar6A99.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\Local\Temp\Cab6A98.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

memory/1636-8208-0x0000000000400000-0x0000000000471000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-10-12 23:04

Reported: 2024-10-12 23:07

Platform: win10v2004-20241007-en

Max time kernel: 142s

Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe"

Signatures

Ordinypt

wiper trojan ordinypt

Renames multiple (154) files with added filename extension

ransomware

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\drivers\en-US\cbBbW_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\SysWOW64\drivers\uk-UA\cbBbW_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\SysWOW64\drivers\UMDF\en-US\cbBbW_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\it-IT\cbBbW_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\SysWOW64\drivers\it-IT\cbBbW_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\SysWOW64\drivers\ja-JP\cbBbW_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\SysWOW64\drivers\UMDF\cbBbW_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\SysWOW64\drivers\cbBbW_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\fr-FR\cbBbW_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\uk-UA\cbBbW_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\SysWOW64\drivers\de-DE\cbBbW_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\SysWOW64\drivers\en-US\cbBbW_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\cbBbW_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\UMDF\en-US\cbBbW_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\UMDF\cbBbW_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\de-DE\cbBbW_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\es-ES\cbBbW_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\ja-JP\cbBbW_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\SysWOW64\drivers\es-ES\cbBbW_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\SysWOW64\drivers\fr-FR\cbBbW_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cbBbW_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\cbBbW_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\System32\DriverStore\FileRepository\prnms006.inf_amd64_c3bdcb6fc975b614\cbBbW_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\wvmic_guestinterface.inf_amd64_192114845ec44b66\cbBbW_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\ConfigCI\it-IT\cbBbW_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Dism\cbBbW_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_WaitForAll\es-ES\cbBbW_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\mbtr8897w81x64.inf_amd64_0d8225e7d2696ece\cbBbW_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\net8192se64.inf_amd64_167684f9283b4eca\cbBbW_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\scmvolume.inf_amd64_6957cfb7d6fea5c7\cbBbW_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File opened for modification C:\Windows\SysWOW64\InstallShield\setupdir\0003\cbBbW_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\SysWOW64\InstallShield\setupdir\000b\cbBbW_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\SysWOW64\Com\ja-JP\cbBbW_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\volsnap.inf_amd64_ce438b6e0c5b1af2\cbBbW_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_EnvironmentResource\cbBbW_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\mdmusrsp.inf_amd64_4c83ce3a06d0048e\cbBbW_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AssignedAccess\uk-UA\cbBbW_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\SysWOW64\Configuration\Registration\MSFT_FileDirectoryConfiguration\de-DE\cbBbW_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\wvmgid.inf_amd64_3a0240393de08f95\cbBbW_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\SysWOW64\en-US\Licenses\_Default\Professional\cbBbW_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\SysWOW64\Licenses\neutral\_Default\Professional\cbBbW_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\c_diskdrive.inf_amd64_1debcd2bd95e9c0c\cbBbW_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Management\cbBbW_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File opened for modification C:\Windows\SysWOW64\Tasks\Microsoft\Windows\RemoteApp and Desktop Connections Update\cbBbW_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\mdmaiwa4.inf_amd64_b74e18ebf47de72a\cbBbW_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\SysWOW64\uk-UA\Licenses\OEM\Professional\cbBbW_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File opened for modification C:\Windows\SysWOW64\wbem\tmf\cbBbW_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\MsDtc\fr\cbBbW_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_WaitForAll\fr-FR\cbBbW_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\SysWOW64\DiagSvcs\ja-JP\cbBbW_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\c_cashdrawer.inf_amd64_a648ee708660440c\cbBbW_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netwmbclass.inf_amd64_dba6eeaf0544a4e0\cbBbW_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File opened for modification C:\Windows\SysWOW64\SMI\Store\Machine\cbBbW_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\MsDtc\es\cbBbW_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netl160a.inf_amd64_e4cbe375963a69e9\cbBbW_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\VpnClient\es-ES\cbBbW_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File opened for modification C:\Windows\SysWOW64\WCN\fr-FR\cbBbW_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_UserResource\cbBbW_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\c_floppydisk.inf_amd64_bc7bd9dca28933ec\cbBbW_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\mdmmega.inf_amd64_f35131186d3026aa\cbBbW_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\SysWOW64\InstallShield\setupdir\001a\cbBbW_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\mdmnttp.inf_amd64_527c415254a7e378\cbBbW_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\ykinx64.inf_amd64_0bbd8466b526ef26\cbBbW_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File opened for modification C:\Windows\SysWOW64\de-DE\Licenses\OEM\Professional\cbBbW_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File opened for modification C:\Windows\SysWOW64\slmgr\0411\cbBbW_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\audioendpoint.inf_amd64_4fc4a632c1490033\cbBbW_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\c_fsencryption.inf_amd64_b4b4845819a23338\cbBbW_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\mdmcpv.inf_amd64_906547002cc7c58e\cbBbW_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\mdmzyp.inf_amd64_19eb30e94285f2a6\cbBbW_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File opened for modification C:\Windows\SysWOW64\Com\es-ES\cbBbW_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\ConfigCI\cbBbW_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\TroubleshootingPack\cbBbW_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\SysWOW64\Bthprops\cbBbW_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.ODataUtils\ja-JP\cbBbW_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCClassResources\cbBbW_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File opened for modification C:\Windows\SysWOW64\Speech_OneCore\Engines\TTS\cbBbW_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File opened for modification C:\Windows\SysWOW64\wbem\Logs\cbBbW_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\it\cbBbW_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\ServiceSet\cbBbW_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\c_firmware.inf_amd64_36e4e17f210128ab\cbBbW_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\prnms007.inf_amd64_8bbf44975c626ac5\Amd64\cbBbW_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\CimCmdlets\cbBbW_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File opened for modification C:\Windows\SysWOW64\GroupPolicyUsers\cbBbW_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\SysWOW64\config\RegBack\cbBbW_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\prnms014.inf_amd64_faec3fc366f8e1fa\cbBbW_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\SysWOW64\en-US\Licenses\_Default\cbBbW_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2276 set thread context of 3552 N/A C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\cbBbW_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\cbBbW_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\tr-tr\cbBbW_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\fi-fi\cbBbW_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\tool\cbBbW_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\themes\dark\cbBbW_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files (x86)\Windows Photo Viewer\de-DE\cbBbW_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\bg-BG\cbBbW_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\cbBbW_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\hu-hu\cbBbW_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\ja-jp\cbBbW_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files\Common Files\System\msadc\en-US\cbBbW_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\sk-sk\cbBbW_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\cbBbW_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Views\Utilities\cbBbW_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\dtplugin\cbBbW_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\cbBbW_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\hu-hu\cbBbW_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\fi-fi\cbBbW_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\AppxMetadata\cbBbW_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\dc-annotations\cbBbW_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\sq\cbBbW_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\audio_mixer\cbBbW_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_x64__8wekyb3d8bbwe\Assets\cbBbW_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\cbBbW_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\en-US\cbBbW_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\he-il\cbBbW_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\de-de\cbBbW_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\VBA\VBA7.1\1033\cbBbW_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\PhotosApp\Assets\cbBbW_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\cbBbW_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Microsoft.UI.Xaml\cbBbW_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\cbBbW_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\ko-kr\cbBbW_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\cbBbW_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\sd\cbBbW_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A

Drops file in Windows directory


Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2276 wrote to memory of 3552 N/A C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe
PID 3552 wrote to memory of 3192 N/A C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3192 wrote to memory of 4296 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3552 wrote to memory of 3836 N/A C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe C:\Windows\SysWOW64\cmd.exe
PID 3192 wrote to memory of 396 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3192 wrote to memory of 396 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3192 wrote to memory of 396 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3192 wrote to memory of 396 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3192 wrote to memory of 396 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3192 wrote to memory of 396 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3192 wrote to memory of 396 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3192 wrote to memory of 396 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3192 wrote to memory of 396 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3192 wrote to memory of 396 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3192 wrote to memory of 396 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3192 wrote to memory of 396 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3192 wrote to memory of 396 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3192 wrote to memory of 396 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3192 wrote to memory of 3064 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3192 wrote to memory of 2900 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe

"C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe"

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv

C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe

C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\cbBbW_Entschluesselungs_Anleitung.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ff9d97c46f8,0x7ff9d97c4708,0x7ff9d97c4718

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,12348383609083617245,16616896535550618584,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,12348383609083617245,16616896535550618584,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,12348383609083617245,16616896535550618584,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2804 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,12348383609083617245,16616896535550618584,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,12348383609083617245,16616896535550618584,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,12348383609083617245,16616896535550618584,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5240 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,12348383609083617245,16616896535550618584,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5240 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,12348383609083617245,16616896535550618584,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5228 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,12348383609083617245,16616896535550618584,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4808 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,12348383609083617245,16616896535550618584,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4148 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,12348383609083617245,16616896535550618584,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5616 /prefetch:1

Network

Country Destination Domain Proto
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 cdnjs.cloudflare.com udp
US 104.17.24.14:443 cdnjs.cloudflare.com tcp
US 8.8.8.8:53 expandingdelegation.top udp
US 8.8.8.8:53 14.24.17.104.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 edge.microsoft.com udp
US 204.79.197.239:443 edge.microsoft.com tcp
US 8.8.8.8:53 239.197.79.204.in-addr.arpa udp

Files

C:\$Recycle.Bin\cbBbW_Entschluesselungs_Anleitung.html

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\cbBbW_Entschluesselungs_Anleitung.html

\??\pipe\LOCAL\crashpad_3192_JEPYESDVERHZNVAG

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

C:\Users\Admin\Desktop\cbBbW_Entschluesselungs_Anleitung.html

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

memory/3552-11568-0x0000000000400000-0x0000000000471000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
