Malware Analysis Report

2024-10-18 21:59

Sample ID 241012-24kfws1anq
Target 41364427dee49bf544dcff61a6899b3b7e59852435e4107931e294079a42de7c.zip
SHA256 c4a53b32522a07a31d23ee634fc468979901aff9089773dca021fc10c2443d17
Tags: ordinypt defense_evasion discovery execution impact ransomware spyware stealer trojan wiper
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: c4a53b32522a07a31d23ee634fc468979901aff9089773dca021fc10c2443d17

Threat Level: Known bad

The file 41364427dee49bf544dcff61a6899b3b7e59852435e4107931e294079a42de7c.zip was found to be: Known bad.

Malicious Activity Summary

Tags: ordinypt defense_evasion discovery execution impact ransomware spyware stealer trojan wiper

Ordinypt

Renames multiple (206) files with added filename extension

Deletes shadow copies

Renames multiple (149) files with added filename extension

Drops file in Drivers directory

Reads user/profile data of web browsers

Checks computer location settings

Drops startup file

Enumerates connected drives

Suspicious use of SetThreadContext

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Browser Information Discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Interacts with shadow copies

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Uses Volume Shadow Copy service COM API

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Modifies Internet Explorer settings

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

Enumerates system info in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-10-12 23:08

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-10-12 23:08

Reported: 2024-10-12 23:10

Platform: win7-20241010-en

Max time kernel: 144s

Max time network: 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe"

Signatures

Ordinypt

wiper trojan ordinypt

Deletes shadow copies

ransomware defense_evasion impact execution

Renames multiple (206) files with added filename extension

ransomware

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\drivers\es-ES\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\it-IT\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\SysWOW64\drivers\UMDF\fr-FR\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\de-DE\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\en-US\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\UMDF\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\ja-JP\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\UMDF\fr-FR\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\SysWOW64\drivers\en-US\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\SysWOW64\drivers\UMDF\it-IT\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\SysWOW64\drivers\es-ES\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\SysWOW64\drivers\fr-FR\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\SysWOW64\drivers\UMDF\de-DE\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\SysWOW64\drivers\UMDF\es-ES\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\UMDF\en-US\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\UMDF\it-IT\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\SysWOW64\drivers\it-IT\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\SysWOW64\drivers\ja-JP\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\fr-FR\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\UMDF\de-DE\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\SysWOW64\drivers\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\UMDF\es-ES\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\UMDF\ja-JP\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\SysWOW64\drivers\de-DE\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\SysWOW64\drivers\UMDF\en-US\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\SysWOW64\drivers\UMDF\ja-JP\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\SysWOW64\drivers\UMDF\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\System32\DriverStore\FileRepository\mdmcom1.inf_amd64_neutral_96c22c683482d8bd\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\msdri.inf_amd64_neutral_86bb50f34c49ae71\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\SysWOW64\es-ES\Licenses\OEM\HomePremium\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\SysWOW64\fr-FR\Licenses\OEM\StarterE\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\SysWOW64\ja-JP\Licenses\eval\HomePremium\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File opened for modification C:\Windows\SysWOW64\NetworkList\Icons\StockIcons\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\wvmbushid.inf_amd64_neutral_6708ad28050a6765\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\SysWOW64\ja-JP\Licenses\eval\StarterN\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\SysWOW64\migration\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\prnep00d.inf_amd64_neutral_dd61103f3a2743d4\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\SysWOW64\en-US\Licenses\eval\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\prnky006.inf_amd64_neutral_522043c34551b0c0\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\wiahp001.inf_amd64_neutral_aee49cdf3b352e58\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\SysWOW64\es-ES\Licenses\eval\Enterprise\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File opened for modification C:\Windows\SysWOW64\Recovery\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\prnkm003.inf_amd64_neutral_48652cda3bb15180\Amd64\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\prnky304.inf_amd64_ja-jp_1b1a158086a263a4\Amd64\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\SysWOW64\fr-FR\Licenses\eval\Enterprise\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File opened for modification C:\Windows\SysWOW64\InstallShield\setupdir\0012\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_neutral_ea1c8215e52777a6\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\mdmnis3t.inf_amd64_neutral_857ff0fa9c73850a\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\prnky008.inf_amd64_neutral_9f6abc54cbf095f2\Amd64\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\SysWOW64\ja-JP\Licenses\OEM\EnterpriseE\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\prnbr002.inf_amd64_neutral_db1d8c9efda9b3c0\Amd64\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\prnhp004.inf_amd64_neutral_53f688945cfc24cc\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\wvmbusvideo.inf_amd64_neutral_8f9a8242d3699a44\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\SysWOW64\ja-JP\Licenses\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\SysWOW64\manifeststore\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\SysWOW64\migwiz\it-IT\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\SysWOW64\sysprep\it-IT\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File opened for modification C:\Windows\SysWOW64\wbem\de-DE\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDiagnostics\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\mdmdyna.inf_amd64_neutral_7e4d690d07ee94c1\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\prnnr003.inf_amd64_neutral_c07c33bfb5764bdb\Amd64\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File opened for modification C:\Windows\SysWOW64\IME\imekr8\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File opened for modification C:\Windows\SysWOW64\InstallShield\setupdir\0003\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\prnbr005.inf_amd64_neutral_9e4cc05e0d4bcb33\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\sti.inf_amd64_neutral_9d9a7113099a28a2\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\SysWOW64\es-ES\Licenses\OEM\HomeBasic\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\SysWOW64\migwiz\dlmanifests\Microsoft-Windows-NDIS\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\SysWOW64\sv-SE\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\System32\catroot\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\prncs302.inf_amd64_ja-jp_96eca15be06b1482\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\SysWOW64\es-ES\Licenses\eval\Professional\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\SysWOW64\es-ES\Licenses\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\SysWOW64\InstallShield\setupdir\0804\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File opened for modification C:\Windows\SysWOW64\migwiz\fr-FR\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\prnbr00a.inf_amd64_neutral_e7f3f91e6832ef5c\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\prnky009.inf_amd64_neutral_8e54c9ff272b72f1\Amd64\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\SysWOW64\de-DE\Licenses\_Default\HomeBasicE\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\prnkm004.inf_amd64_neutral_d2aee42dc9c393ea\Amd64\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\prnlx00a.inf_amd64_neutral_a89d2c01c0f43dfd\Amd64\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\SysWOW64\InstallShield\setupdir\0006\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\prnbr009.inf_amd64_neutral_fd2ac5b9c40bd465\Amd64\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File opened for modification C:\Windows\SysWOW64\Printing_Admin_Scripts\es-ES\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File opened for modification C:\Windows\SysWOW64\Speech\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\SysWOW64\it-IT\Licenses\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\SysWOW64\migwiz\dlmanifests\Microsoft-Windows-Sxs\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\SysWOW64\sr-Latn-CS\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\SysWOW64\wbem\AutoRecover\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File opened for modification C:\Windows\SysWOW64\com\ja-JP\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2236 set thread context of 2876 N/A C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Common Files\Microsoft Shared\ink\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files\Microsoft Games\More Games\es-ES\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files (x86)\Windows Media Player\es-ES\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\images\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\css\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files\Windows Journal\Templates\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\OFFICE14\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files\Java\jre7\lib\deploy\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Desert\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BREEZE\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files (x86)\Common Files\System\de-DE\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files (x86)\Internet Explorer\es-ES\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\meta\art\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\stream_filter\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Slate\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files\Microsoft Games\Minesweeper\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files\Java\jre7\bin\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SoftBlue\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\an\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\js\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\intf\modules\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files (x86)\Windows Mail\ja-JP\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files (x86)\Windows Photo Viewer\en-US\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\TextConv\fr-FR\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\js\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\ta\LC_MESSAGES\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files (x86)\Common Files\System\en-US\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Swirl\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\fur\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\lv\LC_MESSAGES\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\js\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Europe\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\3082\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Word.en-us\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files (x86)\Internet Explorer\fr-FR\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\ink\ja-JP\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\en-US\css\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files\DVD Maker\de-DE\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\cgg\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files\Microsoft Games\More Games\fr-FR\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\js\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\on_desktop\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMV12\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\winsxs\amd64_prnlx00e.inf.resources_31bf3856ad364e35_6.1.7600.16385_it-it_bafd7c73980994bc\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-c..entsnapin.resources_31bf3856ad364e35_6.1.7600.16385_en-us_771a64735072457b\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-s..structure.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_cda61b2255168f12\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-w..smenttool.resources_31bf3856ad364e35_6.1.7600.16385_es-es_f471431c94847a89\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-p..rgraphing.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_155cc3c1cbf93c62\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_6.1.7601.17514_nl-nl_02354b58460a7e0e\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-help-ics.resources_31bf3856ad364e35_6.1.7600.16385_es-es_bd0edcbcba8e7b7c\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-t..sframework-inputdll_31bf3856ad364e35_6.1.7600.16385_none_b88be45adf067b29\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\winsxs\wow64_microsoft-windows-i..l-keyboard-00020405_31bf3856ad364e35_6.1.7600.16385_none_958e650e9647ceba\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-bluetooth-mtpenum_31bf3856ad364e35_6.1.7600.16385_none_0257f0a5591b237c\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-i..ingconfig.resources_31bf3856ad364e35_6.1.7600.16385_de-de_c1f805b05866fc9c\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-pnputil.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_db256cd2c2cbd9c7\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-winver.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_a5b512695f3a1cc5\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-s..on-wizard-framework_31bf3856ad364e35_6.1.7601.17514_none_b85a4f21afbb528a\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-w..atibility.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_e6badd215da143d5\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\winsxs\x86_microsoft.windows.isolationautomation_6595b64144ccf1df_1.0.0.0_none_35d357a66c38ade4\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-n..on-common.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_42b5e45217c61c4e\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-p..lsservice.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_623fd92274bff992\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\winsxs\amd64_microsoft.windows.isolationautomation_6595b64144ccf1df_1.0.0.0_none_ee2620cf57bc84de\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Web\v4.0_4.0.0.0__31bf3856ad364e35\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\winsxs\msil_wsatconfig.resources_b03f5f7f11d50a3a_6.1.7601.17514_it-it_0730093e89a28b79\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\inf\ASP.NET_4.0.30319\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-s..gement-ui.resources_31bf3856ad364e35_6.1.7601.17514_ja-jp_b21b41e894f6bda2\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\winsxs\amd64_netfx-system.management_b03f5f7f11d50a3a_6.1.7601.17514_none_f6397b438cd5e46b\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-f..libraries.resources_31bf3856ad364e35_6.1.7600.16385_en-us_33bb1a534004f6c6\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-halftone-ui.resources_31bf3856ad364e35_6.1.7600.16385_it-it_9f6efab05dc26e71\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\winsxs\x86_netfx-aspnet_pg_persnlization_sql_b03f5f7f11d50a3a_6.1.7600.16385_none_8cf9aaeb8a316114\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-e..-ehkorime.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_d2786df068703a68\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-i..onal-codepage-20001_31bf3856ad364e35_6.1.7600.16385_none_ad8dff130045ea0a\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-l..omebasice.resources_31bf3856ad364e35_6.1.7600.16385_it-it_3125fd6a3924d681\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-peerdist.resources_31bf3856ad364e35_6.1.7600.16385_es-es_6c850f9f4dfcf38d\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\winsxs\msil_system.resources_b77a5c561934e089_6.1.7601.17514_de-de_3a7bde6078e3bca5\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-i..onal-codepage-21866_31bf3856ad364e35_6.1.7600.16385_none_53e2c911465b0612\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-o..tend-apis.resources_31bf3856ad364e35_6.1.7601.17514_es-es_a1b6f169bb98baa4\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\inf\ServiceModelEndpoint 3.0.0.0\0407\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-e..mmandline.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_33110e0403e89cf9\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-p..structure.resources_31bf3856ad364e35_6.1.7600.16385_es-es_c0dcaa2ad5c24a80\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\winsxs\amd64_wdmaudio.inf.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_89b3674078c70745\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v3.5\1033\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\winsxs\wow64_microsoft-windows-scripting-jscript_31bf3856ad364e35_11.2.9600.16428_none_6f8ba5f740934aae\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\inf\UGatherer\0410\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-l..epremiume.resources_31bf3856ad364e35_6.1.7601.17514_en-us_6b1dc6ae4ec493c3\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-smbserver-netapi_31bf3856ad364e35_6.1.7601.17514_none_9ecc78ac672b15fc\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-w..ywmdmcesp.resources_31bf3856ad364e35_6.1.7600.16385_de-de_f51e69e47ef7fcdc\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\winsxs\amd64_ph6xib64c1.inf_31bf3856ad364e35_6.1.7600.16385_none_9709ad05265f64c5\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\winsxs\amd64_prnkm004.inf_31bf3856ad364e35_6.1.7600.16385_none_50ff82015b97b704\Amd64\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\winsxs\wow64_microsoft-windows-p..-gameratingssystems_31bf3856ad364e35_6.1.7600.16385_none_902ec1113c6f875c\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-a..structure.resources_31bf3856ad364e35_6.1.7600.16385_en-us_e7c4581d14a175d5\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\winsxs\amd64_ds-ui-ext_31bf3856ad364e35_6.1.7601.17514_none_ce73310d1634318a\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-m..-cpxl-dll.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_3be757cf692e1ead\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-p..age-codec.resources_31bf3856ad364e35_7.1.7601.16492_nl-nl_b7ca4d8b5a0ff58b\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\winsxs\amd64_wcf-m_svc_mod_op_perf_c_reg_31bf3856ad364e35_6.1.7600.16385_none_23b47b1a46320a55\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\winsxs\amd64_wpdmtphw.inf.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b8ee4729f5f06e11\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-h..centercpl.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_a57e5782f6542de7\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-w..publicapi.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_009b5909ea47480e\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\winsxs\amd64_wiacn001.inf_31bf3856ad364e35_6.1.7600.16385_none_95eb24d2d4a0a55b\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-m..-mdac-oledb-stub-er_31bf3856ad364e35_6.1.7600.16385_none_f1c5d21ed15c2e4f\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\winsxs\amd64_bthspp.inf.resources_31bf3856ad364e35_6.1.7600.16385_it-it_80e08754bff7abee\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-help-peopcom.resources_31bf3856ad364e35_6.1.7600.16385_it-it_efe5011c037ec344\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-photoviewer.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_4e05625854e407a8\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-c..ltdel-adm.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_ca4960cdaccb2f52\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-h..oup-provsvc-license_31bf3856ad364e35_6.1.7600.16385_none_2d3176f8cdb5be29\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_aa520d2885499112\RUpOV_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\vssadmin.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{28565AE1-88EF-11EF-AA78-72B5DC1A84E6} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2236 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe
PID 2236 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe
PID 2236 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe
PID 2236 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe
PID 2236 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe
PID 2876 wrote to memory of 796 N/A C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2876 wrote to memory of 796 N/A C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2876 wrote to memory of 796 N/A C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2876 wrote to memory of 796 N/A C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2876 wrote to memory of 580 N/A C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe C:\Windows\SysWOW64\cmd.exe
PID 2876 wrote to memory of 580 N/A C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe C:\Windows\SysWOW64\cmd.exe
PID 2876 wrote to memory of 580 N/A C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe C:\Windows\SysWOW64\cmd.exe
PID 2876 wrote to memory of 580 N/A C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe C:\Windows\SysWOW64\cmd.exe
PID 796 wrote to memory of 928 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 796 wrote to memory of 928 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 796 wrote to memory of 928 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 796 wrote to memory of 928 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 580 wrote to memory of 2848 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\vssadmin.exe
PID 580 wrote to memory of 2848 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\vssadmin.exe
PID 580 wrote to memory of 2848 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\vssadmin.exe
PID 580 wrote to memory of 2848 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\vssadmin.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe

"C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe"

C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe

C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RUpOV_Entschluesselungs_Anleitung.html

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:796 CREDAT:275457 /prefetch:2

C:\Windows\SysWOW64\vssadmin.exe

vssadmin.exe delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 cdnjs.cloudflare.com udp
US 104.17.25.14:443 cdnjs.cloudflare.com tcp
US 104.17.25.14:443 cdnjs.cloudflare.com tcp
US 8.8.8.8:53 c.pki.goog udp
US 8.8.8.8:53 c.pki.goog udp
GB 216.58.201.99:80 c.pki.goog tcp
GB 216.58.201.99:80 c.pki.goog tcp
US 8.8.8.8:53 expandingdelegation.top udp

Files

memory/2236-0-0x0000000001CF0000-0x0000000001D23000-memory.dmp

memory/2236-1-0x0000000001D70000-0x0000000001D71000-memory.dmp

memory/2236-2-0x0000000001D70000-0x0000000001D71000-memory.dmp

memory/2236-3-0x0000000001D70000-0x0000000001D71000-memory.dmp

memory/2236-4-0x0000000001D70000-0x0000000001D71000-memory.dmp

memory/2236-5-0x0000000001D70000-0x0000000001D71000-memory.dmp

memory/2236-6-0x0000000001CF0000-0x0000000001D23000-memory.dmp

memory/2236-7-0x0000000001D70000-0x0000000001D71000-memory.dmp

memory/2876-8-0x0000000000230000-0x0000000000231000-memory.dmp

memory/2236-11-0x0000000001CF0000-0x0000000001D23000-memory.dmp

C:\$Recycle.Bin\RUpOV_Entschluesselungs_Anleitung.html

MD5 e460245660c1fe9bddd5b7a36587d22b
SHA1 88c04893a90048e398a654539521ca68339ed82a
SHA256 74677c7aa47090e2c511cf52f24942b52f7ac84aa16ccdd2ef4a43fae03550a7
SHA512 2ac4dd045fc20c0e94e262cad4a14a4c53cf2853ec1d89a491e3b713d8f3004486e23bb0d0c8a66da4b7f4a2c01ccb60c95f0cae1ad83fbc1388a2fd68b3bb22

memory/2876-1182-0x0000000000230000-0x0000000000231000-memory.dmp

memory/2876-1181-0x0000000000400000-0x0000000000471000-memory.dmp

memory/2876-2582-0x0000000000400000-0x0000000000471000-memory.dmp

memory/2876-3837-0x0000000000400000-0x0000000000471000-memory.dmp

memory/2876-5584-0x0000000000400000-0x0000000000471000-memory.dmp

memory/2876-7076-0x0000000000400000-0x0000000000471000-memory.dmp

memory/2876-7734-0x0000000000400000-0x0000000000471000-memory.dmp

memory/2876-7735-0x0000000000400000-0x0000000000471000-memory.dmp

memory/2876-7737-0x0000000000400000-0x0000000000471000-memory.dmp

memory/2876-7738-0x0000000000400000-0x0000000000471000-memory.dmp

C:\Users\Admin\Desktop\RUpOV_Entschluesselungs_Anleitung.html

MD5 63bf958cc80993435ab9d2fda0172f5a
SHA1 f53a79cf8f8fc9244d82666fb7e00eaf6ac8a571
SHA256 8cbc859f2849f8196a7d24d73e8f3cad805800df3c932182fce38c1c10da914e
SHA512 3f098808014d5d2b70a4eae3399f9f8ae99f7194683db476ba8936ac3bb68fbdae32d2700448c9c2cd9bae4b9d44694b5ef9efa58bb546d68023d865278116cd

C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\RUpOV_Entschluesselungs_Anleitung.html

MD5 edfc224acd4257b87d137c309e1dd1b0
SHA1 2fa8f14ad3f6ef2657d9237134fc908e7dfac029
SHA256 0975e705bf2cd448a83fd06dfe2e81bb0accc3f8a7a8888e78c0d8e7e64a4d26
SHA512 28da34bd6438673d74d983221256950b96d645139d0803edd437def0402f786cd42aec52a99182d1ff5602759a54f86a5d3f3daea6a631788963745e4d670001

C:\Users\Admin\AppData\Local\Temp\CabC2F2.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-12 23:08

Reported

2024-10-12 23:10

Platform

win10v2004-20241007-en

Max time kernel

146s

Max time network

137s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe"

Signatures

Ordinypt

wiper trojan ordinypt

Renames multiple (149) files with added filename extension

ransomware

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\drivers\fr-FR\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\SysWOW64\drivers\it-IT\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\SysWOW64\drivers\UMDF\en-US\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\es-ES\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\fr-FR\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\SysWOW64\drivers\de-DE\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\SysWOW64\drivers\uk-UA\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\SysWOW64\drivers\UMDF\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\en-US\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\uk-UA\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\ja-JP\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\UMDF\en-US\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\SysWOW64\drivers\en-US\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\SysWOW64\drivers\es-ES\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\SysWOW64\drivers\ja-JP\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\SysWOW64\drivers\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\de-DE\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\it-IT\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\UMDF\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\System32\DriverStore\FileRepository\mdmgcs.inf_amd64_e47e06e16f2aad12\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\sensorsalsdriver.inf_amd64_a6da30fe583368a4\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\acpi.inf_amd64_605a5cafbbd86f6a\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\SysWOW64\ja-JP\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\wvmic_ext.inf_amd64_34d742f3550dabd2\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\SysWOW64\LogFiles\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File opened for modification C:\Windows\SysWOW64\Tasks\Microsoft\Windows\SyncCenter\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\mdmzoom.inf_amd64_37bf8591584019e1\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\tpmvsc.inf_amd64_9b03a5f041e8d2b2\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AssignedAccess\en-US\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDiagnostics\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File opened for modification C:\Windows\SysWOW64\en-GB\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\MsDtc\de\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.ODataUtils\es-ES\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\ConfigCI\de-DE\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\TrustedPlatformModule\de-DE\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\SysWOW64\Com\dmp\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\SysWOW64\Configuration\Schema\MSFT_FileDirectoryConfiguration\en-US\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\c_dot4print.inf_amd64_33c48c563d7541f7\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\usbstor.inf_amd64_2be0e52237040d42\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\SysWOW64\Printing_Admin_Scripts\de-DE\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File opened for modification C:\Windows\SysWOW64\Licenses\neutral\OEM\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\qd3x64.inf_amd64_fd7b06296b7ac679\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\SysWOW64\en-US\Licenses\OEM\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File opened for modification C:\Windows\SysWOW64\oobe\fr-FR\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\ja\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\NetSecurity\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\TrustedPlatformModule\es-ES\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netax88772.inf_amd64_5d1c92f42d958529\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\SysWOW64\wbem\it-IT\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_WaitForAny\es-ES\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SecureBoot\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_ScriptResource\ja-JP\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\iastorav.inf_amd64_87f761c07c99d5e7\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netelx.inf_amd64_7812e4e45c4a5eb1\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\SysWOW64\networklist\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\ScheduledTasks\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\System32\DriverStore\es-ES\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\de\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File opened for modification C:\Windows\SysWOW64\tr-TR\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PnpDevice\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDiagnostics\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netwew00.inf_amd64_325c0bd6349ed81c\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\SysWOW64\InstallShield\setupdir\0416\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\SysWOW64\ja\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_ProcessResource\it-IT\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\SysWOW64\winrm\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\mdmtron.inf_amd64_0b075e1cb11005f4\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File opened for modification C:\Windows\SysWOW64\de-DE\Licenses\Volume\Professional\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\hidspi_km.inf_amd64_7e53b3972dc4df20\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\SysWOW64\GroupPolicy\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCClassResources\WindowsPackageCab\ja-JP\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\SysWOW64\0409\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\cht4nulx64.inf_amd64_641bf08bee8ac46d\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\MsDtc\de-DE\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCClassResources\WindowsPackageCab\de-DE\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_RegistryResource\ja-JP\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File opened for modification C:\Windows\SysWOW64\wbem\ja-JP\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_WindowsOptionalFeature\en-US\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File opened for modification C:\Windows\SysWOW64\InstallShield\setupdir\0009\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\MsDtc\fr\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\SysWOW64\Configuration\PartialConfigurations\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\SysWOW64\Dism\fr-FR\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4540 set thread context of 4888 N/A C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\eu-es\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\themes\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\audio_mixer\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files\Windows Multimedia Platform\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-125_8wekyb3d8bbwe\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\fi-fi\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\es-es\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files\Microsoft Office\root\Templates\1033\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\he-il\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\ro-ro\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.VCLibs.140.00.UWPDesktop_14.0.27629.0_x64__8wekyb3d8bbwe\AppxMetadata\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\themes\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\uk-ua\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\ko-kr\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\fi-fi\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\VideoFrameExtractor\UserControls\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\fr-ma\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\eu-es\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\de-DE\View3d\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\nb-no\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files (x86)\Common Files\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files (x86)\Google\Update\Install\{9733680C-0D1E-4BD2-A74F-0CCF42A8BF32}\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\Windows\assembly\GAC_MSIL\Microsoft.AnalysisServices.SPClient.Interfaces\13.0.0.0__89845DCD8080CC91\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\en-ae\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\root\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\System\ole db\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\co\LC_MESSAGES\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\cs-cz\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\es-es\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\pt-br\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\pl-pl\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\gu\LC_MESSAGES\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.XboxIdentityProvider_12.50.6001.0_x64__8wekyb3d8bbwe\AppxMetadata\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files (x86)\Windows Photo Viewer\fr-FR\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\nl-nl\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x64\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files\Common Files\System\ado\ja-JP\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\pt-PT\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\accessibilitychecker\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\tr-tr\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_x64__8wekyb3d8bbwe\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\MSIPC\sv\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\LAYERS\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\pt-BR\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\hu-HU\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Work\contrast-black\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\pt-br\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ro-ro\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\sv-se\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\WinSxS\amd64_microsoft-windows-mspaint.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_14da90092648ac37\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-nfcmediaprovider_31bf3856ad364e35_10.0.19041.746_none_74ae51a3408bfa5f\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-securestartup-unlock_31bf3856ad364e35_10.0.19041.746_none_428efbd28b482d1c\r\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-store-licensemanager_31bf3856ad364e35_10.0.19041.173_none_13e0ef71202154fd\r\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-t..e-syncres.resources_31bf3856ad364e35_10.0.19041.1_de-de_2d1d83b662d06ccc\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-webapi_31bf3856ad364e35_10.0.19041.264_none_eb0614689773a644\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.resources\v4.0_4.0.0.0_de_b77a5c561934e089\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-c..ngshellapp.appxmain_31bf3856ad364e35_10.0.19041.746_none_0b4ed891dd9ccbc8\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-dot3ui.resources_31bf3856ad364e35_10.0.19041.1_en-us_1a37f22c089cea5d\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-tapi2xclient_31bf3856ad364e35_10.0.19041.423_none_b0d6f99ed2b9283d\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-wlanradiomanager_31bf3856ad364e35_10.0.19041.746_none_65eb7e0b3fbd73a5\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-services-svchost_31bf3856ad364e35_10.0.19041.546_none_9e094af3987dca57\r\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-s..settingshandlers-nt_31bf3856ad364e35_10.0.19041.1_none_33d79b54f274ec07\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-w..vider-dll.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_3b7d0343b60cb46e\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-t..ices-wmiprovidermof_31bf3856ad364e35_10.0.19041.1_none_fa1d96c2f58f4c30\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-ole-automation_31bf3856ad364e35_10.0.19041.985_none_a521e37e8ecb8aa3\f\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Net.Http.Rtc\v4.0_4.0.0.0__b03f5f7f11d50a3a\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-k..iagnostic.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_a88419ec85306a77\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Network Shortcuts\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-a..ercomtool.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_3055f51cf6f89217\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-a..lprovider.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_da8246a692dc70d6\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-l2na.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_8b0c677534e50dc9\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-s..y-vault-rms-roaming_31bf3856ad364e35_10.0.19041.1_none_5d0c1787b92a3981\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-t..languages.resources_31bf3856ad364e35_10.0.19041.1023_da-dk_81985656bd2d9e84\f\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.We9f24001#\d45411995fcf227e7ae64fc50d491d23\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security.Activities\v4.0_3.0.0.0__31bf3856ad364e35\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\WinSxS\amd64_wvpcivsp.inf.resources_31bf3856ad364e35_10.0.19041.1_de-de_e10368d4b51b5d41\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-l..ker-winrt.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_e304fb8fce6427c1\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-mfreadwrite_31bf3856ad364e35_10.0.19041.746_none_974f32d076d3b2e3\r\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-smbdirect.resources_31bf3856ad364e35_10.0.19041.1_en-us_7bdf089e5a865ac9\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-a..ence-mitigations-c5_31bf3856ad364e35_10.0.19041.1_none_cc6bf127c607199f\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-devicemanagement-iri_31bf3856ad364e35_10.0.19041.546_none_be7a56c8204dda0e\r\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-directshow-devenum_31bf3856ad364e35_10.0.19041.746_none_418ba12ad31b7819\f\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-a..on-authui-component_31bf3856ad364e35_10.0.19041.1_none_92c85869af354084\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-i..ibinaries.resources_31bf3856ad364e35_10.0.19041.1_it-it_39580c3d1f32c14d\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-sensors-universal_31bf3856ad364e35_10.0.19041.264_none_44b32b2c25ed092e\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\WinSxS\x86_microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.6161_none_51cd0a7abbe4e19b\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\WinSxS\amd64_hyperv-integrationservicesext_31bf3856ad364e35_10.0.19041.928_none_6ee83b5c02b8bec4\f\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-media-cap..ternal-broadcastdvr_31bf3856ad364e35_10.0.19041.1288_none_2c3ca3a0cb2dc18e\r\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-i..tiator_ui.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_6135559407242dc4\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-m..confg-rll.resources_31bf3856ad364e35_10.0.19041.1_en-us_bad9de852b9be8ea\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-m..ent-platforminterop_31bf3856ad364e35_10.0.19041.746_none_fa9c05ef68273981\r\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-mdm-wmiv2-dmwmibridge_31bf3856ad364e35_10.0.19041.1202_none_7f60e559b9e25c1f\f\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-ndis.resources_31bf3856ad364e35_10.0.19041.1_de-de_831acdb8a431107d\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_08e61857a83bc251\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-hyper-v-vstack-vsmb.resources_31bf3856ad364e35_10.0.19041.423_en-us_f14a4bbefe65ac87\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-i..r-enduser.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_53637b1f6bf1d279\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\WinSxS\amd64_wordbreakerstemmer-neutral-legacy_31bf3856ad364e35_7.0.19041.1_none_d6d7fd3e89060ba5\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\WinSxS\x86_microsoft-windows-m..-components-jetcore_31bf3856ad364e35_10.0.19041.264_none_8651c0fa4e36e33a\f\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\WinSxS\amd64_hyperv-vpci-rootporterr.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_302ed39f71afea9f\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-p..log.appxmain.deploy_31bf3856ad364e35_10.0.19041.1_none_de39af62649bd6d5\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-windowui_31bf3856ad364e35_10.0.19041.746_none_e54372724264e7c7\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-fde_31bf3856ad364e35_10.0.19041.746_none_9059f094eedb3899\r\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\Migration\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\WinSxS\amd64_dual_ntprint.inf_31bf3856ad364e35_10.0.19041.906_none_c3423ff2a842a4c8\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-themecpl.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_6ec00aca1b2e6c05\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-u..ingflyout.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_376e036ae45b55ed\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-d..tshow-kernelsupport_31bf3856ad364e35_10.0.19041.1_none_a84754326b0a8d07\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\assembly\GAC_64\System.EnterpriseServices\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-d..userdictds-binaries_31bf3856ad364e35_10.0.19041.746_none_d39247d6a6c7d30b\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-s..uphandler.resources_31bf3856ad364e35_10.0.19041.1_es-es_84c4ade0a7a36f8f\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-wof-tasks.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_52372d8330d0d005\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft.security...cyengineapi.interop_31bf3856ad364e35_10.0.19041.1_none_dd8f3a4eb4c8efbd\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-ie-feeds-platform_31bf3856ad364e35_11.0.19041.1_none_541dbcfa790e8aeb\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
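The "File created" rows above and the "Suspicious use of WriteProcessMemory" rows further down this page are the two tables a responder actually has to read, and both are flattened to single space-separated lines whose paths themselves contain spaces. The Python below is an added triage example, not part of the sandbox's report or of the sample's own code: it re-splits rows on the start of each drive-letter path, then answers two questions. First, does one writer create the same file name in many distinct directories, which is the ransom-note drop pattern (cl9Ag_Entschluesselungs_Anleitung.html is German for "decryption instructions")? Second, which process wrote into which other process, with repeated rows collapsed into one edge per PID pair and a heuristic verdict? The row subsets are copied from this page; the browser allow-list, the Temp-path rule, the system-directory list and the directory threshold are assumptions of the example.

```python
"""Triage helpers for the flattened signature rows in a sandbox report.

Constructed subset of rows from this page; columns (Description, Indicator,
Process, Target) are collapsed to single spaces, so a row is re-split on the
start of each drive-letter path instead of on whitespace.
"""
import re
from collections import Counter, defaultdict
from pathlib import PureWindowsPath

# Constructed sample: five "File created" rows copied from the tables above.
FILE_ROWS = [
    r"File created C:\Program Files\VideoLAN\VLC\locale\co\LC_MESSAGES\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A",
    r"File created C:\Program Files (x86)\Windows Photo Viewer\fr-FR\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A",
    r"File created C:\Program Files\Common Files\System\ado\ja-JP\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A",
    r"File created C:\Windows\Migration\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A",
    r"File created C:\Windows\assembly\GAC_64\System.EnterpriseServices\cl9Ag_Entschluesselungs_Anleitung.html C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A",
]
# Constructed sample: WriteProcessMemory rows from the signature further down
# this page (the first pair is deliberately duplicated, as in the report).
WPM_ROWS = [
    r"PID 4540 wrote to memory of 4888 N/A C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe",
    r"PID 4540 wrote to memory of 4888 N/A C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe",
    r"PID 4888 wrote to memory of 3764 N/A C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
    r"PID 4888 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe C:\Windows\SysWOW64\cmd.exe",
    r"PID 3764 wrote to memory of 4116 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
]

_PATH_START = re.compile(r"(?=[A-Za-z]:\\)")   # zero-width: split right before "C:\"
_PID_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")
BROWSER_BROKERS = {"msedge.exe", "chrome.exe"}  # assumption: allow-list of sandbox brokers
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")  # assumption


def split_row(row):
    """Return (description, [paths]) for one flattened row; drops a trailing N/A."""
    parts = [p.strip() for p in _PATH_START.split(row)]
    desc, paths = parts[0], parts[1:]
    if paths and paths[-1].endswith(" N/A"):
        paths[-1] = paths[-1][:-4]
    return desc, paths


def note_drop_candidates(rows, min_dirs=3):
    """Ransom-note pattern: one writer creating the same file name in many
    distinct directories.  Returns {(writer, file name): sorted directories}."""
    dirs = defaultdict(set)
    for row in rows:
        desc, paths = split_row(row)
        if desc != "File created" or len(paths) != 2:
            continue
        created, writer = PureWindowsPath(paths[0]), paths[1]
        dirs[(writer, created.name)].add(str(created.parent))
    return {k: sorted(v) for k, v in dirs.items() if len(v) >= min_dirs}


def classify_edge(src_img, dst_img):
    """Heuristic verdict for one process -> process memory write."""
    src, dst = PureWindowsPath(src_img), PureWindowsPath(dst_img)
    same_image = src.name.lower() == dst.name.lower()
    if same_image and src.name.lower() in BROWSER_BROKERS:
        return "expected"     # Chromium broker bootstrapping its own sandboxed child
    if "\\appdata\\local\\temp\\" in src_img.lower():
        return "suspicious"   # dropper running from Temp writing into another process
    if same_image or dst_img.lower().startswith(SYSTEM_DIRS):
        return "suspicious"   # self-copy (hollowing candidate) or system binary target
    return "review"


def injection_edges(rows):
    """Collapse repeated rows into one edge per (src pid, dst pid) with a count."""
    counts, images = Counter(), {}
    for row in rows:
        desc, paths = split_row(row)
        m = _PID_RE.match(desc)
        if not m or len(paths) != 2:
            continue
        key = (int(m.group(1)), int(m.group(2)))
        counts[key] += 1
        images[key] = (paths[0], paths[1])
    return [{"src": s, "dst": d, "src_img": images[(s, d)][0], "dst_img": images[(s, d)][1],
             "writes": n, "verdict": classify_edge(*images[(s, d)])}
            for (s, d), n in sorted(counts.items())]


def print_chain(edges, root, depth=0):
    """Print the write graph as an indented tree starting at root pid."""
    for e in (e for e in edges if e["src"] == root):
        print("  " * depth + f"{e['src']} -> {e['dst']} {PureWindowsPath(e['dst_img']).name} "
              f"x{e['writes']} [{e['verdict']}]")
        print_chain(edges, e["dst"], depth + 1)


if __name__ == "__main__":
    for (writer, name), dirs in note_drop_candidates(FILE_ROWS).items():
        print(f"{PureWindowsPath(writer).name} dropped {name} into {len(dirs)} directories")
    print_chain(injection_edges(WPM_ROWS), root=4540)
```

On the full tables the note-drop check fires on the single file name written under both Program Files and Windows, and the write graph collapses to 4540 -> 4888 (the dropper writing into a second copy of itself), 4888 -> cmd.exe and 4888 -> msedge.exe, and then msedge.exe -> msedge.exe. The first edge is the one to chase: a same-image write from an unsigned binary in Temp is the shape of process hollowing or self-injection and should be correlated with thread-context changes on the same child. The msedge.exe -> msedge.exe edges make up most of the rows but are what a Chromium broker does when it sets up its own sandboxed children, which is why the example allow-lists them; in production that allow-list should be replaced with an image-signature check, since a hollowed msedge.exe writing into another msedge.exe would otherwise pass as "expected".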

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4540 wrote to memory of 4888 N/A C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe
PID 4540 wrote to memory of 4888 N/A C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe
PID 4540 wrote to memory of 4888 N/A C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe
PID 4540 wrote to memory of 4888 N/A C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe
PID 4888 wrote to memory of 3764 N/A C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4888 wrote to memory of 3764 N/A C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3764 wrote to memory of 3488 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3764 wrote to memory of 3488 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4888 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe C:\Windows\SysWOW64\cmd.exe
PID 4888 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe C:\Windows\SysWOW64\cmd.exe
PID 4888 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe C:\Windows\SysWOW64\cmd.exe
PID 3764 wrote to memory of 4116 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3764 wrote to memory of 4116 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3764 wrote to memory of 4116 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3764 wrote to memory of 4116 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3764 wrote to memory of 4116 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3764 wrote to memory of 4116 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3764 wrote to memory of 4116 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3764 wrote to memory of 4116 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3764 wrote to memory of 4116 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3764 wrote to memory of 4116 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3764 wrote to memory of 4116 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3764 wrote to memory of 4116 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3764 wrote to memory of 4116 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3764 wrote to memory of 1932 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3764 wrote to memory of 3052 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe

"C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe"

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv

C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe

C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\cl9Ag_Entschluesselungs_Anleitung.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdcf8a46f8,0x7ffdcf8a4708,0x7ffdcf8a4718

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,2642653641180154911,15230665546904685413,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,2642653641180154911,15230665546904685413,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,2642653641180154911,15230665546904685413,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2832 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,2642653641180154911,15230665546904685413,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,2642653641180154911,15230665546904685413,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,2642653641180154911,15230665546904685413,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5216 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,2642653641180154911,15230665546904685413,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5216 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,2642653641180154911,15230665546904685413,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4808 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,2642653641180154911,15230665546904685413,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4804 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,2642653641180154911,15230665546904685413,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,2642653641180154911,15230665546904685413,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 cdnjs.cloudflare.com udp
US 104.17.24.14:443 cdnjs.cloudflare.com tcp
US 8.8.8.8:53 a.nel.cloudflare.com udp
US 8.8.8.8:53 expandingdelegation.top udp
US 35.190.80.1:443 a.nel.cloudflare.com tcp
US 35.190.80.1:443 a.nel.cloudflare.com udp
US 8.8.8.8:53 14.24.17.104.in-addr.arpa udp
US 8.8.8.8:53 1.80.190.35.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 5.173.189.20.in-addr.arpa udp

Files

C:\$Recycle.Bin\cl9Ag_Entschluesselungs_Anleitung.html

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\cl9Ag_Entschluesselungs_Anleitung.html

\??\pipe\LOCAL\crashpad_3764_IWYDJBCWKEXMNSBW

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

C:\Users\Admin\Desktop\cl9Ag_Entschluesselungs_Anleitung.html

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences