Analysis
max time kernel: 146s
max time network: 137s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-10-2024 23:08
Static task: static1
Behavioral task: behavioral1
Sample: Bewerbung-Lena-Kretschmer.exe
Resource: win7-20241010-en
General
Target: Bewerbung-Lena-Kretschmer.exe
Size: 908KB
MD5: 36ccd442755d482900b57188ae3a89a7
SHA1: 8cd96603cdd2637cf5469aba8ed2b149c35ef699
SHA256: 41364427dee49bf544dcff61a6899b3b7e59852435e4107931e294079a42de7c
SHA512: 0fcfc29a042342ccbf2529ac116e79698314778459d9dad2ca947b3eab2a7dec3d3622ce351b95909f88791c6d57a9943174ee352f13db246c706c9df1f57e9a
SSDEEP: 24576:jRi7/DwOpfmVEyMrUnla/PJJF3NagKGPHpZkxCcI1rC1yOh:NiXJpfmVEXgnlKj9aMICcorC1yOh
Malware Config
Signatures
Renames multiple (149) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
Drops file in Drivers directory 20 IoCs
Processes: Bewerbung-Lena-Kretschmer.exe
description | ioc | process
File created | C:\Windows\SysWOW64\drivers\fr-FR\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Windows\SysWOW64\drivers\it-IT\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Windows\SysWOW64\drivers\UMDF\en-US\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File opened for modification | C:\Windows\SysWOW64\drivers\es-ES\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File opened for modification | C:\Windows\SysWOW64\drivers\fr-FR\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Windows\SysWOW64\drivers\de-DE\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Windows\SysWOW64\drivers\uk-UA\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Windows\SysWOW64\drivers\UMDF\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File opened for modification | C:\Windows\SysWOW64\drivers\en-US\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File opened for modification | C:\Windows\SysWOW64\drivers\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File opened for modification | C:\Windows\SysWOW64\drivers\uk-UA\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File opened for modification | C:\Windows\SysWOW64\drivers\ja-JP\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File opened for modification | C:\Windows\SysWOW64\drivers\UMDF\en-US\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Windows\SysWOW64\drivers\en-US\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Windows\SysWOW64\drivers\es-ES\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Windows\SysWOW64\drivers\ja-JP\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Windows\SysWOW64\drivers\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File opened for modification | C:\Windows\SysWOW64\drivers\de-DE\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File opened for modification | C:\Windows\SysWOW64\drivers\it-IT\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File opened for modification | C:\Windows\SysWOW64\drivers\UMDF\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: Bewerbung-Lena-Kretschmer.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | Bewerbung-Lena-Kretschmer.exe
Drops startup file 2 IoCs
Processes: Bewerbung-Lena-Kretschmer.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: Bewerbung-Lena-Kretschmer.exe
description | ioc | process
File opened (read-only) | \??\G: | Bewerbung-Lena-Kretschmer.exe
File opened (read-only) | \??\K: | Bewerbung-Lena-Kretschmer.exe
File opened (read-only) | \??\O: | Bewerbung-Lena-Kretschmer.exe
File opened (read-only) | \??\R: | Bewerbung-Lena-Kretschmer.exe
File opened (read-only) | \??\A: | Bewerbung-Lena-Kretschmer.exe
File opened (read-only) | \??\J: | Bewerbung-Lena-Kretschmer.exe
File opened (read-only) | \??\N: | Bewerbung-Lena-Kretschmer.exe
File opened (read-only) | \??\P: | Bewerbung-Lena-Kretschmer.exe
File opened (read-only) | \??\Q: | Bewerbung-Lena-Kretschmer.exe
File opened (read-only) | \??\T: | Bewerbung-Lena-Kretschmer.exe
File opened (read-only) | \??\B: | Bewerbung-Lena-Kretschmer.exe
File opened (read-only) | \??\I: | Bewerbung-Lena-Kretschmer.exe
File opened (read-only) | \??\L: | Bewerbung-Lena-Kretschmer.exe
File opened (read-only) | \??\S: | Bewerbung-Lena-Kretschmer.exe
File opened (read-only) | \??\W: | Bewerbung-Lena-Kretschmer.exe
File opened (read-only) | \??\Y: | Bewerbung-Lena-Kretschmer.exe
File opened (read-only) | \??\Z: | Bewerbung-Lena-Kretschmer.exe
File opened (read-only) | \??\E: | Bewerbung-Lena-Kretschmer.exe
File opened (read-only) | \??\M: | Bewerbung-Lena-Kretschmer.exe
File opened (read-only) | \??\U: | Bewerbung-Lena-Kretschmer.exe
File opened (read-only) | \??\V: | Bewerbung-Lena-Kretschmer.exe
File opened (read-only) | \??\X: | Bewerbung-Lena-Kretschmer.exe
File opened (read-only) | \??\H: | Bewerbung-Lena-Kretschmer.exe
Drops file in System32 directory 64 IoCs
Processes: Bewerbung-Lena-Kretschmer.exe
description | ioc | process
File created | C:\Windows\System32\DriverStore\FileRepository\mdmgcs.inf_amd64_e47e06e16f2aad12\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Windows\System32\DriverStore\FileRepository\sensorsalsdriver.inf_amd64_a6da30fe583368a4\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Windows\System32\DriverStore\FileRepository\acpi.inf_amd64_605a5cafbbd86f6a\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Windows\SysWOW64\ja-JP\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Windows\System32\DriverStore\FileRepository\wvmic_ext.inf_amd64_34d742f3550dabd2\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Windows\SysWOW64\LogFiles\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File opened for modification | C:\Windows\SysWOW64\Tasks\Microsoft\Windows\SyncCenter\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Windows\System32\DriverStore\FileRepository\mdmzoom.inf_amd64_37bf8591584019e1\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Windows\System32\DriverStore\FileRepository\tpmvsc.inf_amd64_9b03a5f041e8d2b2\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AssignedAccess\en-US\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDiagnostics\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File opened for modification | C:\Windows\SysWOW64\en-GB\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\MsDtc\de\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.ODataUtils\es-ES\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\ConfigCI\de-DE\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\TrustedPlatformModule\de-DE\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Windows\SysWOW64\Com\dmp\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Windows\SysWOW64\Configuration\Schema\MSFT_FileDirectoryConfiguration\en-US\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Windows\System32\DriverStore\FileRepository\c_dot4print.inf_amd64_33c48c563d7541f7\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Windows\System32\DriverStore\FileRepository\usbstor.inf_amd64_2be0e52237040d42\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Windows\SysWOW64\Printing_Admin_Scripts\de-DE\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File opened for modification | C:\Windows\SysWOW64\Licenses\neutral\OEM\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Windows\System32\DriverStore\FileRepository\qd3x64.inf_amd64_fd7b06296b7ac679\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Windows\SysWOW64\en-US\Licenses\OEM\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File opened for modification | C:\Windows\SysWOW64\oobe\fr-FR\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\ja\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\NetSecurity\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\TrustedPlatformModule\es-ES\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Windows\System32\DriverStore\FileRepository\netax88772.inf_amd64_5d1c92f42d958529\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Windows\SysWOW64\wbem\it-IT\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_WaitForAny\es-ES\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SecureBoot\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_ScriptResource\ja-JP\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Windows\System32\DriverStore\FileRepository\iastorav.inf_amd64_87f761c07c99d5e7\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Windows\System32\DriverStore\FileRepository\netelx.inf_amd64_7812e4e45c4a5eb1\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Windows\SysWOW64\networklist\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\ScheduledTasks\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Windows\System32\DriverStore\es-ES\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\de\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File opened for modification | C:\Windows\SysWOW64\tr-TR\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PnpDevice\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDiagnostics\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Windows\System32\DriverStore\FileRepository\netwew00.inf_amd64_325c0bd6349ed81c\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Windows\SysWOW64\InstallShield\setupdir\0416\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Windows\SysWOW64\ja\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_ProcessResource\it-IT\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Windows\SysWOW64\winrm\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Windows\System32\DriverStore\FileRepository\mdmtron.inf_amd64_0b075e1cb11005f4\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File opened for modification | C:\Windows\SysWOW64\de-DE\Licenses\Volume\Professional\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Windows\System32\DriverStore\FileRepository\hidspi_km.inf_amd64_7e53b3972dc4df20\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Windows\SysWOW64\GroupPolicy\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCClassResources\WindowsPackageCab\ja-JP\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Windows\SysWOW64\0409\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Windows\System32\DriverStore\FileRepository\cht4nulx64.inf_amd64_641bf08bee8ac46d\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\MsDtc\de-DE\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCClassResources\WindowsPackageCab\de-DE\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_RegistryResource\ja-JP\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File opened for modification | C:\Windows\SysWOW64\wbem\ja-JP\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_WindowsOptionalFeature\en-US\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File opened for modification | C:\Windows\SysWOW64\InstallShield\setupdir\0009\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\MsDtc\fr\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Windows\SysWOW64\Configuration\PartialConfigurations\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Windows\SysWOW64\Dism\fr-FR\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
Suspicious use of SetThreadContext 1 IoCs
Processes: Bewerbung-Lena-Kretschmer.exe
description | pid | process | target process
PID 4540 set thread context of 4888 | 4540 | Bewerbung-Lena-Kretschmer.exe | Bewerbung-Lena-Kretschmer.exe
Drops file in Program Files directory 64 IoCs
Processes: Bewerbung-Lena-Kretschmer.exe
description | ioc | process
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\eu-es\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\themes\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Program Files\VideoLAN\VLC\plugins\audio_mixer\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Program Files\Windows Multimedia Platform\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-125_8wekyb3d8bbwe\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\fi-fi\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\es-es\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Program Files\Microsoft Office\root\Templates\1033\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\he-il\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\ro-ro\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Program Files\WindowsApps\Microsoft.VCLibs.140.00.UWPDesktop_14.0.27629.0_x64__8wekyb3d8bbwe\AppxMetadata\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\themes\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\uk-ua\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\ko-kr\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\fi-fi\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\VideoFrameExtractor\UserControls\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\fr-ma\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\eu-es\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\de-DE\View3d\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\nb-no\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Program Files (x86)\Common Files\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Program Files (x86)\Google\Update\Install\{9733680C-0D1E-4BD2-A74F-0CCF42A8BF32}\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Program Files\Microsoft Office\root\vfs\Windows\assembly\GAC_MSIL\Microsoft.AnalysisServices.SPClient.Interfaces\13.0.0.0__89845DCD8080CC91\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\en-ae\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\root\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\System\ole db\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Program Files\VideoLAN\VLC\locale\co\LC_MESSAGES\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\cs-cz\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\es-es\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\pt-br\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\pl-pl\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Program Files\VideoLAN\VLC\locale\gu\LC_MESSAGES\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Program Files\WindowsApps\Microsoft.XboxIdentityProvider_12.50.6001.0_x64__8wekyb3d8bbwe\AppxMetadata\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Program Files (x86)\Windows Photo Viewer\fr-FR\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\nl-nl\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x64\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Program Files\Common Files\System\ado\ja-JP\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\pt-PT\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\accessibilitychecker\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\tr-tr\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_x64__8wekyb3d8bbwe\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Program Files\Microsoft Office\root\Office16\MSIPC\sv\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\LAYERS\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\pt-BR\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Program Files\Common Files\microsoft shared\ink\hu-HU\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Work\contrast-black\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\pt-br\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ro-ro\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\sv-se\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
Drops file in Windows directory 64 IoCs
Processes: Bewerbung-Lena-Kretschmer.exe
description | ioc | process
File created | C:\Windows\WinSxS\amd64_microsoft-windows-mspaint.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_14da90092648ac37\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Windows\WinSxS\amd64_microsoft-windows-nfcmediaprovider_31bf3856ad364e35_10.0.19041.746_none_74ae51a3408bfa5f\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Windows\WinSxS\amd64_microsoft-windows-securestartup-unlock_31bf3856ad364e35_10.0.19041.746_none_428efbd28b482d1c\r\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Windows\WinSxS\amd64_microsoft-windows-store-licensemanager_31bf3856ad364e35_10.0.19041.173_none_13e0ef71202154fd\r\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Windows\WinSxS\amd64_microsoft-windows-t..e-syncres.resources_31bf3856ad364e35_10.0.19041.1_de-de_2d1d83b662d06ccc\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Windows\WinSxS\amd64_microsoft-windows-webapi_31bf3856ad364e35_10.0.19041.264_none_eb0614689773a644\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.resources\v4.0_4.0.0.0_de_b77a5c561934e089\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Windows\WinSxS\amd64_microsoft-windows-c..ngshellapp.appxmain_31bf3856ad364e35_10.0.19041.746_none_0b4ed891dd9ccbc8\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Windows\WinSxS\wow64_microsoft-windows-dot3ui.resources_31bf3856ad364e35_10.0.19041.1_en-us_1a37f22c089cea5d\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Windows\WinSxS\wow64_microsoft-windows-tapi2xclient_31bf3856ad364e35_10.0.19041.423_none_b0d6f99ed2b9283d\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Windows\WinSxS\amd64_microsoft-windows-wlanradiomanager_31bf3856ad364e35_10.0.19041.746_none_65eb7e0b3fbd73a5\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Windows\WinSxS\wow64_microsoft-windows-services-svchost_31bf3856ad364e35_10.0.19041.546_none_9e094af3987dca57\r\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Windows\WinSxS\amd64_microsoft-windows-s..settingshandlers-nt_31bf3856ad364e35_10.0.19041.1_none_33d79b54f274ec07\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Windows\WinSxS\amd64_microsoft-windows-w..vider-dll.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_3b7d0343b60cb46e\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Windows\WinSxS\amd64_microsoft-windows-t..ices-wmiprovidermof_31bf3856ad364e35_10.0.19041.1_none_fa1d96c2f58f4c30\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Windows\WinSxS\wow64_microsoft-windows-ole-automation_31bf3856ad364e35_10.0.19041.985_none_a521e37e8ecb8aa3\f\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Net.Http.Rtc\v4.0_4.0.0.0__b03f5f7f11d50a3a\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Windows\WinSxS\amd64_microsoft-windows-k..iagnostic.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_a88419ec85306a77\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Network Shortcuts\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Windows\WinSxS\amd64_microsoft-windows-a..ercomtool.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_3055f51cf6f89217\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Windows\WinSxS\amd64_microsoft-windows-a..lprovider.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_da8246a692dc70d6\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Windows\WinSxS\amd64_microsoft-windows-l2na.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_8b0c677534e50dc9\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Windows\WinSxS\amd64_microsoft-windows-s..y-vault-rms-roaming_31bf3856ad364e35_10.0.19041.1_none_5d0c1787b92a3981\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Windows\WinSxS\amd64_microsoft-windows-t..languages.resources_31bf3856ad364e35_10.0.19041.1023_da-dk_81985656bd2d9e84\f\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.We9f24001#\d45411995fcf227e7ae64fc50d491d23\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security.Activities\v4.0_3.0.0.0__31bf3856ad364e35\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Windows\WinSxS\amd64_wvpcivsp.inf.resources_31bf3856ad364e35_10.0.19041.1_de-de_e10368d4b51b5d41\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Windows\WinSxS\amd64_microsoft-windows-l..ker-winrt.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_e304fb8fce6427c1\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Windows\WinSxS\amd64_microsoft-windows-mfreadwrite_31bf3856ad364e35_10.0.19041.746_none_974f32d076d3b2e3\r\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Windows\WinSxS\amd64_microsoft-windows-smbdirect.resources_31bf3856ad364e35_10.0.19041.1_en-us_7bdf089e5a865ac9\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Windows\WinSxS\wow64_microsoft-windows-a..ence-mitigations-c5_31bf3856ad364e35_10.0.19041.1_none_cc6bf127c607199f\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Windows\WinSxS\wow64_microsoft-windows-devicemanagement-iri_31bf3856ad364e35_10.0.19041.546_none_be7a56c8204dda0e\r\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Windows\WinSxS\wow64_microsoft-windows-directshow-devenum_31bf3856ad364e35_10.0.19041.746_none_418ba12ad31b7819\f\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Windows\WinSxS\amd64_microsoft-windows-a..on-authui-component_31bf3856ad364e35_10.0.19041.1_none_92c85869af354084\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Windows\WinSxS\amd64_microsoft-windows-i..ibinaries.resources_31bf3856ad364e35_10.0.19041.1_it-it_39580c3d1f32c14d\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Windows\WinSxS\wow64_microsoft-windows-sensors-universal_31bf3856ad364e35_10.0.19041.264_none_44b32b2c25ed092e\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Windows\WinSxS\x86_microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.6161_none_51cd0a7abbe4e19b\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Windows\WinSxS\amd64_hyperv-integrationservicesext_31bf3856ad364e35_10.0.19041.928_none_6ee83b5c02b8bec4\f\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Windows\WinSxS\amd64_microsoft-media-cap..ternal-broadcastdvr_31bf3856ad364e35_10.0.19041.1288_none_2c3ca3a0cb2dc18e\r\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Windows\WinSxS\amd64_microsoft-windows-i..tiator_ui.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_6135559407242dc4\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Windows\WinSxS\amd64_microsoft-windows-m..confg-rll.resources_31bf3856ad364e35_10.0.19041.1_en-us_bad9de852b9be8ea\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Windows\WinSxS\amd64_microsoft-windows-m..ent-platforminterop_31bf3856ad364e35_10.0.19041.746_none_fa9c05ef68273981\r\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Windows\WinSxS\amd64_microsoft-windows-mdm-wmiv2-dmwmibridge_31bf3856ad364e35_10.0.19041.1202_none_7f60e559b9e25c1f\f\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Windows\WinSxS\amd64_microsoft-windows-ndis.resources_31bf3856ad364e35_10.0.19041.1_de-de_831acdb8a431107d\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_08e61857a83bc251\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Windows\WinSxS\amd64_microsoft-hyper-v-vstack-vsmb.resources_31bf3856ad364e35_10.0.19041.423_en-us_f14a4bbefe65ac87\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Windows\WinSxS\amd64_microsoft-windows-i..r-enduser.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_53637b1f6bf1d279\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Windows\WinSxS\amd64_wordbreakerstemmer-neutral-legacy_31bf3856ad364e35_7.0.19041.1_none_d6d7fd3e89060ba5\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Windows\WinSxS\x86_microsoft-windows-m..-components-jetcore_31bf3856ad364e35_10.0.19041.264_none_8651c0fa4e36e33a\f\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created | C:\Windows\WinSxS\amd64_hyperv-vpci-rootporterr.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_302ed39f71afea9f\cl9Ag_Entschluesselungs_Anleitung.html | Bewerbung-Lena-Kretschmer.exe
File created
C:\Windows\WinSxS\amd64_microsoft-windows-p..log.appxmain.deploy_31bf3856ad364e35_10.0.19041.1_none_de39af62649bd6d5\cl9Ag_Entschluesselungs_Anleitung.html Bewerbung-Lena-Kretschmer.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-windowui_31bf3856ad364e35_10.0.19041.746_none_e54372724264e7c7\cl9Ag_Entschluesselungs_Anleitung.html Bewerbung-Lena-Kretschmer.exe File created C:\Windows\WinSxS\wow64_microsoft-windows-fde_31bf3856ad364e35_10.0.19041.746_none_9059f094eedb3899\r\cl9Ag_Entschluesselungs_Anleitung.html Bewerbung-Lena-Kretschmer.exe File created C:\Windows\Migration\cl9Ag_Entschluesselungs_Anleitung.html Bewerbung-Lena-Kretschmer.exe File created C:\Windows\WinSxS\amd64_dual_ntprint.inf_31bf3856ad364e35_10.0.19041.906_none_c3423ff2a842a4c8\cl9Ag_Entschluesselungs_Anleitung.html Bewerbung-Lena-Kretschmer.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-themecpl.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_6ec00aca1b2e6c05\cl9Ag_Entschluesselungs_Anleitung.html Bewerbung-Lena-Kretschmer.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-u..ingflyout.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_376e036ae45b55ed\cl9Ag_Entschluesselungs_Anleitung.html Bewerbung-Lena-Kretschmer.exe File created C:\Windows\WinSxS\wow64_microsoft-windows-d..tshow-kernelsupport_31bf3856ad364e35_10.0.19041.1_none_a84754326b0a8d07\cl9Ag_Entschluesselungs_Anleitung.html Bewerbung-Lena-Kretschmer.exe File created C:\Windows\assembly\GAC_64\System.EnterpriseServices\cl9Ag_Entschluesselungs_Anleitung.html Bewerbung-Lena-Kretschmer.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-d..userdictds-binaries_31bf3856ad364e35_10.0.19041.746_none_d39247d6a6c7d30b\cl9Ag_Entschluesselungs_Anleitung.html Bewerbung-Lena-Kretschmer.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-s..uphandler.resources_31bf3856ad364e35_10.0.19041.1_es-es_84c4ade0a7a36f8f\cl9Ag_Entschluesselungs_Anleitung.html Bewerbung-Lena-Kretschmer.exe File created 
C:\Windows\WinSxS\amd64_microsoft-windows-wof-tasks.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_52372d8330d0d005\cl9Ag_Entschluesselungs_Anleitung.html Bewerbung-Lena-Kretschmer.exe File created C:\Windows\WinSxS\amd64_microsoft.security...cyengineapi.interop_31bf3856ad364e35_10.0.19041.1_none_dd8f3a4eb4c8efbd\cl9Ag_Entschluesselungs_Anleitung.html Bewerbung-Lena-Kretschmer.exe File created C:\Windows\WinSxS\wow64_microsoft-windows-ie-feeds-platform_31bf3856ad364e35_11.0.19041.1_none_541dbcfa790e8aeb\cl9Ag_Entschluesselungs_Anleitung.html Bewerbung-Lena-Kretschmer.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: Bewerbung-Lena-Kretschmer.exe, Bewerbung-Lena-Kretschmer.exe, cmd.exe
description ioc process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bewerbung-Lena-Kretschmer.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bewerbung-Lena-Kretschmer.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes: msedge.exe
description ioc process
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe
-
Suspicious behavior: EnumeratesProcesses 30 IoCs
Processes: Bewerbung-Lena-Kretschmer.exe, msedge.exe, msedge.exe, identity_helper.exe
pid process
4888 Bewerbung-Lena-Kretschmer.exe (24 entries)
1932 msedge.exe (2 entries)
3764 msedge.exe (2 entries)
4328 identity_helper.exe (2 entries)
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
Processes: msedge.exe
pid process
3764 msedge.exe (6 entries)
-
Suspicious use of FindShellTrayWindow 25 IoCs
Processes: msedge.exe
pid process
3764 msedge.exe (25 entries)
-
Suspicious use of SendNotifyMessage 24 IoCs
Processes: msedge.exe
pid process
3764 msedge.exe (24 entries)
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes: Bewerbung-Lena-Kretschmer.exe, Bewerbung-Lena-Kretschmer.exe, msedge.exe
description pid process target process
PID 4540 wrote to memory of 4888 4540 Bewerbung-Lena-Kretschmer.exe Bewerbung-Lena-Kretschmer.exe (4 entries)
PID 4888 wrote to memory of 3764 4888 Bewerbung-Lena-Kretschmer.exe msedge.exe (2 entries)
PID 3764 wrote to memory of 3488 3764 msedge.exe msedge.exe (2 entries)
PID 4888 wrote to memory of 2148 4888 Bewerbung-Lena-Kretschmer.exe cmd.exe (3 entries)
PID 3764 wrote to memory of 4116 3764 msedge.exe msedge.exe (40 entries)
PID 3764 wrote to memory of 1932 3764 msedge.exe msedge.exe (2 entries)
PID 3764 wrote to memory of 3052 3764 msedge.exe msedge.exe (11 entries)
Processes
-
C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe"
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 4540
-
C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe (depth 2)
Command line: C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe
- Drops file in Drivers directory
- Checks computer location settings
- Drops startup file
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 4888
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 3)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\cl9Ag_Entschluesselungs_Anleitung.html
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID: 3764
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 4)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdcf8a46f8,0x7ffdcf8a4708,0x7ffdcf8a4718
PID: 3488
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 4)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,2642653641180154911,15230665546904685413,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2
PID: 4116
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 4)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,2642653641180154911,15230665546904685413,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 /prefetch:3
- Suspicious behavior: EnumeratesProcesses
PID: 1932
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 4)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,2642653641180154911,15230665546904685413,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2832 /prefetch:8
PID: 3052
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 4)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,2642653641180154911,15230665546904685413,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
PID: 900
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 4)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,2642653641180154911,15230665546904685413,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
PID: 4304
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (depth 4)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,2642653641180154911,15230665546904685413,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5216 /prefetch:8
PID: 4752
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (depth 4)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,2642653641180154911,15230665546904685413,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5216 /prefetch:8
- Suspicious behavior: EnumeratesProcesses
PID: 4328
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 4)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,2642653641180154911,15230665546904685413,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4808 /prefetch:1
PID: 4928
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 4)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,2642653641180154911,15230665546904685413,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4804 /prefetch:1
PID: 3680
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 4)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,2642653641180154911,15230665546904685413,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:1
PID: 1568
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 4)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,2642653641180154911,15230665546904685413,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:1
PID: 4772
-
C:\Windows\SysWOW64\cmd.exe (depth 3)
Command line: "C:\Windows\System32\cmd.exe" /k vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
- System Location Discovery: System Language Discovery
PID: 2148
-
C:\Windows\System32\svchost.exe (depth 1)
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID: 2968
-
C:\Windows\System32\CompPkgSrv.exe (depth 1)
Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
PID: 3812
-
C:\Windows\System32\CompPkgSrv.exe (depth 1)
Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
PID: 816
Network
MITRE ATT&CK Enterprise v15
Credential Access
- Credentials from Password Stores (1)
- Credentials from Web Browsers (1)
- Unsecured Credentials (1)
- Credentials In Files (1)
Downloads
-
Filesize 18KB
MD5 cabdb21aff5066a1353485844afba3d3
SHA1 b4d5a5655681a4c50821b885c52a5f764ff3bcd6
SHA256 608f02d7fbc2b972ae43ff98a6b304da07ee2730f7a35f762f4559ce2ed86eb8
SHA512 e4619d1967a71d0d2b84ad4b4813c087c62e494b4115cb17be6d6311bfafdf6260332e77be3c78ca39fbbfee603650355aad86e0cbce93c1b281b156bfcd4e60
-
Filesize 152B
MD5 d22073dea53e79d9b824f27ac5e9813e
SHA1 6d8a7281241248431a1571e6ddc55798b01fa961
SHA256 86713962c3bb287964678b148ee08ea83fb83483dff8be91c8a6085ca560b2a6
SHA512 97152091ee24b6e713b8ec8123cb62511f8a7e8a6c6c3f2f6727d0a60497be28814613b476009b853575d4931e5df950e28a41afbf6707cb672206f1219c4413
-
Filesize 152B
MD5 bffcefacce25cd03f3d5c9446ddb903d
SHA1 8923f84aa86db316d2f5c122fe3874bbe26f3bab
SHA256 23e7cbbf64c81122c3cb30a0933c10a320e254447771737a326ce37a0694d405
SHA512 761dae5315b35ec0b2fe68019881397f5d2eadba3963aba79a89f8953a0cd705012d7faf3a204a5f36008926b9f614980e333351596b06ce7058d744345ce2e7
-
Filesize 6KB
MD5 ec87b8fa5834c98bcb81bee7aa24ac7a
SHA1 da41092fbc173ed237a08fdcb14fc54228468868
SHA256 9ba368270625b43d9b66d9ac394a32b8f94cf7b625274c4315a9586dfa5da8b3
SHA512 6162de7abb1cea674633a32ba0785ec902b0e905a6ec3972249a94afe4352dea1b5b6dbd4ee63f0df4750d0950727c82c31ddabc7bc495d20ed071e7b3a31091
-
Filesize 6KB
MD5 5920a310f5b80a3ca08dca4f863bbf8f
SHA1 b2acd0dc2cb23cf7761b30b3e65096c318754056
SHA256 afb932fa09a63cec3772ef5a8ce8cacc7425967745b0fc7517518606219a1422
SHA512 864682831bbe947c3784e6d6db1031c3582513dfcd36d6049e018e09317c28037a0f3f7cf1edf28909a5326acf2a9a3ca845a39d5e178ed75df4992806efddd4
-
Filesize 16B
MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize 10KB
MD5 4450a495cbee0dd47cf81b64588df070
SHA1 f7df0309d932be6a75d91dc0f34f7389b0ea5223
SHA256 b8dcb310a8553714f996e32a62e7203467fcc4480bcc48989c7143c2b6876975
SHA512 8d73d327d46ff82d1e29d1902e58e8ffbfafc823062d5046b93f5d68f812108ac87d1e3f95507c5f990f85c9aad30624fbd0aad9038d83fbd84f7f61aabbdd88
-
C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\cl9Ag_Entschluesselungs_Anleitung.html
Filesize 18KB
MD5 598910232bc10e019827051a2798ced9
SHA1 da9a4658aa4b39b8ae091750bade1c9cbf6d887b
SHA256 8fe144c2d0182de044f085612975b8e48f2a79e63de7b2d92105130cd3715fc1
SHA512 c02136fc956bfa915642b0972f22dfad6e80e0e978d9bd5333a006e6c3bad46bad2608dc6fa9c9448bdb1a69411279fcbbc97b200eb2aef0177cb37fee933ef7
-
Filesize 18KB
MD5 fb7b3608f910649629362cdc51784981
SHA1 18c80b9e43ebfd06c5958187b58cea4c4d9be713
SHA256 0fa52f051d25d48b16074c78af04a706ca7859a0c488cd68d340afe22e6d9627
SHA512 13ac9e497830344f35574ce862ee82251b584cb332943d8204e5365a9c584fac4b840c6291eed5e686060ac8ccf30ead2affcdbc1e20275409e99e71176e4b42
-
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e