Windows Analysis Report
01730499.exe

Overview

General Information

Sample Name: 01730499.exe
Analysis ID: 884706
MD5: c6a2fb56239614924e2ab3341b1fbba5
SHA1: bdd2ecf290406b8a09eb01016c7658a283c407c3
SHA256: 92ad1b7965d65bfef751cf6e4e8ad4837699165626e25131409d4134f031a497

Detection

Mimikatz, XdataCrypt
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected XdataCrypt Ransomware
Yara detected Mimikatz
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Detected unpacking (creates a PE file in dynamic memory)
Writes to foreign memory regions
Contains functionality to dump credential hashes (LSA Dump)
Uses bcdedit to modify the Windows boot settings
Machine Learning detection for sample
Allocates memory in foreign processes
May encrypt documents and pictures (Ransomware)
Contains functionality to inject code into remote processes
Writes many files with high entropy
Deletes itself after installation
Machine Learning detection for dropped file
Creates a thread in another existing process (thread injection)
Contains functionality to inject threads in other processes
Uses 32bit PE files
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Too many similar processes found
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Enables security privileges
Contains functionality to query network adapter information
Creates a process in suspended mode (likely to inject code)

Classification

Classification chart (categories: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; scale: clean / suspicious / malicious)
  • System is w10x64
  • 01730499.exe (PID: 6420 cmdline: C:\Users\user\Desktop\01730499.exe MD5: C6A2FB56239614924E2AB3341B1FBBA5)
    • mssecsvc.exe (PID: 6472 cmdline: C:\Users\user\AppData\Roaming\mssecsvc.exe MD5: A0A7022CAA8BD8761D6722FE3172C0AF)
      • cmd.exe (PID: 5536 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\72A3.tmp.bat" " MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 5504 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • timeout.exe (PID: 6696 cmdline: timeout /T 10 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
        • cmd.exe (PID: 7088 cmdline: C:\Windows\system32\cmd.exe /c bcdedit MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • cmd.exe (PID: 7068 cmdline: C:\Windows\system32\cmd.exe /c wevtutil.exe el MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • wevtutil.exe (PID: 6820 cmdline: wevtutil.exe el MD5: 27C3944EC1E3CAD62641ECBCEB107EE9)
        • wevtutil.exe (PID: 6816 cmdline: wevtutil.exe cl "AMSI/Operational" MD5: 27C3944EC1E3CAD62641ECBCEB107EE9)
        • wevtutil.exe (PID: 1640 cmdline: wevtutil.exe cl "AirSpaceChannel" MD5: 27C3944EC1E3CAD62641ECBCEB107EE9)
        • wevtutil.exe (PID: 7024 cmdline: wevtutil.exe cl "Analytic" MD5: 27C3944EC1E3CAD62641ECBCEB107EE9)
        • wevtutil.exe (PID: 7104 cmdline: wevtutil.exe cl "Application" MD5: 27C3944EC1E3CAD62641ECBCEB107EE9)
        • wevtutil.exe (PID: 7164 cmdline: wevtutil.exe cl "DebugChannel" MD5: 27C3944EC1E3CAD62641ECBCEB107EE9)
        • wevtutil.exe (PID: 5328 cmdline: wevtutil.exe cl "DirectShowFilterGraph" MD5: 27C3944EC1E3CAD62641ECBCEB107EE9)
        • wevtutil.exe (PID: 6476 cmdline: wevtutil.exe cl "DirectShowPluginControl" MD5: 27C3944EC1E3CAD62641ECBCEB107EE9)
        • wevtutil.exe (PID: 920 cmdline: wevtutil.exe cl "Els_Hyphenation/Analytic" MD5: 27C3944EC1E3CAD62641ECBCEB107EE9)
        • wevtutil.exe (PID: 3772 cmdline: wevtutil.exe cl "EndpointMapper" MD5: 27C3944EC1E3CAD62641ECBCEB107EE9)
        • wevtutil.exe (PID: 4140 cmdline: wevtutil.exe cl "FirstUXPerf-Analytic" MD5: 27C3944EC1E3CAD62641ECBCEB107EE9)
        • wevtutil.exe (PID: 4664 cmdline: wevtutil.exe cl "ForwardedEvents" MD5: 27C3944EC1E3CAD62641ECBCEB107EE9)
        • wevtutil.exe (PID: 4996 cmdline: wevtutil.exe cl "General Logging" MD5: 27C3944EC1E3CAD62641ECBCEB107EE9)
        • wevtutil.exe (PID: 4684 cmdline: wevtutil.exe cl "HardwareEvents" MD5: 27C3944EC1E3CAD62641ECBCEB107EE9)
        • wevtutil.exe (PID: 5288 cmdline: wevtutil.exe cl "IHM_DebugChannel" MD5: 27C3944EC1E3CAD62641ECBCEB107EE9)
        • wevtutil.exe (PID: 5480 cmdline: wevtutil.exe cl "Intel-iaLPSS-GPIO/Analytic" MD5: 27C3944EC1E3CAD62641ECBCEB107EE9)
        • wevtutil.exe (PID: 204 cmdline: wevtutil.exe cl "Intel-iaLPSS-I2C/Analytic" MD5: 27C3944EC1E3CAD62641ECBCEB107EE9)
        • wevtutil.exe (PID: 5624 cmdline: wevtutil.exe cl "Intel-iaLPSS2-GPIO2/Debug" MD5: 27C3944EC1E3CAD62641ECBCEB107EE9)
        • wevtutil.exe (PID: 5648 cmdline: wevtutil.exe cl "Intel-iaLPSS2-GPIO2/Performance" MD5: 27C3944EC1E3CAD62641ECBCEB107EE9)
        • wevtutil.exe (PID: 2772 cmdline: wevtutil.exe cl "Intel-iaLPSS2-I2C/Debug" MD5: 27C3944EC1E3CAD62641ECBCEB107EE9)
        • wevtutil.exe (PID: 272 cmdline: wevtutil.exe cl "Intel-iaLPSS2-I2C/Performance" MD5: 27C3944EC1E3CAD62641ECBCEB107EE9)
        • wevtutil.exe (PID: 6752 cmdline: wevtutil.exe cl "Internet Explorer" MD5: 27C3944EC1E3CAD62641ECBCEB107EE9)
        • wevtutil.exe (PID: 6904 cmdline: wevtutil.exe cl "Key Management Service" MD5: 27C3944EC1E3CAD62641ECBCEB107EE9)
        • wevtutil.exe (PID: 6888 cmdline: wevtutil.exe cl "MF_MediaFoundationDeviceProxy" MD5: 27C3944EC1E3CAD62641ECBCEB107EE9)
        • wevtutil.exe (PID: 6900 cmdline: wevtutil.exe cl "MedaFoundationVideoProc" MD5: 27C3944EC1E3CAD62641ECBCEB107EE9)
        • wevtutil.exe (PID: 6952 cmdline: wevtutil.exe cl "MedaFoundationVideoProcD3D" MD5: 27C3944EC1E3CAD62641ECBCEB107EE9)
        • wevtutil.exe (PID: 4076 cmdline: wevtutil.exe cl "MediaFoundationAsyncWrapper" MD5: 27C3944EC1E3CAD62641ECBCEB107EE9)
        • wevtutil.exe (PID: 4052 cmdline: wevtutil.exe cl "MediaFoundationContentProtection" MD5: 27C3944EC1E3CAD62641ECBCEB107EE9)
        • wevtutil.exe (PID: 2812 cmdline: wevtutil.exe cl "MediaFoundationDS" MD5: 27C3944EC1E3CAD62641ECBCEB107EE9)
        • wevtutil.exe (PID: 868 cmdline: wevtutil.exe cl "MediaFoundationDeviceProxy" MD5: 27C3944EC1E3CAD62641ECBCEB107EE9)
        • wevtutil.exe (PID: 4120 cmdline: wevtutil.exe cl "MediaFoundationMediaEngine" MD5: 27C3944EC1E3CAD62641ECBCEB107EE9)
        • wevtutil.exe (PID: 2256 cmdline: wevtutil.exe cl "MediaFoundationPerformance" MD5: 27C3944EC1E3CAD62641ECBCEB107EE9)
    • 003cea9a.exe (PID: 5340 cmdline: C:\Users\user\AppData\Roaming\003cea9a.exe MD5: A49C9B9DA9D7F686AB7D8A696DDAE3F0)
    • notepad.exe (PID: 5684 cmdline: C:\Windows\system32\notepad.exe MD5: D693F13FE3AA2010B854C4C60671B8E2)
  • cleanup
Name: MimiKatz
Description: Varonis summarizes Mimikatz as an open-source application that allows users to view and save authentication credentials like Kerberos tickets. Benjamin Delpy continues to lead Mimikatz developments, so the toolset works with the current release of Windows and includes the most up-to-date attacks. Attackers commonly use Mimikatz to steal credentials and escalate privileges: in most cases, endpoint protection software and anti-virus systems will detect and delete it. Conversely, pentesters use Mimikatz to detect and exploit vulnerabilities in your networks so you can fix them.
Attribution:
  • APT32
  • Anunak
  • GALLIUM
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.mimikatz
No configs have been found
Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Roaming\003cea9a.exe | LimaCharlie | unknown | Novetta Threat Research & Interdiction Group - trig@novetta.com
  • 0x126c:$x64: 48 8B 4B 70 48 89 8B 60 01 00 00 48 89 83 68 01 00 00 48 85 C0 75 35 F6 43 56 01 74

Source | Rule | Description | Author | Strings
00000002.00000002.403408739.0000000180022000.00000004.00001000.00020000.00000000.sdmp | mimikatz | mimikatz | Benjamin DELPY (gentilkiwi)
  • 0xab0:$exe_x64_1: 33 FF 41 89 37 4C 8B F3 45 85 C0 74
  • 0xac0:$exe_x64_1: 33 FF 45 89 37 48 8B F3 45 85 C9 74
  • 0xa70:$exe_x64_2: 4C 8B DF 49 C1 E3 04 48 8B CB 4C 03 D8
00000002.00000002.403478675.00000226A3A5E000.00000004.00000020.00020000.00000000.sdmp | mimikatz | mimikatz | Benjamin DELPY (gentilkiwi)
  • 0x24f70:$exe_x64_1: 33 FF 41 89 37 4C 8B F3 45 85 C0 74
  • 0x24f80:$exe_x64_1: 33 FF 45 89 37 48 8B F3 45 85 C9 74
  • 0x24f30:$exe_x64_2: 4C 8B DF 49 C1 E3 04 48 8B CB 4C 03 D8
00000002.00000002.403478675.00000226A3A5E000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Mimikatz_2 | Yara detected Mimikatz | Joe Security
Process Memory Space: mssecsvc.exe PID: 6472 | JoeSecurity_XdataCrypt | Yara detected XdataCrypt Ransomware | Joe Security

Source | Rule | Description | Author | Strings
2.2.003cea9a.exe.226a3a614c0.1.unpack | Mimikatz_Gen_Strings | Detects Mimikatz by using some special strings | Florian Roth (Nextron Systems)
  • 0x15aa8:$s5: Ask debug privilege
2.2.003cea9a.exe.226a3a614c0.1.unpack | mimikatz | mimikatz | Benjamin DELPY (gentilkiwi)
  • 0x20cb0:$exe_x64_1: 33 FF 41 89 37 4C 8B F3 45 85 C0 74
  • 0x20cc0:$exe_x64_1: 33 FF 45 89 37 48 8B F3 45 85 C9 74
  • 0x20c70:$exe_x64_2: 4C 8B DF 49 C1 E3 04 48 8B CB 4C 03 D8
2.2.003cea9a.exe.226a3a614c0.1.unpack | JoeSecurity_Mimikatz_2 | Yara detected Mimikatz | Joe Security
2.0.003cea9a.exe.7ff6214c0000.0.unpack | LimaCharlie | unknown | Novetta Threat Research & Interdiction Group - trig@novetta.com
  • 0x126c:$x64: 48 8B 4B 70 48 89 8B 60 01 00 00 48 89 83 68 01 00 00 48 85 C0 75 35 F6 43 56 01 74
2.2.003cea9a.exe.226a3a614c0.1.raw.unpack | Mimikatz_Gen_Strings | Detects Mimikatz by using some special strings | Florian Roth (Nextron Systems)
  • 0x166a8:$s5: Ask debug privilege
(8 further entries not shown)
No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: 01730499.exe | ReversingLabs: Detection: 91%
Source: 01730499.exe | Virustotal: Detection: 88%
Source: C:\Users\user\AppData\Roaming\003cea9a.exe | Avira: detection malicious, Label: HEUR/AGEN.1318781
Source: C:\Users\user\AppData\Roaming\003cea9a.exe | ReversingLabs: Detection: 75%
Source: C:\Users\user\AppData\Roaming\003cea9a.exe | Virustotal: Detection: 77%
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | ReversingLabs: Detection: 94%
Source: 01730499.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\003cea9a.exe | Joe Sandbox ML: detected

Compliance

Source: C:\Users\user\AppData\Roaming\003cea9a.exe | Unpacked PE file: 2.2.003cea9a.exe.180000000.0.unpack
Source: 01730499.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 40.126.32.69:443 -> 192.168.2.5:49695 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 2.20.178.115:443 -> 192.168.2.5:49699 version: TLS 1.2
Source: 01730499.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\01730499.exe | Code function: 0_2_0131EC0F FindFirstFileExW,
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | Code function: 1_2_00D78650 FindFirstFileW,FindNextFileW,FindClose,
Source: C:\Users\user\AppData\Roaming\003cea9a.exe | Code function: 2_2_00007FF6214C8DFC FindFirstFileExW,
Source: C:\Users\user\AppData\Roaming\003cea9a.exe | Code function: 2_2_000000018000ED00 FindFirstFileExA,
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | Code function: 1_2_00D79550 GetLogicalDriveStringsW,GetLogicalDriveStringsW,
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Vault\
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Templates\Normal.dotm
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Word\
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Templates\
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Users\user\AppData\Roaming\003cea9a.exe | Code function: 4x nop then mov eax, dword ptr [rsp+20h] (5 entries)
Source: C:\Users\user\AppData\Roaming\003cea9a.exe | Code function: 4x nop then xor eax, eax
Source: C:\Users\user\AppData\Roaming\003cea9a.exe | Code function: 4x nop then mov eax, FFFFFFFEh
Source: global traffic | HTTP traffic detected:
  POST /RST2.srf HTTP/1.0
  Connection: Keep-Alive
  Content-Type: application/soap+xml
  Accept: */*
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 18.10.0.17134.0.0; IDCRL-cfg 16.000.29340.5; App svchost.exe, 10.0.17134.1, {DF60E2DF-88AD-4526-AE21-83D130EF0F68})
  Content-Length: 3592
  Host: login.live.com
Source: global traffic | HTTP traffic detected: POST /RST2.srf HTTP/1.0 with the same headers as above, Content-Length: 4751
Source: global traffic | HTTP traffic detected: POST /RST2.srf HTTP/1.0 with the same headers as above, Content-Length: 4805
Source: global traffic | HTTP traffic detected:
  GET /AS/API/WindowsCortanaPane/V2/Init HTTP/1.1
  X-Search-CortanaAvailableCapabilities: CortanaExperience,SpeechLanguage
  X-Search-SafeSearch: Moderate
  X-PositionerType: Desktop
  X-Device-MachineId: {A2AB526A-D38D-4FC9-8BA0-E34B8D6354E8}
  X-UserAgeClass: Unknown
  X-BM-Market: US
  X-BM-DateFormat: M/d/yyyy
  X-CortanaAccessAboveLock: false
  X-Device-OSSKU: 48
  X-BM-DTZ: -420
  X-BM-FirstEnabledTime: 132061340710069592
  X-DeviceID: 0100748C0900F045
  X-BM-DeviceScale: 100
  X-Search-TimeZone: Bias=480; DaylightBias=-60; TimeZoneKeyName=Pacific Standard Time
  X-BM-Theme: 000000;0078d7
  X-BM-DeviceDimensionsLogical: 344x640
  X-Agent-DeviceId: 0100748C0900F045
  X-BM-DeviceDimensions: 344x640
  X-BM-CBT: 1686325889
  X-Device-isOptin: true
  Accept-language: en-US, en
  X-Device-Touch: false
  X-Device-ClientSession: A96DEC63A7804D869BF9489F27801AF0
  X-Search-AppId: Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUI
  X-BM-ClientFeatures: pbitcpdisabled,AmbientWidescreen,rs1musicprod,CortanaSPAXamlHeader
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.10.7.17134; 10.0.0.0.17134.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Upgrade-Insecure-Requests: 1
  Accept-Encoding: gzip, deflate, br
  Host: www.bing.com
  Connection: Keep-Alive
  Cookie: MUID=0BA1234E3B2140EBA8746E9F98F8CAA3
Source: global traffic | HTTP traffic detected:
  GET /manifest/threshold.appcache HTTP/1.1
  Accept: */*
  Referer: https://www.bing.com/AS/API/WindowsCortanaPane/V2/Init
  Origin: https://www.bing.com
  Accept-Encoding: gzip, deflate, br
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.10.7.17134; 10.0.0.0.17134.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134
  Host: www.bing.com
  Connection: Keep-Alive
  Cookie: MUID=0BA1234E3B2140EBA8746E9F98F8CAA3; SUID=M; _EDGE_S=SID=2ECDD983C1BA697E118ECAA8C0A468E7; SRCHD=AF=NOFORM; SRCHUID=V=2&GUID=E30A9DA0321F461E89EC92B73BD90599&dmnchg=1; SRCHUSR=DOB=20230609; SRCHHPGUSR=SRCHLANG=en; _SS=SID=2ECDD983C1BA697E118ECAA8C0A468E7&CPID=1686325893146&AC=1&CPH=4ef661f2; MUIDB=0BA1234E3B2140EBA8746E9F98F8CAA3
Source: unknown | Network traffic detected: HTTP traffic on port 49698 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49689
Source: unknown | Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49698
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49697
Source: unknown | Network traffic detected: HTTP traffic on port 49695 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49695
Source: unknown | Network traffic detected: HTTP traffic on port 49697 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49691
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49690
Source: unknown | Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49682 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49680 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49681 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49701
Source: global traffic | HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Content-Length: 20
  Content-Type: text/html; charset=utf-8
  Cache-Control: private
  X-EventID: 6482cbf4898f415dba3a5ffec3b1cee1
  UserAgentReductionOptOut: A7kgTC5xdZ2WIVGZEfb1hUoNuvjzOZX3VIV/BA6C18kQOOF50Q0D3oWoAm49k3BQImkujKILc7JmPysWk3CSjwUAAACMeyJvcmlnaW4iOiJodHRwczovL3d3dy5iaW5nLmNvbTo0NDMiLCJmZWF0dXJlIjoiU2VuZEZ1bGxVc2VyQWdlbnRBZnRlclJlZHVjdGlvbiIsImV4cGlyeSI6MTY4NDg4NjM5OSwiaXNTdWJkb21haW4iOnRydWUsImlzVGhpcmRQYXJ0eSI6dHJ1ZX0=
  X-XSS-Protection: 0
  P3P: CP="NON UNI COM NAV STA LOC CURa DEVa PSAa PSDa OUR IND"
  X-Error-Page: 404-custom
  Date: Fri, 09 Jun 2023 06:51:32 GMT
  Connection: close
  Set-Cookie: SUID=M; domain=.bing.com; expires=Fri, 09-Jun-2023 18:51:32 GMT; path=/; HttpOnly
  Set-Cookie: MUIDB=0BA1234E3B2140EBA8746E9F98F8CAA3; expires=Wed, 03-Jul-2024 06:51:32 GMT; path=/; HttpOnly
  Set-Cookie: _EDGE_S=SID=2ECDD983C1BA697E118ECAA8C0A468E7; domain=.bing.com; path=/; HttpOnly
  Set-Cookie: SRCHD=AF=NOFORM; domain=.bing.com; expires=Wed, 03-Jul-2024 06:51:32 GMT; path=/
  Set-Cookie: SRCHUID=V=2&GUID=E30A9DA0321F461E89EC92B73BD90599&dmnchg=1; domain=.bing.com; expires=Wed, 03-Jul-2024 06:51:32 GMT; path=/
  Set-Cookie: SRCHUSR=DOB=20230609; domain=.bing.com; expires=Wed, 03-Jul-2024 06:51:32 GMT; path=/
  Set-Cookie: SRCHHPGUSR=SRCHLANG=en; domain=.bing.com; expires=Wed, 03-Jul-2024 06:51:32 GMT; path=/
  Set-Cookie: _SS=SID=2ECDD983C1BA697E118ECAA8C0A468E7; domain=.bing.com; path=/
  Alt-Svc: h3=":443"; ma=93600
  X-CDN-TraceID: 0.6fb21402.1686293491.20d38f9
  Server-Timing: ak_p; desc="1686293491011_34910831_34420985_26817_2871_199_402_-";dur=1
Source: unknown | TCP traffic detected without corresponding DNS query: 40.126.32.69 (34 entries)
Source: unknown | TCP traffic detected without corresponding DNS query: 2.20.178.115 (16 entries)
Source: unknown | HTTP traffic detected:
  POST /RST2.srf HTTP/1.0
  Connection: Keep-Alive
  Content-Type: application/soap+xml
  Accept: */*
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 18.10.0.17134.0.0; IDCRL-cfg 16.000.29340.5; App svchost.exe, 10.0.17134.1, {DF60E2DF-88AD-4526-AE21-83D130EF0F68})
  Content-Length: 3592
  Host: login.live.com
Source: unknown | HTTPS traffic detected: 40.126.32.69:443 -> 192.168.2.5:49695 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 2.20.178.115:443 -> 192.168.2.5:49699 version: TLS 1.2
Source: 01730499.exe, 00000000.00000002.404826278.0000000000FBA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Spam, unwanted Advertisements and Ransom Demands

Source: Yara match | File source: Process Memory Space: mssecsvc.exe PID: 6472, type: MEMORYSTR
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\public\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\public\videos\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\public\pictures\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\public\music\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\public\libraries\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\public\downloads\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\public\documents\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\public\desktop\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\public\accountpictures\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\default\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\default\videos\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\default\saved games\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\default\pictures\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\default\music\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\default\links\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\default\favorites\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\default\downloads\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\default\documents\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\default\desktop\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\default\appdata\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\default\appdata\roaming\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\default\appdata\roaming\microsoft\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\default\appdata\roaming\microsoft\internet explorer\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\default\appdata\roaming\microsoft\internet explorer\quick launch\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\default\appdata\local\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\default\appdata\local\microsoft\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\default\appdata\local\microsoft\windows sidebar\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\default\appdata\local\microsoft\windows sidebar\gadgets\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\default\appdata\local\microsoft\inputpersonalization\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\default\appdata\local\microsoft\inputpersonalization\traineddatastore\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\videos\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\searches\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\saved games\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\recent\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\pictures\how_can_i_decrypt_my_files.txt
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\pictures\camera roll\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\onedrive\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\music\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\links\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\favorites\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\favorites\links\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\downloads\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\documents\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\documents\wshejmdvqc\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\documents\unkrlcvohv\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\documents\snipgpprep\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\documents\qcoiloqikc\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\documents\outlook files\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\documents\nymmpceima\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\documents\nirmekamzh\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\documents\jddhmpcduj\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\documents\izmfbfkmeb\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\documents\gltydmdust\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\contacts\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\roaming\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\roaming\microsoft\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\roaming\microsoft\word\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\roaming\microsoft\vault\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\roaming\microsoft\templates\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\roaming\microsoft\templates\livecontent\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\roaming\microsoft\templates\livecontent\16\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\roaming\microsoft\templates\livecontent\16\managed\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\roaming\microsoft\templates\livecontent\16\managed\word document building blocks\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\roaming\microsoft\templates\livecontent\16\managed\word document building blocks\1033\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\roaming\microsoft\templates\livecontent\16\managed\word document bibliography styles\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\roaming\microsoft\templates\livecontent\16\managed\smartart graphics\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\roaming\microsoft\templates\livecontent\16\managed\smartart graphics\1033\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\roaming\microsoft\templates\livecontent\16\managed\document themes\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\roaming\microsoft\templates\livecontent\16\managed\document themes\1033\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\roaming\microsoft\systemcertificates\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\roaming\microsoft\systemcertificates\my\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\roaming\microsoft\systemcertificates\my\ctls\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\roaming\microsoft\systemcertificates\my\crls\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\roaming\microsoft\systemcertificates\my\certificates\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\roaming\microsoft\spelling\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\roaming\microsoft\spelling\en-us\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\roaming\microsoft\speech\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\roaming\microsoft\protect\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\roaming\microsoft\protect\s-1-5-21-3853321935-2125563209-4053062332-1002\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\roaming\microsoft\outlook\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\roaming\microsoft\office\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\roaming\microsoft\office\recent\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\roaming\microsoft\network\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\roaming\microsoft\network\connections\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\roaming\microsoft\network\connections\pbk\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\roaming\microsoft\network\connections\pbk\_hiddenpbk\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\roaming\microsoft\internet explorer\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\roaming\microsoft\internet explorer\userdata\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\roaming\microsoft\internet explorer\userdata\low\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\roaming\microsoft\internet explorer\quick launch\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\roaming\microsoft\internet explorer\quick launch\user pinned\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\roaming\microsoft\internet explorer\quick launch\user pinned\taskbar\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\roaming\microsoft\internet explorer\quick launch\user pinned\implicitappshortcuts\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\roaming\microsoft\excel\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\roaming\microsoft\excel\xlstart\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\roaming\microsoft\document building blocks\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\roaming\microsoft\document building blocks\1033\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\roaming\microsoft\document building blocks\1033\16\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\roaming\microsoft\credentials\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\roaming\microsoft\bibliography\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\roaming\microsoft\bibliography\style\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\roaming\microsoft\addins\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\roaming\adobe\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\roaming\adobe\logtransport2\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\roaming\adobe\linguistics\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\roaming\adobe\headlights\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\roaming\adobe\flash player\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\roaming\adobe\flash player\nativecache\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\roaming\adobe\acrobat\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\roaming\adobe\acrobat\dc\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\roaming\adobe\acrobat\dc\security\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\roaming\adobe\acrobat\dc\security\crlcache\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\roaming\adobe\acrobat\dc\jscache\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\roaming\adobe\acrobat\dc\forms\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\roaming\adobe\acrobat\dc\collab\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\locallow\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\locallow\microsoft\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\locallow\microsoft\internet explorer\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\locallow\microsoft\internet explorer\services\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\locallow\microsoft\internet explorer\emieuserlist\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\locallow\microsoft\internet explorer\emiesitelist\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\locallow\microsoft\internet explorer\domstore\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\locallow\microsoft\internet explorer\domstore\zd1iy8m6\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\locallow\microsoft\internet explorer\domstore\eu2ujfg0\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\locallow\microsoft\internet explorer\domstore\4ddqnycn\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\locallow\microsoft\internet explorer\domstore\2zcpp068\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\locallow\microsoft\cryptneturlcache\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\locallow\microsoft\cryptneturlcache\metadata\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\locallow\microsoft\cryptneturlcache\content\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\locallow\adobe\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\locallow\adobe\linguistics\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\locallow\adobe\acrocef\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\locallow\adobe\acrocef\dc\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\locallow\adobe\acrocef\dc\acrobat\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\locallow\adobe\acrocef\dc\acrobat\cookie\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\locallow\adobe\acrobat\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\locallow\adobe\acrobat\dc\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\locallow\adobe\acrobat\dc\reader\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\locallow\adobe\acrobat\dc\reader\desktopnotification\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\locallow\adobe\acrobat\dc\reader\desktopnotification\notificationsdb\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\locallow\adobe\acrobat\dc\assets\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\virtualstore\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\publishers\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\publishers\8wekyb3d8bbwe\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\publishers\8wekyb3d8bbwe\settingscontainer\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\publishers\8wekyb3d8bbwe\microsoft.windowsalarms\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\publishers\8wekyb3d8bbwe\licenses\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\publishers\8wekyb3d8bbwe\fonts\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\peerdistrepub\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\windows_ie_ac_001\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\windows_ie_ac_001\ac\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\windows_ie_ac_001\ac\inethistory\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\windows_ie_ac_001\ac\inetcookies\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\windows_ie_ac_001\ac\inetcache\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\windows.printdialog_cw5n1h2txyewy\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\windows.printdialog_cw5n1h2txyewy\tempstate\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\windows.printdialog_cw5n1h2txyewy\systemappdata\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\windows.printdialog_cw5n1h2txyewy\settings\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\windows.printdialog_cw5n1h2txyewy\roamingstate\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\windows.printdialog_cw5n1h2txyewy\localstate\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\windows.printdialog_cw5n1h2txyewy\localcache\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\windows.printdialog_cw5n1h2txyewy\appdata\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\windows.printdialog_cw5n1h2txyewy\ac\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\windows.immersivecontrolpanel_cw5n1h2txyewy\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\windows.immersivecontrolpanel_cw5n1h2txyewy\tempstate\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\windows.immersivecontrolpanel_cw5n1h2txyewy\systemappdata\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\windows.immersivecontrolpanel_cw5n1h2txyewy\settings\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\windows.immersivecontrolpanel_cw5n1h2txyewy\roamingstate\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\windows.immersivecontrolpanel_cw5n1h2txyewy\localstate\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\windows.immersivecontrolpanel_cw5n1h2txyewy\localcache\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\windows.immersivecontrolpanel_cw5n1h2txyewy\appdata\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\windows.immersivecontrolpanel_cw5n1h2txyewy\ac\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\windows.cbspreview_cw5n1h2txyewy\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\windows.cbspreview_cw5n1h2txyewy\tempstate\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\windows.cbspreview_cw5n1h2txyewy\systemappdata\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\windows.cbspreview_cw5n1h2txyewy\settings\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\windows.cbspreview_cw5n1h2txyewy\roamingstate\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\windows.cbspreview_cw5n1h2txyewy\localstate\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\windows.cbspreview_cw5n1h2txyewy\localcache\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\windows.cbspreview_cw5n1h2txyewy\appdata\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\windows.cbspreview_cw5n1h2txyewy\ac\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\windows.cbspreview_cw5n1h2txyewy\ac\inethistory\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\windows.cbspreview_cw5n1h2txyewy\ac\inetcookies\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\windows.cbspreview_cw5n1h2txyewy\ac\inetcache\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\microsoft.zunevideo_8wekyb3d8bbwe\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\microsoft.zunevideo_8wekyb3d8bbwe\tempstate\how_can_i_decrypt_my_files.txtJump to behavior
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.zunevideo_8wekyb3d8bbwe\systemappdata\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.zunevideo_8wekyb3d8bbwe\settings\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.zunevideo_8wekyb3d8bbwe\roamingstate\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.zunevideo_8wekyb3d8bbwe\localstate\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.zunevideo_8wekyb3d8bbwe\localcache\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.zunevideo_8wekyb3d8bbwe\appdata\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.zunevideo_8wekyb3d8bbwe\ac\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.zunevideo_8wekyb3d8bbwe\ac\inethistory\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.zunevideo_8wekyb3d8bbwe\ac\inetcookies\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.zunevideo_8wekyb3d8bbwe\ac\inetcache\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.zunemusic_8wekyb3d8bbwe\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.zunemusic_8wekyb3d8bbwe\tempstate\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.zunemusic_8wekyb3d8bbwe\systemappdata\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.zunemusic_8wekyb3d8bbwe\settings\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.zunemusic_8wekyb3d8bbwe\roamingstate\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.zunemusic_8wekyb3d8bbwe\localstate\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.zunemusic_8wekyb3d8bbwe\localcache\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.zunemusic_8wekyb3d8bbwe\appdata\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.zunemusic_8wekyb3d8bbwe\ac\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.zunemusic_8wekyb3d8bbwe\ac\inethistory\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.zunemusic_8wekyb3d8bbwe\ac\inetcookies\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.zunemusic_8wekyb3d8bbwe\ac\inetcache\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.xboxspeechtotextoverlay_8wekyb3d8bbwe\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.xboxspeechtotextoverlay_8wekyb3d8bbwe\tempstate\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.xboxspeechtotextoverlay_8wekyb3d8bbwe\systemappdata\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.xboxspeechtotextoverlay_8wekyb3d8bbwe\settings\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.xboxspeechtotextoverlay_8wekyb3d8bbwe\roamingstate\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.xboxspeechtotextoverlay_8wekyb3d8bbwe\localstate\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.xboxspeechtotextoverlay_8wekyb3d8bbwe\localcache\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.xboxspeechtotextoverlay_8wekyb3d8bbwe\appdata\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.xboxspeechtotextoverlay_8wekyb3d8bbwe\ac\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.xboxspeechtotextoverlay_8wekyb3d8bbwe\ac\inethistory\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.xboxspeechtotextoverlay_8wekyb3d8bbwe\ac\inetcookies\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.xboxspeechtotextoverlay_8wekyb3d8bbwe\ac\inetcache\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.xboxidentityprovider_8wekyb3d8bbwe\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.xboxidentityprovider_8wekyb3d8bbwe\tempstate\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.xboxidentityprovider_8wekyb3d8bbwe\systemappdata\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.xboxidentityprovider_8wekyb3d8bbwe\settings\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.xboxidentityprovider_8wekyb3d8bbwe\roamingstate\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.xboxidentityprovider_8wekyb3d8bbwe\localstate\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.xboxidentityprovider_8wekyb3d8bbwe\localcache\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.xboxidentityprovider_8wekyb3d8bbwe\appdata\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.xboxidentityprovider_8wekyb3d8bbwe\ac\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.xboxidentityprovider_8wekyb3d8bbwe\ac\inethistory\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.xboxidentityprovider_8wekyb3d8bbwe\ac\inetcookies\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.xboxidentityprovider_8wekyb3d8bbwe\ac\inetcache\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.xboxgamingoverlay_8wekyb3d8bbwe\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.xboxgamingoverlay_8wekyb3d8bbwe\tempstate\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.xboxgamingoverlay_8wekyb3d8bbwe\systemappdata\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.xboxgamingoverlay_8wekyb3d8bbwe\settings\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.xboxgamingoverlay_8wekyb3d8bbwe\roamingstate\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.xboxgamingoverlay_8wekyb3d8bbwe\localstate\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.xboxgamingoverlay_8wekyb3d8bbwe\localcache\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.xboxgamingoverlay_8wekyb3d8bbwe\appdata\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.xboxgamingoverlay_8wekyb3d8bbwe\ac\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.xboxgamingoverlay_8wekyb3d8bbwe\ac\inethistory\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.xboxgamingoverlay_8wekyb3d8bbwe\ac\inetcookies\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.xboxgamingoverlay_8wekyb3d8bbwe\ac\inetcache\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.xboxgameoverlay_8wekyb3d8bbwe\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.xboxgameoverlay_8wekyb3d8bbwe\tempstate\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.xboxgameoverlay_8wekyb3d8bbwe\systemappdata\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.xboxgameoverlay_8wekyb3d8bbwe\settings\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.xboxgameoverlay_8wekyb3d8bbwe\roamingstate\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.xboxgameoverlay_8wekyb3d8bbwe\localstate\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.xboxgameoverlay_8wekyb3d8bbwe\localcache\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.xboxgameoverlay_8wekyb3d8bbwe\appdata\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.xboxgameoverlay_8wekyb3d8bbwe\ac\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.xboxgameoverlay_8wekyb3d8bbwe\ac\inethistory\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.xboxgameoverlay_8wekyb3d8bbwe\ac\inetcookies\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.xboxgameoverlay_8wekyb3d8bbwe\ac\inetcache\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.xboxgamecallableui_cw5n1h2txyewy\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.xboxgamecallableui_cw5n1h2txyewy\tempstate\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.xboxgamecallableui_cw5n1h2txyewy\systemappdata\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.xboxgamecallableui_cw5n1h2txyewy\settings\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.xboxgamecallableui_cw5n1h2txyewy\roamingstate\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.xboxgamecallableui_cw5n1h2txyewy\localstate\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.xboxgamecallableui_cw5n1h2txyewy\localcache\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.xboxgamecallableui_cw5n1h2txyewy\appdata\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.xboxgamecallableui_cw5n1h2txyewy\ac\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.xboxgamecallableui_cw5n1h2txyewy\ac\inethistory\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.xboxgamecallableui_cw5n1h2txyewy\ac\inetcookies\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.xboxgamecallableui_cw5n1h2txyewy\ac\inetcache\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.xboxapp_8wekyb3d8bbwe\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.xboxapp_8wekyb3d8bbwe\tempstate\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.xboxapp_8wekyb3d8bbwe\systemappdata\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.xboxapp_8wekyb3d8bbwe\settings\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.xboxapp_8wekyb3d8bbwe\roamingstate\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.xboxapp_8wekyb3d8bbwe\localstate\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.xboxapp_8wekyb3d8bbwe\localcache\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.xboxapp_8wekyb3d8bbwe\appdata\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.xboxapp_8wekyb3d8bbwe\ac\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.xboxapp_8wekyb3d8bbwe\ac\inethistory\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.xboxapp_8wekyb3d8bbwe\ac\inetcookies\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.xboxapp_8wekyb3d8bbwe\ac\inetcache\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.xbox.tcui_8wekyb3d8bbwe\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.xbox.tcui_8wekyb3d8bbwe\tempstate\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.xbox.tcui_8wekyb3d8bbwe\systemappdata\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.xbox.tcui_8wekyb3d8bbwe\settings\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.xbox.tcui_8wekyb3d8bbwe\roamingstate\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.xbox.tcui_8wekyb3d8bbwe\localstate\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.xbox.tcui_8wekyb3d8bbwe\localcache\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.xbox.tcui_8wekyb3d8bbwe\appdata\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.xbox.tcui_8wekyb3d8bbwe\ac\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.xbox.tcui_8wekyb3d8bbwe\ac\inethistory\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.xbox.tcui_8wekyb3d8bbwe\ac\inetcookies\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.xbox.tcui_8wekyb3d8bbwe\ac\inetcache\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.windowsstore_8wekyb3d8bbwe\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.windowsstore_8wekyb3d8bbwe\tempstate\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.windowsstore_8wekyb3d8bbwe\systemappdata\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.windowsstore_8wekyb3d8bbwe\settings\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.windowsstore_8wekyb3d8bbwe\roamingstate\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.windowsstore_8wekyb3d8bbwe\localstate\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.windowsstore_8wekyb3d8bbwe\localcache\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.windowsstore_8wekyb3d8bbwe\appdata\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.windowsstore_8wekyb3d8bbwe\ac\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.windowsstore_8wekyb3d8bbwe\ac\inethistory\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.windowsstore_8wekyb3d8bbwe\ac\inetcookies\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.windowsstore_8wekyb3d8bbwe\ac\inetcookies\ese\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.windowsstore_8wekyb3d8bbwe\ac\inetcache\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.windowssoundrecorder_8wekyb3d8bbwe\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.windowssoundrecorder_8wekyb3d8bbwe\tempstate\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.windowssoundrecorder_8wekyb3d8bbwe\systemappdata\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.windowssoundrecorder_8wekyb3d8bbwe\settings\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.windowssoundrecorder_8wekyb3d8bbwe\roamingstate\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.windowssoundrecorder_8wekyb3d8bbwe\localstate\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.windowssoundrecorder_8wekyb3d8bbwe\localcache\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.windowssoundrecorder_8wekyb3d8bbwe\appdata\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.windowssoundrecorder_8wekyb3d8bbwe\ac\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.windowssoundrecorder_8wekyb3d8bbwe\ac\inethistory\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.windowssoundrecorder_8wekyb3d8bbwe\ac\inetcookies\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.windowssoundrecorder_8wekyb3d8bbwe\ac\inetcache\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.windowsmaps_8wekyb3d8bbwe\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.windowsmaps_8wekyb3d8bbwe\tempstate\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.windowsmaps_8wekyb3d8bbwe\systemappdata\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.windowsmaps_8wekyb3d8bbwe\settings\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.windowsmaps_8wekyb3d8bbwe\roamingstate\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.windowsmaps_8wekyb3d8bbwe\localstate\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.windowsmaps_8wekyb3d8bbwe\localcache\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.windowsmaps_8wekyb3d8bbwe\appdata\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.windowsmaps_8wekyb3d8bbwe\ac\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.windowsmaps_8wekyb3d8bbwe\ac\inethistory\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.windowsmaps_8wekyb3d8bbwe\ac\inetcookies\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.windowsmaps_8wekyb3d8bbwe\ac\inetcache\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.windowsfeedbackhub_8wekyb3d8bbwe\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.windowsfeedbackhub_8wekyb3d8bbwe\tempstate\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.windowsfeedbackhub_8wekyb3d8bbwe\systemappdata\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.windowsfeedbackhub_8wekyb3d8bbwe\settings\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.windowsfeedbackhub_8wekyb3d8bbwe\roamingstate\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.windowsfeedbackhub_8wekyb3d8bbwe\localstate\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.windowsfeedbackhub_8wekyb3d8bbwe\localcache\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.windowsfeedbackhub_8wekyb3d8bbwe\appdata\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.windowsfeedbackhub_8wekyb3d8bbwe\ac\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.windowsfeedbackhub_8wekyb3d8bbwe\ac\inethistory\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.windowsfeedbackhub_8wekyb3d8bbwe\ac\inetcookies\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.windowsfeedbackhub_8wekyb3d8bbwe\ac\inetcache\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\tempstate\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\systemappdata\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\settings\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\roamingstate\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\localstate\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\localstate\localfiles\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\localstate\localfiles\1230\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\localstate\files\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\localstate\files\s0\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\localstate\files\s0\2\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\localstate\files\s0\1\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\localcache\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\appdata\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\ac\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\ac\inethistory\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\ac\inethistory\backgroundtransferapigroup\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\ac\inethistory\backgroundtransferapi\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\ac\inetcookies\how_can_i_decrypt_my_files.txt
Source: C:\Users\user\AppData\Roaming\mssecsvc.exe | File created: c:\users\user\appdata\local\packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\ac\inetcookies\ese\how_can_i_decrypt_my_files.txt
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\ac\inetcache\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\ac\backgroundtransferapi\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\microsoft.windowscamera_8wekyb3d8bbwe\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\microsoft.windowscamera_8wekyb3d8bbwe\tempstate\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\microsoft.windowscamera_8wekyb3d8bbwe\systemappdata\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\microsoft.windowscamera_8wekyb3d8bbwe\settings\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\microsoft.windowscamera_8wekyb3d8bbwe\roamingstate\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\microsoft.windowscamera_8wekyb3d8bbwe\localstate\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\microsoft.windowscamera_8wekyb3d8bbwe\localcache\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\microsoft.windowscamera_8wekyb3d8bbwe\appdata\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\microsoft.windowscamera_8wekyb3d8bbwe\ac\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\microsoft.windowscamera_8wekyb3d8bbwe\ac\inethistory\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\microsoft.windowscamera_8wekyb3d8bbwe\ac\inetcookies\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\microsoft.windowscamera_8wekyb3d8bbwe\ac\inetcache\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\microsoft.windowscalculator_8wekyb3d8bbwe\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\microsoft.windowscalculator_8wekyb3d8bbwe\tempstate\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\microsoft.windowscalculator_8wekyb3d8bbwe\systemappdata\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\microsoft.windowscalculator_8wekyb3d8bbwe\settings\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\microsoft.windowscalculator_8wekyb3d8bbwe\roamingstate\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\microsoft.windowscalculator_8wekyb3d8bbwe\localstate\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\microsoft.windowscalculator_8wekyb3d8bbwe\localcache\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\microsoft.windowscalculator_8wekyb3d8bbwe\appdata\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\microsoft.windowscalculator_8wekyb3d8bbwe\ac\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\microsoft.windowscalculator_8wekyb3d8bbwe\ac\inethistory\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\microsoft.windowscalculator_8wekyb3d8bbwe\ac\inetcookies\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\microsoft.windowscalculator_8wekyb3d8bbwe\ac\inetcache\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\microsoft.windowsalarms_8wekyb3d8bbwe\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\microsoft.windowsalarms_8wekyb3d8bbwe\tempstate\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\microsoft.windowsalarms_8wekyb3d8bbwe\systemappdata\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\microsoft.windowsalarms_8wekyb3d8bbwe\settings\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\microsoft.windowsalarms_8wekyb3d8bbwe\roamingstate\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\microsoft.windowsalarms_8wekyb3d8bbwe\localstate\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\microsoft.windowsalarms_8wekyb3d8bbwe\localcache\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\microsoft.windowsalarms_8wekyb3d8bbwe\appdata\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\microsoft.windowsalarms_8wekyb3d8bbwe\ac\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\microsoft.windowsalarms_8wekyb3d8bbwe\ac\inethistory\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\microsoft.windowsalarms_8wekyb3d8bbwe\ac\inetcookies\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\microsoft.windowsalarms_8wekyb3d8bbwe\ac\inetcache\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\microsoft.windows.shellexperiencehost_cw5n1h2txyewy\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\microsoft.windows.shellexperiencehost_cw5n1h2txyewy\tempstate\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\microsoft.windows.shellexperiencehost_cw5n1h2txyewy\systemappdata\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\microsoft.windows.shellexperiencehost_cw5n1h2txyewy\settings\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\microsoft.windows.shellexperiencehost_cw5n1h2txyewy\roamingstate\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\microsoft.windows.shellexperiencehost_cw5n1h2txyewy\localstate\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\microsoft.windows.shellexperiencehost_cw5n1h2txyewy\localcache\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\microsoft.windows.shellexperiencehost_cw5n1h2txyewy\appdata\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\microsoft.windows.shellexperiencehost_cw5n1h2txyewy\ac\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\microsoft.windows.shellexperiencehost_cw5n1h2txyewy\ac\microsoft\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\microsoft.windows.shellexperiencehost_cw5n1h2txyewy\ac\inethistory\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\microsoft.windows.shellexperiencehost_cw5n1h2txyewy\ac\inetcookies\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\microsoft.windows.shellexperiencehost_cw5n1h2txyewy\ac\inetcache\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\microsoft.windows.secureassessmentbrowser_cw5n1h2txyewy\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\microsoft.windows.secureassessmentbrowser_cw5n1h2txyewy\tempstate\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\microsoft.windows.secureassessmentbrowser_cw5n1h2txyewy\systemappdata\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\microsoft.windows.secureassessmentbrowser_cw5n1h2txyewy\settings\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\microsoft.windows.secureassessmentbrowser_cw5n1h2txyewy\roamingstate\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\microsoft.windows.secureassessmentbrowser_cw5n1h2txyewy\localstate\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\microsoft.windows.secureassessmentbrowser_cw5n1h2txyewy\localcache\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\microsoft.windows.secureassessmentbrowser_cw5n1h2txyewy\appdata\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\microsoft.windows.secureassessmentbrowser_cw5n1h2txyewy\ac\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\microsoft.windows.secureassessmentbrowser_cw5n1h2txyewy\ac\inethistory\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\microsoft.windows.secureassessmentbrowser_cw5n1h2txyewy\ac\inetcookies\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\microsoft.windows.secureassessmentbrowser_cw5n1h2txyewy\ac\inetcache\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\microsoft.windows.sechealthui_cw5n1h2txyewy\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\microsoft.windows.sechealthui_cw5n1h2txyewy\tempstate\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\microsoft.windows.sechealthui_cw5n1h2txyewy\systemappdata\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\microsoft.windows.sechealthui_cw5n1h2txyewy\settings\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\microsoft.windows.sechealthui_cw5n1h2txyewy\roamingstate\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\microsoft.windows.sechealthui_cw5n1h2txyewy\localstate\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\microsoft.windows.sechealthui_cw5n1h2txyewy\localcache\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\microsoft.windows.sechealthui_cw5n1h2txyewy\appdata\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\microsoft.windows.sechealthui_cw5n1h2txyewy\ac\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\microsoft.windows.sechealthui_cw5n1h2txyewy\ac\inethistory\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\microsoft.windows.sechealthui_cw5n1h2txyewy\ac\inetcookies\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\microsoft.windows.sechealthui_cw5n1h2txyewy\ac\inetcache\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\microsoft.windows.pinningconfirmationdialog_cw5n1h2txyewy\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\microsoft.windows.pinningconfirmationdialog_cw5n1h2txyewy\tempstate\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\microsoft.windows.pinningconfirmationdialog_cw5n1h2txyewy\systemappdata\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\microsoft.windows.pinningconfirmationdialog_cw5n1h2txyewy\settings\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\microsoft.windows.pinningconfirmationdialog_cw5n1h2txyewy\roamingstate\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\microsoft.windows.pinningconfirmationdialog_cw5n1h2txyewy\localstate\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\microsoft.windows.pinningconfirmationdialog_cw5n1h2txyewy\localcache\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\microsoft.windows.pinningconfirmationdialog_cw5n1h2txyewy\appdata\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\microsoft.windows.pinningconfirmationdialog_cw5n1h2txyewy\ac\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\microsoft.windows.pinningconfirmationdialog_cw5n1h2txyewy\ac\inethistory\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\microsoft.windows.pinningconfirmationdialog_cw5n1h2txyewy\ac\inetcookies\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\microsoft.windows.pinningconfirmationdialog_cw5n1h2txyewy\ac\inetcache\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\microsoft.windows.photos_8wekyb3d8bbwe\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\microsoft.windows.photos_8wekyb3d8bbwe\tempstate\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\microsoft.windows.photos_8wekyb3d8bbwe\tempstate\sharecache\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\microsoft.windows.photos_8wekyb3d8bbwe\systemappdata\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\microsoft.windows.photos_8wekyb3d8bbwe\settings\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\microsoft.windows.photos_8wekyb3d8bbwe\roamingstate\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\microsoft.windows.photos_8wekyb3d8bbwe\localstate\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\microsoft.windows.photos_8wekyb3d8bbwe\localcache\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\microsoft.windows.photos_8wekyb3d8bbwe\appdata\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\microsoft.windows.photos_8wekyb3d8bbwe\ac\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\microsoft.windows.photos_8wekyb3d8bbwe\ac\inethistory\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\microsoft.windows.photos_8wekyb3d8bbwe\ac\inetcookies\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\microsoft.windows.photos_8wekyb3d8bbwe\ac\inetcache\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\microsoft.windows.peopleexperiencehost_cw5n1h2txyewy\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\microsoft.windows.peopleexperiencehost_cw5n1h2txyewy\tempstate\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\microsoft.windows.peopleexperiencehost_cw5n1h2txyewy\systemappdata\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\microsoft.windows.peopleexperiencehost_cw5n1h2txyewy\settings\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\microsoft.windows.peopleexperiencehost_cw5n1h2txyewy\roamingstate\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\microsoft.windows.peopleexperiencehost_cw5n1h2txyewy\localstate\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\microsoft.windows.peopleexperiencehost_cw5n1h2txyewy\localcache\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\microsoft.windows.peopleexperiencehost_cw5n1h2txyewy\appdata\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\microsoft.windows.peopleexperiencehost_cw5n1h2txyewy\ac\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\microsoft.windows.peopleexperiencehost_cw5n1h2txyewy\ac\inethistory\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\microsoft.windows.peopleexperiencehost_cw5n1h2txyewy\ac\inetcookies\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\microsoft.windows.peopleexperiencehost_cw5n1h2txyewy\ac\inetcache\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\microsoft.windows.parentalcontrols_cw5n1h2txyewy\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\microsoft.windows.parentalcontrols_cw5n1h2txyewy\tempstate\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\microsoft.windows.parentalcontrols_cw5n1h2txyewy\systemappdata\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\microsoft.windows.parentalcontrols_cw5n1h2txyewy\settings\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\microsoft.windows.parentalcontrols_cw5n1h2txyewy\roamingstate\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\microsoft.windows.parentalcontrols_cw5n1h2txyewy\localstate\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\microsoft.windows.parentalcontrols_cw5n1h2txyewy\localcache\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\microsoft.windows.parentalcontrols_cw5n1h2txyewy\appdata\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\microsoft.windows.parentalcontrols_cw5n1h2txyewy\ac\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\microsoft.windows.parentalcontrols_cw5n1h2txyewy\ac\inethistory\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\microsoft.windows.parentalcontrols_cw5n1h2txyewy\ac\inetcookies\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\microsoft.windows.parentalcontrols_cw5n1h2txyewy\ac\inetcache\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\microsoft.windows.oobenetworkconnectionflow_cw5n1h2txyewy\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\microsoft.windows.oobenetworkconnectionflow_cw5n1h2txyewy\tempstate\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\microsoft.windows.oobenetworkconnectionflow_cw5n1h2txyewy\systemappdata\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\microsoft.windows.oobenetworkconnectionflow_cw5n1h2txyewy\settings\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: c:\users\user\appdata\local\packages\microsoft.windows.oobenetworkconnectionflow_cw5n1h2txyewy\roamingstate\how_can_i_decrypt_my_files.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\256.png entropy: 7.99269643773
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\256.png entropy: 7.99153214034
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exe File created: C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\en-US\PSGet.Resource.psd1 entropy: 7.99450990842
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Document Building Blocks\1033\16\Built-In Building Blocks.dotx entropy: 7.99993781786
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Bibliography\Style\CHICAGO.XSL entropy: 7.992931452
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Bibliography\Style\GostName.XSL entropy: 7.99097117143
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Bibliography\Style\GB.XSL entropy: 7.99145138818
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Bibliography\Style\HarvardAnglia2008OfficeOnline.xsl entropy: 7.99083552937
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Bibliography\Style\IEEE2006OfficeOnline.xsl entropy: 7.99197838245
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Bibliography\Style\ISO690.XSL entropy: 7.99125786673
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Bibliography\Style\ISO690Nmerical.XSL entropy: 7.99207808803
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Bibliography\Style\MLASeventhEditionOfficeOnline.xsl entropy: 7.9909758764
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Bibliography\Style\SIST02.XSL entropy: 7.99136665433
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Bibliography\Style\TURABIAN.XSL entropy: 7.99391207556
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exe File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 entropy: 7.99744177177
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\adm\zh-TW\OneDrive.adml entropy: 7.99395616845
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\adm\OneDrive.adml entropy: 7.9943938536
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\adm\tr\OneDrive.adml entropy: 7.99483535782
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\adm\zh-CN\OneDrive.adml entropy: 7.9921405329
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\adm\pt-BR\OneDrive.adml entropy: 7.99487967679
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\adm\pt-PT\OneDrive.adml entropy: 7.99411764376
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\adm\ru\OneDrive.adml entropy: 7.99584760361
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\adm\sv\OneDrive.adml entropy: 7.99395753346
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\adm\nl\OneDrive.adml entropy: 7.99398415335
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exe File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\adm\pl\OneDrive.adml entropy: 7.99426433513
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\adm\fr\OneDrive.adml entropy: 7.99447055166
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\adm\it\OneDrive.adml entropy: 7.99452248926
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\adm\ja\OneDrive.adml entropy: 7.99515530192
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\adm\ko\OneDrive.adml entropy: 7.99362651041
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\adm\hu\OneDrive.adml entropy: 7.99500989955
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\adm\de\OneDrive.adml entropy: 7.9942475217
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: C:\Users\user\AppData\Local\Microsoft\OneDrive\19.086.0502.0006\adm\es\OneDrive.adml entropy: 7.99378751341
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\craw_background.js entropy: 7.9962424708
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\craw_window.js entropy: 7.99899308864
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: C:\Program Files (x86)\Microsoft Office\Templates\1033\AdjacencyLetter.dotx entropy: 7.99906272624
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: C:\Program Files (x86)\Microsoft Office\Templates\1033\AdjacencyResume.dotx entropy: 7.99919210577
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: C:\Program Files (x86)\Microsoft Office\Templates\1033\ClassicPhotoAlbum.potx entropy: 7.99959750799
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: C:\Program Files (x86)\Microsoft Office\Templates\1033\ContemporaryPhotoAlbum.potx entropy: 7.99958939639
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: C:\Program Files (x86)\Microsoft Office\Templates\1033\AdjacencyReport.dotx entropy: 7.99979552636
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: C:\Program Files (x86)\Microsoft Office\Templates\1033\Pitchbook.potx entropy: 7.99556642537
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: C:\Program Files (x86)\Microsoft Office\Templates\1033\EssentialLetter.dotx entropy: 7.99842430383
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: C:\Program Files (x86)\Microsoft Office\Templates\1033\EssentialReport.dotx entropy: 7.99979408804
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: C:\Program Files (x86)\Microsoft Office\Templates\1033\EssentialResume.dotx entropy: 7.99934355575
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: C:\Program Files (x86)\Microsoft Office\Templates\1033\TimelessReport.dotx entropy: 7.99783002227
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: C:\Program Files (x86)\Microsoft Office\Templates\1033\QuizShow.potx entropy: 7.99807126316
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: C:\Program Files (x86)\Microsoft Office\Templates\1033\StudentReport.dotx entropy: 7.99949817027
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: C:\Program Files (x86)\Microsoft Office\Templates\1033\Training.potx entropy: 7.99963441371
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Part\1 Right.accdt entropy: 7.99275925084
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Part\1 Top.accdt entropy: 7.99108949125
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Part\2 Right.accdt entropy: 7.99174795146
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Part\2 Top.accdt entropy: 7.99155854963
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Part\Contacts.accdt entropy: 7.99888218905
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\16\Notebook Templates\Notebook03.onepkg entropy: 7.99929652275
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Part\Media.accdt entropy: 7.99013696846
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Part\Msgbox.accdt entropy: 7.99044546576
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Part\Tabs.accdt entropy: 7.99119509347
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Part\Tasks.accdt entropy: 7.99486304732
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Part\Users.accdt entropy: 7.99300315926
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Part\List.accdt entropy: 7.99142795523
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Part\Dialog.accdt entropy: 7.99062605101
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeFile created: C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Part\Issues.accdt entropy: 7.99540754756
        Source: wevtutil.exeProcess created: 83

        System Summary

        Source: 2.2.003cea9a.exe.226a3a614c0.1.unpack, type: UNPACKEDPEMatched rule: Detects Mimikatz by using some special strings Author: Florian Roth (Nextron Systems)
        Source: 2.0.003cea9a.exe.7ff6214c0000.0.unpack, type: UNPACKEDPEMatched rule: LimaCharlie Author: Novetta Threat Research & Interdiction Group - trig@novetta.com
        Source: 2.2.003cea9a.exe.226a3a614c0.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects Mimikatz by using some special strings Author: Florian Roth (Nextron Systems)
        Source: 0.2.01730499.exe.fe2dc8.0.unpack, type: UNPACKEDPEMatched rule: LimaCharlie Author: Novetta Threat Research & Interdiction Group - trig@novetta.com
        Source: 0.2.01730499.exe.fe2dc8.0.raw.unpack, type: UNPACKEDPEMatched rule: LimaCharlie Author: Novetta Threat Research & Interdiction Group - trig@novetta.com
        Source: 2.2.003cea9a.exe.7ff6214c0000.2.unpack, type: UNPACKEDPEMatched rule: LimaCharlie Author: Novetta Threat Research & Interdiction Group - trig@novetta.com
        Source: 2.2.003cea9a.exe.180000000.0.unpack, type: UNPACKEDPEMatched rule: Detects Mimikatz by using some special strings Author: Florian Roth (Nextron Systems)
        Source: C:\Users\user\AppData\Roaming\003cea9a.exe, type: DROPPEDMatched rule: LimaCharlie Author: Novetta Threat Research & Interdiction Group - trig@novetta.com
        Source: 01730499.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
        Source: 2.2.003cea9a.exe.226a3a614c0.1.unpack, type: UNPACKEDPEMatched rule: Mimikatz_Gen_Strings date = 2017-06-19, hash3 = f35b589c1cc1c98c4c4a5123fd217bdf0d987c00d2561992cbfb94bd75920159, hash2 = eefd4c038afa0e80cf6521c69644e286df08c0883f94245902383f50feac0f85, author = Florian Roth (Nextron Systems), description = Detects Mimikatz by using some special strings, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 058cc8b3e4e4055f3be460332a62eb4cbef41e3a7832aceb8119fd99fea771c4
        Source: 2.2.003cea9a.exe.226a3a614c0.1.unpack, type: UNPACKEDPEMatched rule: mimikatz author = Benjamin DELPY (gentilkiwi), description = mimikatz, tool_author = Benjamin DELPY (gentilkiwi), modified = 2022-11-16
        Source: 2.0.003cea9a.exe.7ff6214c0000.0.unpack, type: UNPACKEDPEMatched rule: LimaCharlie copyright = 2015 Novetta Solutions, Source_x64 = 90ace24eb132c776a6d5bb0451437db21e84601495a2165d75f520af637e71e8, Source_x86 = 6ee6ae79ee1502a11ece81e971a54f189a271be9ec700101a2bd7a21198b94c7, author = Novetta Threat Research & Interdiction Group - trig@novetta.com
        Source: 2.2.003cea9a.exe.226a3a614c0.1.raw.unpack, type: UNPACKEDPEMatched rule: Mimikatz_Gen_Strings date = 2017-06-19, hash3 = f35b589c1cc1c98c4c4a5123fd217bdf0d987c00d2561992cbfb94bd75920159, hash2 = eefd4c038afa0e80cf6521c69644e286df08c0883f94245902383f50feac0f85, author = Florian Roth (Nextron Systems), description = Detects Mimikatz by using some special strings, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 058cc8b3e4e4055f3be460332a62eb4cbef41e3a7832aceb8119fd99fea771c4
        Source: 2.2.003cea9a.exe.226a3a614c0.1.raw.unpack, type: UNPACKEDPEMatched rule: mimikatz author = Benjamin DELPY (gentilkiwi), description = mimikatz, tool_author = Benjamin DELPY (gentilkiwi), modified = 2022-11-16
        Source: 0.2.01730499.exe.fe2dc8.0.unpack, type: UNPACKEDPEMatched rule: LimaCharlie copyright = 2015 Novetta Solutions, Source_x64 = 90ace24eb132c776a6d5bb0451437db21e84601495a2165d75f520af637e71e8, Source_x86 = 6ee6ae79ee1502a11ece81e971a54f189a271be9ec700101a2bd7a21198b94c7, author = Novetta Threat Research & Interdiction Group - trig@novetta.com
        Source: 0.2.01730499.exe.fe2dc8.0.raw.unpack, type: UNPACKEDPEMatched rule: LimaCharlie copyright = 2015 Novetta Solutions, Source_x64 = 90ace24eb132c776a6d5bb0451437db21e84601495a2165d75f520af637e71e8, Source_x86 = 6ee6ae79ee1502a11ece81e971a54f189a271be9ec700101a2bd7a21198b94c7, author = Novetta Threat Research & Interdiction Group - trig@novetta.com
        Source: 2.2.003cea9a.exe.7ff6214c0000.2.unpack, type: UNPACKEDPEMatched rule: LimaCharlie copyright = 2015 Novetta Solutions, Source_x64 = 90ace24eb132c776a6d5bb0451437db21e84601495a2165d75f520af637e71e8, Source_x86 = 6ee6ae79ee1502a11ece81e971a54f189a271be9ec700101a2bd7a21198b94c7, author = Novetta Threat Research & Interdiction Group - trig@novetta.com
        Source: 2.2.003cea9a.exe.180000000.0.unpack, type: UNPACKEDPEMatched rule: Mimikatz_Gen_Strings date = 2017-06-19, hash3 = f35b589c1cc1c98c4c4a5123fd217bdf0d987c00d2561992cbfb94bd75920159, hash2 = eefd4c038afa0e80cf6521c69644e286df08c0883f94245902383f50feac0f85, author = Florian Roth (Nextron Systems), description = Detects Mimikatz by using some special strings, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 058cc8b3e4e4055f3be460332a62eb4cbef41e3a7832aceb8119fd99fea771c4
        Source: 2.2.003cea9a.exe.180000000.0.unpack, type: UNPACKEDPEMatched rule: mimikatz author = Benjamin DELPY (gentilkiwi), description = mimikatz, tool_author = Benjamin DELPY (gentilkiwi), modified = 2022-11-16
        Source: 00000002.00000002.403408739.0000000180022000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: mimikatz author = Benjamin DELPY (gentilkiwi), description = mimikatz, tool_author = Benjamin DELPY (gentilkiwi), modified = 2022-11-16
        Source: 00000002.00000002.403478675.00000226A3A5E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: mimikatz author = Benjamin DELPY (gentilkiwi), description = mimikatz, tool_author = Benjamin DELPY (gentilkiwi), modified = 2022-11-16
        Source: C:\Users\user\AppData\Roaming\003cea9a.exe, type: DROPPEDMatched rule: LimaCharlie copyright = 2015 Novetta Solutions, Source_x64 = 90ace24eb132c776a6d5bb0451437db21e84601495a2165d75f520af637e71e8, Source_x86 = 6ee6ae79ee1502a11ece81e971a54f189a271be9ec700101a2bd7a21198b94c7, author = Novetta Threat Research & Interdiction Group - trig@novetta.com
        Source: C:\Users\user\Desktop\01730499.exeCode function: 0_2_01317907
        Source: C:\Users\user\Desktop\01730499.exeCode function: 0_2_0132506F
        Source: C:\Users\user\Desktop\01730499.exeCode function: 0_2_01311050
        Source: C:\Users\user\Desktop\01730499.exeCode function: 0_2_01311312
        Source: C:\Users\user\Desktop\01730499.exeCode function: 0_2_0131821B
        Source: C:\Users\user\Desktop\01730499.exeCode function: 0_2_01318A85
        Source: C:\Users\user\Desktop\01730499.exeCode function: 0_2_013114F2
        Source: C:\Users\user\Desktop\01730499.exeCode function: 0_2_01317E03
        Source: C:\Users\user\Desktop\01730499.exeCode function: 0_2_01318650
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeCode function: 1_2_00D7C4F0
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeCode function: 1_2_00D78650
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeCode function: 1_2_00D7C040
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeCode function: 1_2_00D7D640
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeCode function: 1_2_00D74E30
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeCode function: 1_2_00D753F0
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeCode function: 1_2_00D7D150
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeCode function: 1_2_00D7CD40
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeCode function: 1_2_00D7CB10
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeCode function: 1_2_00D7B720
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeCode function: 1_2_00D734C6
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeCode function: 1_2_00D7C6E0
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeCode function: 1_2_00D74450
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeCode function: 1_2_00D77270
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeCode function: 1_2_00D7C270
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeCode function: 1_2_00D78A30
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeCode function: 1_2_00D72DE6
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeCode function: 1_2_00D759B0
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeCode function: 1_2_00D71160
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeCode function: 1_2_00D73116
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeCode function: 1_2_00D7B500
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeCode function: 1_2_00D74730
        Source: C:\Users\user\AppData\Roaming\003cea9a.exeCode function: 2_2_00007FF6214C1320
        Source: C:\Users\user\AppData\Roaming\003cea9a.exeCode function: 2_2_00007FF6214C7D38
        Source: C:\Users\user\AppData\Roaming\003cea9a.exeCode function: 2_2_00007FF6214C1570
        Source: C:\Users\user\AppData\Roaming\003cea9a.exeCode function: 2_2_00007FF6214CDF78
        Source: C:\Users\user\AppData\Roaming\003cea9a.exeCode function: 2_2_00007FF6214C1030
        Source: C:\Users\user\AppData\Roaming\003cea9a.exeCode function: 2_2_00007FF6214C8BCC
        Source: C:\Users\user\AppData\Roaming\003cea9a.exeCode function: 2_2_0000000180009FEC
        Source: C:\Users\user\AppData\Roaming\003cea9a.exeCode function: 2_2_0000000180007848
        Source: C:\Users\user\AppData\Roaming\003cea9a.exeCode function: 2_2_0000000180011CD8
        Source: C:\Users\user\AppData\Roaming\003cea9a.exeCode function: 2_2_000000018000757C
        Source: C:\Users\user\AppData\Roaming\003cea9a.exeCode function: 2_2_0000000180010A50
        Source: C:\Users\user\AppData\Roaming\003cea9a.exeCode function: 2_2_0000000180008EC0
        Source: C:\Users\user\AppData\Roaming\003cea9a.exeCode function: 2_2_000000018000EAF4
        Source: C:\Users\user\AppData\Roaming\003cea9a.exeCode function: 2_2_0000000180015F40
        Source: C:\Users\user\Desktop\01730499.exeCode function: String function: 01316980 appears 38 times
        Source: C:\Users\user\AppData\Roaming\003cea9a.exeCode function: 2_2_000000018000210C GetCurrentProcess,NtQueryInformationProcess,
        Source: C:\Users\user\AppData\Roaming\003cea9a.exeCode function: 2_2_000000018000177C NtQuerySystemInformation,NtQuerySystemInformation,LocalFree,
        Source: C:\Users\user\Desktop\01730499.exeProcess token adjusted: Security
        Source: 01730499.exeReversingLabs: Detection: 91%
        Source: 01730499.exeVirustotal: Detection: 88%
        Source: C:\Users\user\Desktop\01730499.exeFile read: C:\Users\user\Desktop\01730499.exe
        Source: 01730499.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
        Source: C:\Users\user\Desktop\01730499.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: unknownProcess created: C:\Users\user\Desktop\01730499.exe C:\Users\user\Desktop\01730499.exe
        Source: C:\Users\user\Desktop\01730499.exeProcess created: C:\Users\user\AppData\Roaming\mssecsvc.exe C:\Users\user\AppData\Roaming\mssecsvc.exe
        Source: C:\Users\user\Desktop\01730499.exeProcess created: C:\Users\user\AppData\Roaming\003cea9a.exe C:\Users\user\AppData\Roaming\003cea9a.exe
        Source: C:\Users\user\Desktop\01730499.exeProcess created: C:\Windows\SysWOW64\notepad.exe C:\Windows\system32\notepad.exe
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\72A3.tmp.bat" "
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout /T 10
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c bcdedit
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c wevtutil.exe el
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe el
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "AMSI/Operational"
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "AirSpaceChannel"
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "Analytic"
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "Application"
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "DebugChannel"
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "DirectShowFilterGraph"
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "DirectShowPluginControl"
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "Els_Hyphenation/Analytic"
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "EndpointMapper"
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "FirstUXPerf-Analytic"
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "ForwardedEvents"
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "General Logging"
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "HardwareEvents"
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "IHM_DebugChannel"
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "Intel-iaLPSS-GPIO/Analytic"
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "Intel-iaLPSS-I2C/Analytic"
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "Intel-iaLPSS2-GPIO2/Debug"
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "Intel-iaLPSS2-GPIO2/Performance"
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "Intel-iaLPSS2-I2C/Debug"
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "Intel-iaLPSS2-I2C/Performance"
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "Internet Explorer"
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "Key Management Service"
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "MF_MediaFoundationDeviceProxy"
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "MedaFoundationVideoProc"
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "MedaFoundationVideoProcD3D"
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "MediaFoundationAsyncWrapper"
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "MediaFoundationContentProtection"
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "MediaFoundationDS"
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "MediaFoundationDeviceProxy"
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "MediaFoundationMediaEngine"
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "MediaFoundationPerformance"
        Source: C:\Users\user\Desktop\01730499.exeProcess created: C:\Users\user\AppData\Roaming\mssecsvc.exe C:\Users\user\AppData\Roaming\mssecsvc.exe
        Source: C:\Users\user\Desktop\01730499.exeProcess created: C:\Users\user\AppData\Roaming\003cea9a.exe C:\Users\user\AppData\Roaming\003cea9a.exe
        Source: C:\Users\user\Desktop\01730499.exeProcess created: C:\Windows\SysWOW64\notepad.exe C:\Windows\system32\notepad.exe
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout /T 10
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c bcdedit
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c wevtutil.exe el
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "AMSI/Operational"
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "AirSpaceChannel"
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "Analytic"
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "Application"
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "DebugChannel"
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "DirectShowFilterGraph"
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "DirectShowPluginControl"
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "Els_Hyphenation/Analytic"
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "EndpointMapper"
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "FirstUXPerf-Analytic"
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "ForwardedEvents"
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "General Logging"
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "HardwareEvents"
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "IHM_DebugChannel"
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "Intel-iaLPSS-GPIO/Analytic"
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "Intel-iaLPSS-I2C/Analytic"
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "Intel-iaLPSS2-GPIO2/Debug"
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "Intel-iaLPSS2-GPIO2/Performance"
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "Intel-iaLPSS2-I2C/Debug"
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "Intel-iaLPSS2-I2C/Performance"
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "Internet Explorer"
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "Key Management Service"
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "MF_MediaFoundationDeviceProxy"
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "MedaFoundationVideoProc"
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "MedaFoundationVideoProcD3D"
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "MediaFoundationAsyncWrapper"
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "MediaFoundationContentProtection"
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "MediaFoundationDS"
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "MediaFoundationDeviceProxy"
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "MediaFoundationMediaEngine"
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "MediaFoundationPerformance"
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "IHM_DebugChannel"
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "Intel-iaLPSS-I2C/Analytic"
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "Intel-iaLPSS2-GPIO2/Debug"
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "Intel-iaLPSS2-GPIO2/Performance"
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "Key Management Service"
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "MF_MediaFoundationDeviceProxy"
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "MedaFoundationVideoProc"
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "MedaFoundationVideoProcD3D"
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "MediaFoundationAsyncWrapper"
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "EndpointMapper"
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "FirstUXPerf-Analytic"
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "ForwardedEvents"
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "IHM_DebugChannel"
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "Intel-iaLPSS-I2C/Analytic"
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "Intel-iaLPSS2-GPIO2/Debug"
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "Intel-iaLPSS2-I2C/Performance"
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "MediaFoundationContentProtection"
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "MediaFoundationDS"
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "MediaFoundationMediaEngine"
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "AirSpaceChannel"
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "Analytic"
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "Application"
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "DirectShowFilterGraph"
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "DirectShowPluginControl"
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "FirstUXPerf-Analytic"
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "ForwardedEvents"
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "Intel-iaLPSS-I2C/Analytic"
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "MF_MediaFoundationDeviceProxy"
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "MedaFoundationVideoProc"
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "MediaFoundationContentProtection"
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "MediaFoundationDS"
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "FirstUXPerf-Analytic"
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "IHM_DebugChannel"
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "Intel-iaLPSS2-GPIO2/Performance"
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "Intel-iaLPSS2-I2C/Performance"
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "MF_MediaFoundationDeviceProxy"
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "MedaFoundationVideoProc"
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "MediaFoundationContentProtection"
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "MediaFoundationDS"
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "Intel-iaLPSS2-GPIO2/Debug"
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "Intel-iaLPSS2-GPIO2/Performance"
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "Intel-iaLPSS2-I2C/Performance"
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
        Source: C:\Windows\SysWOW64\notepad.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\InProcServer32
        Source: C:\Users\user\Desktop\01730499.exe Code function: 0_2_013139CE GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetTokenInformation,GetTokenInformation,LookupPrivilegeNameW,AdjustTokenPrivileges,FindCloseChangeNotification,
        Source: C:\Users\user\Desktop\01730499.exe File created: C:\Users\user\AppData\Roaming\88e0ddf0-7b4d-40ef-b3a4-681a36f56107
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exe File created: C:\Users\user\AppData\Local\Temp\72A3.tmp
        Source: classification engine Classification label: mal100.rans.troj.spyw.evad.winEXE@546/1027@0/100
        Source: C:\Users\user\Desktop\01730499.exe Code function: 0_2_01312F12 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,
        Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5504:120:WilError_01
        Source: C:\Users\user\Desktop\01730499.exe Code function: 0_2_01312E63 GetModuleHandleW,GetModuleHandleW,FindResourceW,GetModuleHandleW,LoadResource,LockResource,GetModuleHandleW,SizeofResource,
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\72A3.tmp.bat" "
        Source: 01730499.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
        Source: 01730499.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
        Source: 01730499.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
        Source: 01730499.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
        Source: 01730499.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
        Source: 01730499.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
        Source: 01730499.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
        Source: 01730499.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
        Source: 01730499.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
        Source: 01730499.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
        Source: 01730499.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
        Source: 01730499.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
        Source: 01730499.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
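        The static-PE lines above are read straight from the optional header and section table. The following is an added example written for this page (not the sandbox vendor's code and not part of the sample): it parses the DllCharacteristics flags and maps each populated data directory to the section that contains its RVA, using offsets and flag values from the PE/COFF specification. build_sample_pe() emits a constructed, header-only PE32 laid out to match the findings above (import/IAT/load-config/debug in .rdata, resources in .rsrc, relocations in .reloc, DYNAMIC_BASE | NX_COMPAT | TERMINAL_SERVER_AWARE set); it is not the analysed binary, and the section sizes and RVAs in it are assumptions.

```python
"""Read two static-PE facts the report states above straight from the headers:
the DllCharacteristics flags and the section holding each data directory.
Added example for this page, not the sandbox vendor's code; offsets and flag
values are from the PE/COFF specification.  build_sample_pe() returns a
constructed, header-only PE32 shaped like the report's findings, not the real
file."""
import struct

DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT", 0x0200: "NO_ISOLATION", 0x0400: "NO_SEH", 0x0800: "NO_BIND",
    0x1000: "APPCONTAINER", 0x2000: "WDM_DRIVER", 0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}
DIRECTORY_NAMES = [
    "EXPORT", "IMPORT", "RESOURCE", "EXCEPTION", "SECURITY", "BASERELOC", "DEBUG",
    "ARCHITECTURE", "GLOBALPTR", "TLS", "LOAD_CONFIG", "BOUND_IMPORT", "IAT",
    "DELAY_IMPORT", "COM_DESCRIPTOR", "RESERVED",
]


def _headers(data):
    """Return (opt_off, n_sections, opt_size, dirs_off, n_dirs) or raise ValueError."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    n_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:      # PE32: NumberOfRvaAndSizes at +92, directories at +96
        n_dirs_off, dirs_off = opt + 92, opt + 96
    elif magic == 0x20B:    # PE32+: 8-byte ImageBase, no BaseOfData -> +108 / +112
        n_dirs_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError(f"unknown optional header magic 0x{magic:X}")
    n_dirs = min(struct.unpack_from("<I", data, n_dirs_off)[0], 16)
    return opt, n_sections, opt_size, dirs_off, n_dirs


def sections(data):
    """[(name, VirtualAddress, VirtualSize)] from the 40-byte section headers."""
    opt, n_sections, opt_size, _, _ = _headers(data)
    off, out = opt + opt_size, []
    for _ in range(n_sections):
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va = struct.unpack_from("<II", data, off + 8)
        out.append((name, va, vsize))
        off += 40
    return out


def dll_characteristics(data):
    """Names of the DllCharacteristics bits set (field sits at +70 in PE32 and PE32+)."""
    bits = struct.unpack_from("<H", data, _headers(data)[0] + 70)[0]
    return {name for bit, name in DLL_CHARACTERISTICS.items() if bits & bit}


def data_directory_sections(data):
    """Map each populated directory to the section containing its RVA (None if the
    RVA is outside every section: header area, a bogus/packed entry, or SECURITY,
    which holds a file offset rather than an RVA)."""
    _, _, _, dirs_off, n_dirs = _headers(data)
    secs = sections(data)
    out = {}
    for i in range(n_dirs):
        rva, size = struct.unpack_from("<II", data, dirs_off + 8 * i)
        if rva or size:
            owner = next((n for n, va, vs in secs if va <= rva < va + vs), None)
            out["IMAGE_DIRECTORY_ENTRY_" + DIRECTORY_NAMES[i]] = owner
    return out


def build_sample_pe():
    """Constructed header-only PE32 laid out like the report's findings (not the real file)."""
    secs = [(b".text", 0x1000, 0x10000), (b".rdata", 0x11000, 0x5000),
            (b".rsrc", 0x16000, 0x1000), (b".reloc", 0x17000, 0x1000)]
    dirs = {1: (0x12000, 0x100), 2: (0x16000, 0x800), 5: (0x17000, 0x200),
            6: (0x11500, 0x1C), 10: (0x13000, 0xA0), 12: (0x11000, 0x100)}
    dll_flags = 0x0040 | 0x0100 | 0x8000   # DYNAMIC_BASE | NX_COMPAT | TERMINAL_SERVER_AWARE
    opt = struct.pack("<HBBIIIIII", 0x10B, 14, 0, 0x10000, 0x7000, 0, 0x1000, 0x1000, 0x11000)
    opt += struct.pack("<IIIHHHHHHIIIIHH", 0x400000, 0x1000, 0x200, 6, 0, 0, 0, 6, 0,
                       0, 0x18000, 0x400, 0, 2, dll_flags)   # ..., Subsystem, DllCharacteristics
    opt += struct.pack("<IIIIII", 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)  # stacks, heaps, NumberOfRvaAndSizes
    for i in range(16):
        opt += struct.pack("<II", *dirs.get(i, (0, 0)))
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(secs), 0, 0, 0, len(opt), 0x0102)
    sec_table = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, vs, 0x400, 0, 0, 0, 0, 0x60000020)
                         for n, va, vs in secs)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    return dos + b"PE\0\0" + file_hdr + opt + sec_table


if __name__ == "__main__":
    pe = build_sample_pe()
    print("DllCharacteristics:", ", ".join(sorted(dll_characteristics(pe))))
    for entry, section in data_directory_sections(pe).items():
        print(f"{entry} is in: {section}")
```

        Point the two functions at the bytes of any real PE instead of build_sample_pe() to reproduce the check; a directory that maps to None, or to a section the linker would not normally use, is worth a closer look on a packed sample.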

        Data Obfuscation

        Source: C:\Users\user\AppData\Roaming\003cea9a.exe Unpacked PE file: 2.2.003cea9a.exe.180000000.0.unpack
        Source: C:\Users\user\Desktop\01730499.exe Code function: 0_2_013169C6 push ecx; ret
        Source: C:\Users\user\Desktop\01730499.exe Code function: 0_2_01325642 push ecx; ret
        Source: C:\Users\user\Desktop\01730499.exe Code function: 0_2_013121B9 LoadLibraryA,GetProcAddress,

        Persistence and Installation Behavior

        Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c bcdedit
        Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c bcdedit
        Source: C:\Users\user\Desktop\01730499.exe File created: C:\Users\user\AppData\Roaming\mssecsvc.exe
        Source: C:\Users\user\Desktop\01730499.exe File created: C:\Users\user\AppData\Roaming\003cea9a.exe

        Hooking and other Techniques for Hiding and Protection

        Source: C:\Windows\SysWOW64\notepad.exe File deleted: c:\users\user\desktop\01730499.exe
        Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\timeout.exe TID: 6684 Thread sleep count: 56 > 30
        Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
        Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
        Source: C:\Windows\System32\conhost.exe Window / User API: threadDelayed 704
        Source: C:\Users\user\Desktop\01730499.exe Code function: GetAdaptersInfo,GetAdaptersInfo,GetAdaptersInfo,htonl,EnterCriticalSection,LeaveCriticalSection,
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exe Code function: GetAdaptersInfo,GetAdaptersInfo,GetNativeSystemInfo,CreateThread,Sleep,
        Source: C:\Users\user\Desktop\01730499.exe Process information queried: ProcessInformation
        Source: C:\Users\user\Desktop\01730499.exe Code function: 0_2_0131EC0F FindFirstFileExW,
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exe Code function: 1_2_00D78650 FindFirstFileW,FindNextFileW,FindClose,
        Source: C:\Users\user\AppData\Roaming\003cea9a.exe Code function: 2_2_00007FF6214C8DFC FindFirstFileExW,
        Source: C:\Users\user\AppData\Roaming\003cea9a.exe Code function: 2_2_000000018000ED00 FindFirstFileExA,
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exe Code function: 1_2_00D79550 GetLogicalDriveStringsW,GetLogicalDriveStringsW,
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Vault\
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Templates\Normal.dotm
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Word\
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Templates\
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\
        Source: wevtutil.exe, 0000000C.00000003.437032586.0000000000820000.00000004.00000020.00020000.00000000.sdmp, wevtutil.exe, 0000000C.00000003.437434095.0000000000837000.00000004.00000020.00020000.00000000.sdmp, wevtutil.exe, 0000000C.00000003.437661666.0000000000837000.00000004.00000020.00020000.00000000.sdmp, wevtutil.exe, 0000000C.00000003.438016788.0000000000838000.00000004.00000020.00020000.00000000.sdmp, wevtutil.exe, 0000000C.00000003.438090892.0000000000838000.00000004.00000020.00020000.00000000.sdmp, wevtutil.exe, 0000000C.00000003.438185841.0000000000844000.00000004.00000020.00020000.00000000.sdmp, wevtutil.exe, 0000000C.00000003.436897140.000000000081B000.00000004.00000020.00020000.00000000.sdmp, wevtutil.exe, 0000000C.00000003.438246681.0000000000849000.00000004.00000020.00020000.00000000.sdmp, wevtutil.exe, 0000000C.00000003.437295870.000000000082A000.00000004.00000020.00020000.00000000.sdmp, wevtutil.exe, 0000000C.00000003.437581519.000000000082C000.00000004.00000020.00020000.00000000.sdmp, wevtutil.exe, 0000000C.00000003.437129560.0000000000827000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Microsoft-Windows-Hyper-V-Guest-Drivers/Analyticj
        Source: wevtutil.exe, 0000000C.00000003.437032586.0000000000820000.00000004.00000020.00020000.00000000.sdmp, wevtutil.exe, 0000000C.00000003.436897140.000000000081B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Microsoft-Windows-Hyper-V-Guest-Drivers/DiagnoseLMEMhT
        Source: wevtutil.exe, 0000000C.00000003.437032586.0000000000820000.00000004.00000020.00020000.00000000.sdmp, wevtutil.exe, 0000000C.00000003.437434095.0000000000837000.00000004.00000020.00020000.00000000.sdmp, wevtutil.exe, 0000000C.00000003.437661666.0000000000837000.00000004.00000020.00020000.00000000.sdmp, wevtutil.exe, 0000000C.00000003.438016788.0000000000838000.00000004.00000020.00020000.00000000.sdmp, wevtutil.exe, 0000000C.00000003.438090892.0000000000838000.00000004.00000020.00020000.00000000.sdmp, wevtutil.exe, 0000000C.00000003.438185841.0000000000844000.00000004.00000020.00020000.00000000.sdmp, wevtutil.exe, 0000000C.00000003.436897140.000000000081B000.00000004.00000020.00020000.00000000.sdmp, wevtutil.exe, 0000000C.00000003.438279625.0000000000845000.00000004.00000020.00020000.00000000.sdmp, wevtutil.exe, 0000000C.00000003.438366824.0000000000848000.00000004.00000020.00020000.00000000.sdmp, wevtutil.exe, 0000000C.00000003.437295870.000000000082A000.00000004.00000020.00020000.00000000.sdmp, wevtutil.exe, 0000000C.00000003.437581519.000000000082C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Microsoft-Windows-Hyper-V-Guest-Drivers/Debug
        Source: wevtutil.exe, 0000000C.00000003.437032586.0000000000820000.00000004.00000020.00020000.00000000.sdmp, wevtutil.exe, 0000000C.00000003.436897140.000000000081B000.00000004.00000020.00020000.00000000.sdmp, wevtutil.exe, 0000000C.00000003.437129560.0000000000827000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Microsoft-Windows-Hyper-V-NETVSC/DiagnosticLMEMXh
        Source: wevtutil.exe, 0000000C.00000003.437581519.000000000082C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Microsoft-Windows-Hyper-V-Guest-Drivers/Debugow
        Source: wevtutil.exe, 0000000C.00000003.438391138.0000000000830000.00000004.00000020.00020000.00000000.sdmp, wevtutil.exe, 0000000C.00000003.437717042.0000000000830000.00000004.00000020.00020000.00000000.sdmp, wevtutil.exe, 0000000C.00000003.437581519.000000000082C000.00000004.00000020.00020000.00000000.sdmp, wevtutil.exe, 0000000C.00000003.437875086.0000000000830000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Microsoft-Windows-Hyper-V-Guest-Drivers/Analytic
        Source: wevtutil.exe, 0000000C.00000003.438279625.000000000084A000.00000004.00000020.00020000.00000000.sdmp, wevtutil.exe, 0000000C.00000003.437032586.0000000000820000.00000004.00000020.00020000.00000000.sdmp, wevtutil.exe, 0000000C.00000003.437434095.0000000000837000.00000004.00000020.00020000.00000000.sdmp, wevtutil.exe, 0000000C.00000003.437661666.0000000000837000.00000004.00000020.00020000.00000000.sdmp, wevtutil.exe, 0000000C.00000003.438090892.0000000000833000.00000004.00000020.00020000.00000000.sdmp, wevtutil.exe, 0000000C.00000003.438016788.0000000000838000.00000004.00000020.00020000.00000000.sdmp, wevtutil.exe, 0000000C.00000003.438090892.0000000000838000.00000004.00000020.00020000.00000000.sdmp, wevtutil.exe, 0000000C.00000003.438185841.0000000000844000.00000004.00000020.00020000.00000000.sdmp, wevtutil.exe, 0000000C.00000003.436897140.000000000081B000.00000004.00000020.00020000.00000000.sdmp, wevtutil.exe, 0000000C.00000003.438326146.0000000000850000.00000004.00000020.00020000.00000000.sdmp, wevtutil.exe, 0000000C.00000003.438246681.0000000000849000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Microsoft-Windows-Hyper-V-Hypervisor-Operational
        Source: wevtutil.exe, 0000000C.00000003.437295870.0000000000825000.00000004.00000020.00020000.00000000.sdmp, wevtutil.exe, 0000000C.00000003.437032586.0000000000820000.00000004.00000020.00020000.00000000.sdmp, wevtutil.exe, 0000000C.00000003.436897140.000000000081B000.00000004.00000020.00020000.00000000.sdmp, wevtutil.exe, 0000000C.00000003.437193145.0000000000823000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Microsoft-Windows-Hyper-V-Hypervisor-AnalyticLMEM``
        Source: wevtutil.exe, 0000000C.00000003.437032586.0000000000820000.00000004.00000020.00020000.00000000.sdmp, wevtutil.exe, 0000000C.00000003.436897140.000000000081B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Microsoft-Windows-Hyper-V-Guest-Drivers/OperationalLMEMhX
        Source: wevtutil.exe, 0000000C.00000003.438090892.0000000000833000.00000004.00000020.00020000.00000000.sdmp, wevtutil.exe, 0000000C.00000003.437717042.0000000000830000.00000004.00000020.00020000.00000000.sdmp, wevtutil.exe, 0000000C.00000003.437581519.000000000082C000.00000004.00000020.00020000.00000000.sdmp, wevtutil.exe, 0000000C.00000003.437875086.0000000000830000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Microsoft-Windows-Hyper-V-Guest-Drivers/Operationalter-
        Source: wevtutil.exe, 0000000C.00000003.437032586.0000000000820000.00000004.00000020.00020000.00000000.sdmp, wevtutil.exe, 0000000C.00000003.437434095.0000000000837000.00000004.00000020.00020000.00000000.sdmp, wevtutil.exe, 0000000C.00000003.437661666.0000000000837000.00000004.00000020.00020000.00000000.sdmp, wevtutil.exe, 0000000C.00000003.438016788.0000000000838000.00000004.00000020.00020000.00000000.sdmp, wevtutil.exe, 0000000C.00000003.438090892.0000000000838000.00000004.00000020.00020000.00000000.sdmp, wevtutil.exe, 0000000C.00000003.438185841.0000000000844000.00000004.00000020.00020000.00000000.sdmp, wevtutil.exe, 0000000C.00000003.436897140.000000000081B000.00000004.00000020.00020000.00000000.sdmp, wevtutil.exe, 0000000C.00000003.438279625.0000000000845000.00000004.00000020.00020000.00000000.sdmp, wevtutil.exe, 0000000C.00000003.438366824.0000000000848000.00000004.00000020.00020000.00000000.sdmp, wevtutil.exe, 0000000C.00000003.437295870.000000000082A000.00000004.00000020.00020000.00000000.sdmp, wevtutil.exe, 0000000C.00000003.437581519.000000000082C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Microsoft-Windows-Hyper-V-Hypervisor-Admintem
        Source: wevtutil.exe, 0000000C.00000003.437032586.0000000000820000.00000004.00000020.00020000.00000000.sdmp, wevtutil.exe, 0000000C.00000003.437434095.0000000000837000.00000004.00000020.00020000.00000000.sdmp, wevtutil.exe, 0000000C.00000003.437661666.0000000000837000.00000004.00000020.00020000.00000000.sdmp, wevtutil.exe, 0000000C.00000003.438016788.0000000000838000.00000004.00000020.00020000.00000000.sdmp, wevtutil.exe, 0000000C.00000003.438090892.0000000000838000.00000004.00000020.00020000.00000000.sdmp, wevtutil.exe, 0000000C.00000003.438185841.0000000000844000.00000004.00000020.00020000.00000000.sdmp, wevtutil.exe, 0000000C.00000003.436897140.000000000081B000.00000004.00000020.00020000.00000000.sdmp, wevtutil.exe, 0000000C.00000003.438279625.0000000000845000.00000004.00000020.00020000.00000000.sdmp, wevtutil.exe, 0000000C.00000003.438366824.0000000000848000.00000004.00000020.00020000.00000000.sdmp, wevtutil.exe, 0000000C.00000003.437295870.000000000082A000.00000004.00000020.00020000.00000000.sdmp, wevtutil.exe, 0000000C.00000003.437581519.000000000082C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Microsoft-Windows-Hyper-V-Hypervisor-Analytic
        Source: mssecsvc.exe, 00000001.00000002.658225477.000000000111A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
        Source: wevtutil.exe, 0000000C.00000003.438391138.0000000000830000.00000004.00000020.00020000.00000000.sdmp, wevtutil.exe, 0000000C.00000003.438279625.000000000084A000.00000004.00000020.00020000.00000000.sdmp, wevtutil.exe, 0000000C.00000003.437032586.0000000000820000.00000004.00000020.00020000.00000000.sdmp, wevtutil.exe, 0000000C.00000003.437434095.0000000000837000.00000004.00000020.00020000.00000000.sdmp, wevtutil.exe, 0000000C.00000003.437661666.0000000000837000.00000004.00000020.00020000.00000000.sdmp, wevtutil.exe, 0000000C.00000003.438016788.0000000000838000.00000004.00000020.00020000.00000000.sdmp, wevtutil.exe, 0000000C.00000003.438090892.0000000000838000.00000004.00000020.00020000.00000000.sdmp, wevtutil.exe, 0000000C.00000003.438185841.0000000000844000.00000004.00000020.00020000.00000000.sdmp, wevtutil.exe, 0000000C.00000003.436897140.000000000081B000.00000004.00000020.00020000.00000000.sdmp, wevtutil.exe, 0000000C.00000002.439040571.000000000084A000.00000004.00000020.00020000.00000000.sdmp, wevtutil.exe, 0000000C.00000003.438246681.0000000000849000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Microsoft-Windows-Hyper-V-Guest-Drivers/Diagnose
        Source: wevtutil.exe, 0000000C.00000003.437032586.0000000000820000.00000004.00000020.00020000.00000000.sdmp, wevtutil.exe, 0000000C.00000003.436897140.000000000081B000.00000004.00000020.00020000.00000000.sdmp, wevtutil.exe, 0000000C.00000003.437129560.0000000000827000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Microsoft-Windows-Hyper-V-Guest-Drivers/AdminLMEM`H
        Source: wevtutil.exe, 0000000C.00000003.437032586.0000000000820000.00000004.00000020.00020000.00000000.sdmp, wevtutil.exe, 0000000C.00000003.437434095.0000000000837000.00000004.00000020.00020000.00000000.sdmp, wevtutil.exe, 0000000C.00000003.437661666.0000000000837000.00000004.00000020.00020000.00000000.sdmp, wevtutil.exe, 0000000C.00000003.438016788.0000000000838000.00000004.00000020.00020000.00000000.sdmp, wevtutil.exe, 0000000C.00000003.438090892.0000000000838000.00000004.00000020.00020000.00000000.sdmp, wevtutil.exe, 0000000C.00000003.438185841.0000000000844000.00000004.00000020.00020000.00000000.sdmp, wevtutil.exe, 0000000C.00000003.436897140.000000000081B000.00000004.00000020.00020000.00000000.sdmp, wevtutil.exe, 0000000C.00000003.438279625.0000000000845000.00000004.00000020.00020000.00000000.sdmp, wevtutil.exe, 0000000C.00000003.438366824.0000000000848000.00000004.00000020.00020000.00000000.sdmp, wevtutil.exe, 0000000C.00000003.437295870.000000000082A000.00000004.00000020.00020000.00000000.sdmp, wevtutil.exe, 0000000C.00000003.437581519.000000000082C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Microsoft-Windows-Hyper-V-Guest-Drivers/Admin
        Source: wevtutil.exe, 0000000C.00000003.437581519.000000000082C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Microsoft-Windows-Hyper-V-Guest-Drivers/AdmineC
        Source: wevtutil.exe, 0000000C.00000003.437032586.0000000000820000.00000004.00000020.00020000.00000000.sdmp, wevtutil.exe, 0000000C.00000003.436897140.000000000081B000.00000004.00000020.00020000.00000000.sdmp, wevtutil.exe, 0000000C.00000003.437129560.0000000000827000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Microsoft-Windows-Hyper-V-Hypervisor-AdminLMEMX\
        Source: wevtutil.exe, 0000000C.00000003.437032586.0000000000820000.00000004.00000020.00020000.00000000.sdmp, wevtutil.exe, 0000000C.00000003.436897140.000000000081B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Microsoft-Windows-Hyper-V-Hypervisor-OperationalLMEMhd
        Source: wevtutil.exe, 0000000C.00000003.437581519.000000000082C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Microsoft-Windows-Hyper-V-NETVSC/Diagnosticerat
        Source: wevtutil.exe, 0000000C.00000003.438279625.000000000084A000.00000004.00000020.00020000.00000000.sdmp, wevtutil.exe, 0000000C.00000003.437032586.0000000000820000.00000004.00000020.00020000.00000000.sdmp, wevtutil.exe, 0000000C.00000003.437434095.0000000000837000.00000004.00000020.00020000.00000000.sdmp, wevtutil.exe, 0000000C.00000003.437661666.0000000000837000.00000004.00000020.00020000.00000000.sdmp, wevtutil.exe, 0000000C.00000003.438016788.0000000000838000.00000004.00000020.00020000.00000000.sdmp, wevtutil.exe, 0000000C.00000003.438090892.0000000000838000.00000004.00000020.00020000.00000000.sdmp, wevtutil.exe, 0000000C.00000003.438185841.0000000000844000.00000004.00000020.00020000.00000000.sdmp, wevtutil.exe, 0000000C.00000003.436897140.000000000081B000.00000004.00000020.00020000.00000000.sdmp, wevtutil.exe, 0000000C.00000003.438326146.0000000000850000.00000004.00000020.00020000.00000000.sdmp, wevtutil.exe, 0000000C.00000003.438246681.0000000000849000.00000004.00000020.00020000.00000000.sdmp, wevtutil.exe, 0000000C.00000003.437295870.000000000082A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Microsoft-Windows-Hyper-V-Guest-Drivers/Operationalh
        Source: wevtutil.exe, 0000000C.00000003.437032586.0000000000820000.00000004.00000020.00020000.00000000.sdmp, wevtutil.exe, 0000000C.00000003.436897140.000000000081B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Microsoft-Windows-Hyper-V-Guest-Drivers/AnalyticLMEMhL
        Source: wevtutil.exe, 0000000C.00000003.437581519.000000000082C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Microsoft-Windows-Hyper-V-Hypervisor-Adminindow
        Source: wevtutil.exe, 0000000C.00000003.437295870.0000000000825000.00000004.00000020.00020000.00000000.sdmp, wevtutil.exe, 0000000C.00000003.437032586.0000000000820000.00000004.00000020.00020000.00000000.sdmp, wevtutil.exe, 0000000C.00000003.436897140.000000000081B000.00000004.00000020.00020000.00000000.sdmp, wevtutil.exe, 0000000C.00000003.437193145.0000000000823000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Microsoft-Windows-Hyper-V-Guest-Drivers/DebugLMEM`P
        Source: wevtutil.exe, 0000000C.00000003.437032586.0000000000820000.00000004.00000020.00020000.00000000.sdmp, wevtutil.exe, 0000000C.00000003.437434095.0000000000837000.00000004.00000020.00020000.00000000.sdmp, wevtutil.exe, 0000000C.00000003.437661666.0000000000837000.00000004.00000020.00020000.00000000.sdmp, wevtutil.exe, 0000000C.00000003.438016788.0000000000838000.00000004.00000020.00020000.00000000.sdmp, wevtutil.exe, 0000000C.00000003.438090892.0000000000838000.00000004.00000020.00020000.00000000.sdmp, wevtutil.exe, 0000000C.00000003.438185841.0000000000844000.00000004.00000020.00020000.00000000.sdmp, wevtutil.exe, 0000000C.00000003.436897140.000000000081B000.00000004.00000020.00020000.00000000.sdmp, wevtutil.exe, 0000000C.00000003.438279625.0000000000845000.00000004.00000020.00020000.00000000.sdmp, wevtutil.exe, 0000000C.00000003.438366824.0000000000848000.00000004.00000020.00020000.00000000.sdmp, wevtutil.exe, 0000000C.00000003.437295870.000000000082A000.00000004.00000020.00020000.00000000.sdmp, wevtutil.exe, 0000000C.00000003.437581519.000000000082C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Microsoft-Windows-Hyper-V-NETVSC/Diagnostic
        Source: wevtutil.exe, 0000000C.00000003.437581519.000000000082C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Microsoft-Windows-Hyper-V-Hypervisor-Analytich
        Source: C:\Users\user\Desktop\01730499.exe Code function: 0_2_0131B355 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
        Source: C:\Users\user\Desktop\01730499.exe Code function: 0_2_013121B9 LoadLibraryA,GetProcAddress,
        Source: C:\Users\user\Desktop\01730499.exe Code function: 0_2_01320CBC GetProcessHeap,
        Source: C:\Users\user\Desktop\01730499.exe Process token adjusted: Debug
        Source: C:\Users\user\AppData\Roaming\003cea9a.exe Process token adjusted: Debug
        Source: C:\Users\user\Desktop\01730499.exe Code function: 0_2_0131BFDE mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\01730499.exe Code function: 0_2_01313254 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Roaming\mssecsvc.exe Code function: 1_2_00D78C30 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\01730499.exe Code function: 0_2_013168C6 SetUnhandledExceptionFilter,
        Source: C:\Users\user\Desktop\01730499.exe Code function: 0_2_0131B355 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
        Source: C:\Users\user\Desktop\01730499.exe Code function: 0_2_01316258 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
        Source: C:\Users\user\Desktop\01730499.exe Code function: 0_2_01316775 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
        Source: C:\Users\user\AppData\Roaming\003cea9a.exe Code function: 2_2_00007FF6214C31C4 SetUnhandledExceptionFilter,_invalid_parameter_noinfo,
        Source: C:\Users\user\AppData\Roaming\003cea9a.exe Code function: 2_2_00007FF6214C397C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
        Source: C:\Users\user\AppData\Roaming\003cea9a.exe Code function: 2_2_00007FF6214C3394 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
        Source: C:\Users\user\AppData\Roaming\003cea9a.exe Code function: 2_2_00007FF6214C3B54 SetUnhandledExceptionFilter,
        Source: C:\Users\user\AppData\Roaming\003cea9a.exe Code function: 2_2_00007FF6214C6B60 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
        Source: C:\Users\user\AppData\Roaming\003cea9a.exe Code function: 2_2_00000001800164D4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
        Source: C:\Users\user\AppData\Roaming\003cea9a.exe Code function: 2_2_000000018000AD28 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
        Source: C:\Users\user\AppData\Roaming\003cea9a.exe Code function: 2_2_0000000180004BC4 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

        HIPS / PFW / Operating System Protection Evasion

        Source: C:\Users\user\Desktop\01730499.exe Memory written: C:\Windows\SysWOW64\notepad.exe base: 830000
        Source: C:\Users\user\Desktop\01730499.exe Memory written: C:\Windows\SysWOW64\notepad.exe base: 840000
        Source: C:\Users\user\Desktop\01730499.exe Memory allocated: C:\Windows\SysWOW64\notepad.exe base: 830000 protect: page read and write
        Source: C:\Users\user\Desktop\01730499.exe Memory allocated: C:\Windows\SysWOW64\notepad.exe base: 840000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\01730499.exe Code function: 0_2_01314333 __EH_prolog3_GS,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,_wcslen,_wcslen,GetFileAttributesW,CreateProcessW,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,GetLastError,
        Source: C:\Users\user\Desktop\01730499.exe Thread created: C:\Windows\SysWOW64\notepad.exe EIP: 840000
        Source: C:\Users\user\Desktop\01730499.exe Code function: 0_2_01314333 __EH_prolog3_GS,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,_wcslen,_wcslen,GetFileAttributesW,CreateProcessW,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,GetLastError,
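        The five findings above are one technique seen from three angles: VirtualAllocEx creates a RW region at 0x830000 and a RWX region at 0x840000 inside the freshly spawned notepad.exe, WriteProcessMemory fills both, and CreateRemoteThread starts execution at 0x840000. The detection logic below is an added example written for this page (not the sandbox vendor's code and not derived from the sample) that correlates those three event kinds per (source, target) pair and only raises the high-severity finding when the thread start address falls inside a region the same source both allocated executable and wrote to. The event records are constructed to mirror the lines above; the field names and the two hypothetical benign/DLL-injection cases are assumptions, and the "protect" event kind (a later VirtualProtectEx flip) goes beyond what this report shows so that a W^X-respecting injector is also caught.

```python
"""Correlate cross-process allocate / write / remote-thread events into one
'remote code injection' finding, the sequence the report shows above for
01730499.exe -> notepad.exe (RW at 0x830000, RWX at 0x840000, thread at 0x840000).
Added example for this page; not sandbox-vendor code and not the sample's.
The record fields (kind, src, dst, base, size, protect, eip) are assumptions."""
from collections import defaultdict

SRC = r"C:\Users\user\Desktop\01730499.exe"
DST = r"C:\Windows\SysWOW64\notepad.exe"

# Constructed telemetry, not captured from a real host.
EVENTS = [
    # the sequence reported above for 01730499.exe -> notepad.exe
    {"kind": "alloc", "src": SRC, "dst": DST, "base": 0x830000, "size": 0x1000,
     "protect": "page read and write"},
    {"kind": "alloc", "src": SRC, "dst": DST, "base": 0x840000, "size": 0x1000,
     "protect": "page execute and read and write"},
    {"kind": "write", "src": SRC, "dst": DST, "base": 0x830000, "size": 0x200},
    {"kind": "write", "src": SRC, "dst": DST, "base": 0x840000, "size": 0x600},
    {"kind": "thread", "src": SRC, "dst": DST, "eip": 0x840000},
    # hypothetical tool: allocates and writes, never starts a thread -> no finding
    {"kind": "alloc", "src": r"C:\tools\probe.exe", "dst": r"C:\apps\target.exe",
     "base": 0x500000, "size": 0x1000, "protect": "page read and write"},
    {"kind": "write", "src": r"C:\tools\probe.exe", "dst": r"C:\apps\target.exe",
     "base": 0x500000, "size": 0x40},
    # hypothetical DLL-injection style: thread starts outside any region src allocated
    {"kind": "alloc", "src": r"C:\tmp\inj.exe", "dst": r"C:\apps\host.exe",
     "base": 0x600000, "size": 0x1000, "protect": "page read and write"},
    {"kind": "write", "src": r"C:\tmp\inj.exe", "dst": r"C:\apps\host.exe",
     "base": 0x600000, "size": 0x80},
    {"kind": "thread", "src": r"C:\tmp\inj.exe", "dst": r"C:\apps\host.exe",
     "eip": 0x77E12345},
]

EXECUTABLE = {"page execute", "page execute and read",
              "page execute and read and write", "page execute write copy"}


def _region_for(regions, addr):
    """Return the region dict containing addr, or None."""
    for region in regions:
        if region["base"] <= addr < region["base"] + region["size"]:
            return region
    return None


def correlate_injection(events):
    """Return findings in event order.

    high   : remote thread starts inside a region the same source allocated
             executable in the target and wrote to (VirtualAllocEx ->
             WriteProcessMemory -> CreateRemoteThread, as reported above).
    medium : remote thread starts elsewhere, but the source had already
             written into the target (LoadLibrary-style DLL injection).
    """
    regions = defaultdict(list)   # (src, dst) -> regions src created in dst
    findings = []
    for ev in events:
        key = (ev["src"], ev["dst"])
        if ev["kind"] == "alloc":
            regions[key].append({"base": ev["base"], "size": ev["size"],
                                 "protect": ev["protect"], "written": False})
        elif ev["kind"] == "write":
            region = _region_for(regions[key], ev["base"])
            if region is not None:
                region["written"] = True
        elif ev["kind"] == "protect":
            # VirtualProtectEx-style RW -> RX flip after the write; not in the
            # report above, handled so a W^X-respecting injector is caught too.
            region = _region_for(regions[key], ev["base"])
            if region is not None:
                region["protect"] = ev["protect"]
        elif ev["kind"] == "thread":
            region = _region_for(regions[key], ev["eip"])
            if region is not None and region["written"] and region["protect"] in EXECUTABLE:
                severity = "high"
            elif any(r["written"] for r in regions[key]):
                severity = "medium"
            else:
                continue   # no prior cross-process write: not this pattern
            findings.append({"severity": severity, "src": ev["src"], "dst": ev["dst"],
                             "eip": ev["eip"],
                             "region_base": region["base"] if region else None,
                             "region_protect": region["protect"] if region else None})
    return findings


if __name__ == "__main__":
    for f in correlate_injection(EVENTS):
        base = f"0x{f['region_base']:X}" if f["region_base"] is not None else "none"
        print(f"{f['severity']:6} {f['src']} -> {f['dst']}  EIP=0x{f['eip']:X}  region={base}")
```

        Keying on the (source, target) pair is what keeps this from firing on a debugger or an EDR agent that merely reads another process: nothing is raised until the same source has both written into the target and started a thread there. The medium tier is deliberately weaker; on real telemetry it would be joined with the thread start address resolving to LoadLibraryA/W before it is worth an alert.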
        Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /T 10
        Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c bcdedit
        Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c wevtutil.exe el
        Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "AMSI/Operational"
        Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "AirSpaceChannel"
        Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "Analytic"
        Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "Application"
        Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "DebugChannel"
        Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "DirectShowFilterGraph"
        Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "DirectShowPluginControl"
        Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "Els_Hyphenation/Analytic"
        Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "EndpointMapper"
        Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "FirstUXPerf-Analytic"
        Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "ForwardedEvents"
        Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "General Logging"
        Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "HardwareEvents"
        Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "IHM_DebugChannel"
        Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "Intel-iaLPSS-GPIO/Analytic"
        Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "Intel-iaLPSS-I2C/Analytic"
        Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "Intel-iaLPSS2-GPIO2/Debug"
        Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "Intel-iaLPSS2-GPIO2/Performance"
        Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "Intel-iaLPSS2-I2C/Debug"
        Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "Intel-iaLPSS2-I2C/Performance"
        Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "Internet Explorer"
        Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "Key Management Service"
        Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "MF_MediaFoundationDeviceProxy"
        Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "MedaFoundationVideoProc"
        Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "MedaFoundationVideoProcD3D"
        Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "MediaFoundationAsyncWrapper"
        Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "MediaFoundationContentProtection"
        Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "MediaFoundationDS"
        Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "MediaFoundationDeviceProxy"
        Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "MediaFoundationMediaEngine"
        Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "MediaFoundationPerformance"
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "IHM_DebugChannel"
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "Intel-iaLPSS-I2C/Analytic"
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "Intel-iaLPSS2-GPIO2/Debug"
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "Intel-iaLPSS2-GPIO2/Performance"
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "Key Management Service"
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "MF_MediaFoundationDeviceProxy"
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "MedaFoundationVideoProc"
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "MedaFoundationVideoProcD3D"
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "MediaFoundationAsyncWrapper"
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "EndpointMapper"
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "FirstUXPerf-Analytic"
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "ForwardedEvents"
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "IHM_DebugChannel"
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "Intel-iaLPSS-I2C/Analytic"
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "Intel-iaLPSS2-GPIO2/Debug"
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "Intel-iaLPSS2-I2C/Performance"
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "MediaFoundationContentProtection"
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "MediaFoundationDS"
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "MediaFoundationMediaEngine"
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "AirSpaceChannel"
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "Analytic"
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "Application"
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "DirectShowFilterGraph"
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "DirectShowPluginControl"
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "FirstUXPerf-Analytic"
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "ForwardedEvents"
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "Intel-iaLPSS-I2C/Analytic"
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "MF_MediaFoundationDeviceProxy"
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "MedaFoundationVideoProc"
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "MediaFoundationContentProtection"
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "MediaFoundationDS"
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "FirstUXPerf-Analytic"
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "IHM_DebugChannel"
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "Intel-iaLPSS2-GPIO2/Performance"
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "Intel-iaLPSS2-I2C/Performance"
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "MF_MediaFoundationDeviceProxy"
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "MedaFoundationVideoProc"
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "MediaFoundationContentProtection"
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "MediaFoundationDS"
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "Intel-iaLPSS2-GPIO2/Debug"
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "Intel-iaLPSS2-GPIO2/Performance"
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "Intel-iaLPSS2-I2C/Performance"
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wevtutil.exe wevtutil.exe cl "FirstUXPerf-Analytic"
        Source: C:\Users\user\Desktop\01730499.exeCode function: 0_2_013169DB cpuid
        Source: C:\Users\user\Desktop\01730499.exeCode function: 0_2_01313D42 CreateNamedPipeW,CreateEventW,ConnectNamedPipe,GetLastError,CloseHandle,WaitForSingleObject,GetOverlappedResult,CancelIo,CloseHandle,ReadFile,CloseHandle,
        Source: C:\Users\user\Desktop\01730499.exeCode function: 0_2_01316661 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

        Stealing of Sensitive Information

        Source: Yara matchFile source: 2.2.003cea9a.exe.226a3a614c0.1.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 2.2.003cea9a.exe.226a3a614c0.1.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 2.2.003cea9a.exe.180000000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 00000002.00000002.403478675.00000226A3A5E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
        Source: C:\Users\user\AppData\Roaming\003cea9a.exeCode function: 2_2_0000000180002718 LoadLibraryW,GetProcAddress,GetProcAddress,
        Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
        Valid Accounts1
        Scripting
        Path Interception1
        Access Token Manipulation
        1
        Deobfuscate/Decode Files or Information
        1
        OS Credential Dumping
        1
        System Time Discovery
        Remote Services11
        Archive Collected Data
        Exfiltration Over Other Network Medium3
        Ingress Tool Transfer
        Eavesdrop on Insecure Network CommunicationRemotely Track Device Without Authorization1
        Inhibit System Recovery
        Default Accounts1
        Native API
        Boot or Logon Initialization Scripts512
        Process Injection
        1
        Scripting
        1
        Input Capture
        3
        File and Directory Discovery
        Remote Desktop Protocol1
        Input Capture
        Exfiltration Over Bluetooth11
        Encrypted Channel
        Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
        Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)3
        Obfuscated Files or Information
        Security Account Manager12
        System Information Discovery
        SMB/Windows Admin SharesData from Network Shared DriveAutomated Exfiltration3
        Non-Application Layer Protocol
        Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
        Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)1
        Software Packing
        NTDS121
        Security Software Discovery
        Distributed Component Object ModelInput CaptureScheduled Transfer14
        Application Layer Protocol
        SIM Card SwapCarrier Billing Fraud
        Cloud AccountsCronNetwork Logon ScriptNetwork Logon Script1
        File Deletion
        LSA Secrets1
        Virtualization/Sandbox Evasion
        SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
        Replication Through Removable MediaLaunchdRc.commonRc.common1
        Masquerading
        Cached Domain Credentials2
        Process Discovery
        VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
        External Remote ServicesScheduled TaskStartup ItemsStartup Items1
        Virtualization/Sandbox Evasion
        DCSync1
        Application Window Discovery
        Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
        Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/Job1
        Access Token Manipulation
        Proc Filesystem1
        System Network Configuration Discovery
        Shared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue
        Exploit Public-Facing ApplicationPowerShellAt (Linux)At (Linux)512
        Process Injection
        /etc/passwd and /etc/shadowSystem Network Connections DiscoverySoftware Deployment ToolsData StagedExfiltration Over Asymmetric Encrypted Non-C2 ProtocolWeb ProtocolsRogue Cellular Base StationData Destruction
        Behavior Graph ID: 884706, Sample: 01730499.exe, Startdate: 09/06/2023, Architecture: WINDOWS, Score: 100

        • Start: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; Yara detected XdataCrypt Ransomware; 2 other signatures
        • 01730499.exe (5) started
          • Dropped: C:\Users\user\AppData\Roaming\mssecsvc.exe (PE32); C:\Users\user\AppData\Roaming\003cea9a.exe (PE32+)
          • Signatures: Contains functionality to inject threads in other processes; Contains functionality to inject code into remote processes; Writes to foreign memory regions; 2 other signatures
          • mssecsvc.exe (502) started
            • DNS/IP: 192.168.2.100 unknown unknown; 192.168.2.101 unknown unknown; 98 other IPs or domains
            • Dropped: DA3B6E45325D5FFF28...94A44B81D08964F8CFA (COM); 703__Cellular_PerS...randingName.provxml (DOS); C:\ProgramData\...\601__Connections.provxml (COM); 61 other malicious files
            • Signatures: Multi AV Scanner detection for dropped file; May encrypt documents and pictures (Ransomware); Writes many files with high entropy
            • cmd.exe (1) started
              • Signatures: Uses bcdedit to modify the Windows boot settings
              • cmd.exe (1) started
                • wevtutil.exe (1) started
              • conhost.exe started
              • cmd.exe (1) started
              • 32 other processes started
          • 003cea9a.exe started
            • Signatures: Antivirus detection for dropped file; Detected unpacking (creates a PE file in dynamic memory); Contains functionality to dump credential hashes (LSA Dump); Machine Learning detection for dropped file
          • notepad.exe started
            • Signatures: Deletes itself after installation

        Source | Detection | Scanner | Label | Link
        01730499.exe | 92% | ReversingLabs | ByteCode-MSIL.Ransomware.Cryptor |
        01730499.exe | 89% | Virustotal | | Browse
        01730499.exe | 100% | Joe Sandbox ML | |

        Source | Detection | Scanner | Label | Link
        C:\Users\user\AppData\Roaming\003cea9a.exe | 100% | Avira | HEUR/AGEN.1318781 |
        C:\Users\user\AppData\Roaming\003cea9a.exe | 100% | Joe Sandbox ML | |
        C:\Users\user\AppData\Roaming\003cea9a.exe | 75% | ReversingLabs | Win64.Hacktool.Mimikatz |
        C:\Users\user\AppData\Roaming\003cea9a.exe | 78% | Virustotal | | Browse
        C:\Users\user\AppData\Roaming\mssecsvc.exe | 95% | ReversingLabs | Win32.Ransomware.FileCoder |
        No Antivirus matches
        No Antivirus matches
        No Antivirus matches
        No contacted domains info
        IP | Domain | Country | Flag | ASN | ASN Name | Malicious
        Joe Sandbox Version:37.1.0 Beryl
        Analysis ID:884706
        Start date and time:2023-06-09 08:50:10 +02:00
        Joe Sandbox Product:CloudBasic
        Overall analysis duration:0h 13m 27s
        Hypervisor based Inspection enabled:false
        Report type:light
        Cookbook file name:default.jbs
        Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
        Number of new started processes analysed:45
        Number of new started drivers analysed:0
        Number of existing processes analysed:0
        Number of existing drivers analysed:0
        Number of injected processes analysed:0
        Technologies:
        • HCA enabled
        • EGA enabled
        • HDC enabled
        • AMSI enabled
        Analysis Mode:default
        Analysis stop reason:Timeout
        Sample file name:01730499.exe
        Detection:MAL
        Classification:mal100.rans.troj.spyw.evad.winEXE@546/1027@0/100
        EGA Information:Failed
        HDC Information:
        • Successful, ratio: 82.3% (good quality ratio 74.9%)
        • Quality average: 72%
        • Quality standard deviation: 31.7%
        HCA Information:
        • Successful, ratio: 97%
        • Number of executed functions: 0
        • Number of non-executed functions: 0
        Cookbook Comments:
        • Found application associated with file extension: .exe
        • Exclude process from analysis (whitelisted): MpCmdRun.exe, SearchUI.exe, conhost.exe, backgroundTaskHost.exe
        • TCP Packets have been reduced to 100
        • Created / dropped Files have been reduced to 100
        • Excluded IPs from analysis (whitelisted): 93.184.221.240
        • Excluded domains from analysis (whitelisted): www.bing.com, ctldl.windowsupdate.com
        • Not all processes were analyzed, report is missing behavior information
        • Report creation exceeded maximum time and may have missing behavior information.
        • Report size exceeded maximum capacity and may have missing behavior information.
        • Report size getting too big, too many NtCreateFile calls found.
        • Report size getting too big, too many NtCreateUserProcess calls found.
        • Report size getting too big, too many NtOpenFile calls found.
        • Report size getting too big, too many NtQueryInformationProcess calls found.
        • Report size getting too big, too many NtRequestWaitReplyPort calls found.
        • Report size getting too big, too many NtResumeThread calls found.
        • Report size getting too big, too many NtWriteVirtualMemory calls found.
        Time | Type | Description
        08:51:18 | API Interceptor | 1x Sleep call for process: mssecsvc.exe modified
        No context
        No context
        No context
        No context
        No context
        Process:C:\Users\user\AppData\Roaming\mssecsvc.exe
        File Type:data
        Category:dropped
        Size (bytes):1676
        Entropy (8bit):7.743661300569766
        Encrypted:false
        SSDEEP:48:siIvFGGGGGGGGGGGGGGuFC2ULvDqd0ngeJDR46qm6O0/0tPs6jQlqbxIs:s/vFGGGGGGGGGGGGGGug2UfpDa6N6O0c
        MD5:3A62EB6371FB6C2C5B38B1B593BE6F3D
        SHA1:BE83FFB6818D455D44415422B9A5281C563BE750
        SHA-256:DAB429823F11C801604204F40DAE16A9C3A506C63168946B4B77BC61F919D206
        SHA-512:CA44EA55A313F024C7F4FAC38CCE0839A683477069727874EF3E8EDB5588152ECE4C2125978B8291391EBF9D6F6D6039DAD97BAF36673B1BA45E03C25F40A9C2
        Malicious:false
        Reputation:unknown
        Process:C:\Users\user\AppData\Roaming\mssecsvc.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):885
        Entropy (8bit):5.145451217460208
        Encrypted:false
        SSDEEP:24:wgI3Y3KjzSPIySFRQQTFRtfshbAtl1FKHs8:wgOvATQhf+ktljOl
        MD5:9516268D6B0CA9CC88F84AA841317992
        SHA1:4D7100203F3DFC1A7E8F0D25154090EC4618D423
        SHA-256:896EBA0FD45BBF05300B18060050775BA3033E0CFFE50EF79307118420A5DA6C
        SHA-512:D5579E2A726D446860C293125B5B18386EF8CBF509C94B9B8A2AE11E6247348349B6747B9080BF823A7C123378DABF14A6A5EF90D4BFD44C0ABB977A2C4F0A7D
        Malicious:false
        Reputation:unknown
        Preview:Your IMPORTANT FILES WERE ENCRYPTED on this computer: documents, databases, photos, videos, etc.....Encryption was prodused using unique public key for this computer...To decrypt files, you need to obtain private key and special tool.....To retrieve the private key and tool find your pc key file with '.key.~xdata~' extension...Depending on your operation system version and personal settings, you can find it in:..'C:/',..'C:/ProgramData',..'C:/Documents and Settings/All Users/Application Data',..'Your Desktop'..folders (eg. 'C:/PC-TTT54M#45CD.key.~xdata~'). ....Then send it to one of following email addresses:....begins@colocasia.org..bilbo@colocasia.org..frodo@colocasia.org..trevor@thwonderfulday.com..bob@thwonderfulday.com..bil@thwonderfulday.com....Your ID: 116938#E6D33838FD3B3884E7EB26AE0631910A....Do not worry if you did not find key file, anyway contact for support...
        Process:C:\Users\user\AppData\Roaming\mssecsvc.exe
        File Type:data
        Category:dropped
        Size (bytes):4990
        Entropy (8bit):7.958460432727225
        Encrypted:false
        SSDEEP:96:afXneyAd5ZPjY0aUEo+Bpdd8teMUuxnd8+lP9Ad8Lqo+scBe/CyV/BPvI96ceFKv:iXnCdPbY0aUr+BpdC3UuRC+FKCLqo+sm
        MD5:097C6E47BFCBA4994B653CD182BD3476
        SHA1:0BA0107D6323A07E76B337EB29B637150774CD74
        SHA-256:243FBC49DD8E5BD9873B47546D6778317600B63392D75E8AE688BA6389C03685
        SHA-512:3B04DE56ABB92FBA203285373F0688D2700D6514CB02952445FA5F9CCF32A4E82241F5A5BE8CAD12552E71C1F49EE00571C7D060A34D8C2CF1A8D06C43303F35
        Malicious:false
        Reputation:unknown
        Process:C:\Users\user\AppData\Roaming\mssecsvc.exe
        File Type:data
        Category:dropped
        Size (bytes):5446
        Entropy (8bit):7.950658134961496
        Encrypted:false
        SSDEEP:96:vrqdy6O/pUAvwOKO0s/1H/6tSTGM0tiocaUOzgJbmzTsbi4OPl048wi:vON4UAlKO31f6t0GM0t4aiFmXsbiRu4k
        MD5:DFE5BCCEB8EC145FB54DDB5F1B2EE09E
        SHA1:4679066349ECA6FA189AE33A0B22A2B26BFC2B70
        SHA-256:D93FEC2878334393EA1CF56A7F1DE9BDF92BA468A4C91691EA9F61D08815DAD2
        SHA-512:28E050FCFA8F347025E80E83BACB3F4EC3ADAE65801DE31DD6C33ED8D85599854934AE57515901256FA837D7A14F053CB41563E4C67DECFC895A7626B72A129C
        Malicious:false
        Reputation:unknown
        Process:C:\Users\user\AppData\Roaming\mssecsvc.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):885
        Entropy (8bit):5.145451217460208
        Encrypted:false
        SSDEEP:24:wgI3Y3KjzSPIySFRQQTFRtfshbAtl1FKHs8:wgOvATQhf+ktljOl
        MD5:9516268D6B0CA9CC88F84AA841317992
        SHA1:4D7100203F3DFC1A7E8F0D25154090EC4618D423
        SHA-256:896EBA0FD45BBF05300B18060050775BA3033E0CFFE50EF79307118420A5DA6C
        SHA-512:D5579E2A726D446860C293125B5B18386EF8CBF509C94B9B8A2AE11E6247348349B6747B9080BF823A7C123378DABF14A6A5EF90D4BFD44C0ABB977A2C4F0A7D
        Malicious:false
        Reputation:unknown
        Preview:Your IMPORTANT FILES WERE ENCRYPTED on this computer: documents, databases, photos, videos, etc.....Encryption was prodused using unique public key for this computer...To decrypt files, you need to obtain private key and special tool.....To retrieve the private key and tool find your pc key file with '.key.~xdata~' extension...Depending on your operation system version and personal settings, you can find it in:..'C:/',..'C:/ProgramData',..'C:/Documents and Settings/All Users/Application Data',..'Your Desktop'..folders (eg. 'C:/PC-TTT54M#45CD.key.~xdata~'). ....Then send it to one of following email addresses:....begins@colocasia.org..bilbo@colocasia.org..frodo@colocasia.org..trevor@thwonderfulday.com..bob@thwonderfulday.com..bil@thwonderfulday.com....Your ID: 116938#E6D33838FD3B3884E7EB26AE0631910A....Do not worry if you did not find key file, anyway contact for support...
        Process:C:\Users\user\AppData\Roaming\mssecsvc.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):885
        Entropy (8bit):5.145451217460208
        Encrypted:false
        SSDEEP:24:wgI3Y3KjzSPIySFRQQTFRtfshbAtl1FKHs8:wgOvATQhf+ktljOl
        MD5:9516268D6B0CA9CC88F84AA841317992
        SHA1:4D7100203F3DFC1A7E8F0D25154090EC4618D423
        SHA-256:896EBA0FD45BBF05300B18060050775BA3033E0CFFE50EF79307118420A5DA6C
        SHA-512:D5579E2A726D446860C293125B5B18386EF8CBF509C94B9B8A2AE11E6247348349B6747B9080BF823A7C123378DABF14A6A5EF90D4BFD44C0ABB977A2C4F0A7D
        Malicious:false
        Reputation:unknown
        Preview:Your IMPORTANT FILES WERE ENCRYPTED on this computer: documents, databases, photos, videos, etc.....Encryption was prodused using unique public key for this computer...To decrypt files, you need to obtain private key and special tool.....To retrieve the private key and tool find your pc key file with '.key.~xdata~' extension...Depending on your operation system version and personal settings, you can find it in:..'C:/',..'C:/ProgramData',..'C:/Documents and Settings/All Users/Application Data',..'Your Desktop'..folders (eg. 'C:/PC-TTT54M#45CD.key.~xdata~'). ....Then send it to one of following email addresses:....begins@colocasia.org..bilbo@colocasia.org..frodo@colocasia.org..trevor@thwonderfulday.com..bob@thwonderfulday.com..bil@thwonderfulday.com....Your ID: 116938#E6D33838FD3B3884E7EB26AE0631910A....Do not worry if you did not find key file, anyway contact for support...
        Process:C:\Users\user\AppData\Roaming\mssecsvc.exe
        File Type:data
        Category:dropped
        Size (bytes):6263
        Entropy (8bit):7.969439621162075
        Encrypted:false
        SSDEEP:96:D9s6y6yff6EzR0a7FIoP+hff34/uwjDMzvrQ4O8f9iRldYVnYIK0ZVMmRR/7:yj6yfiYRhRISKf6UrNf9Omt/7
        MD5:C5725794A9C958B0F792B5BF65231D61
        SHA1:6FDFA7A3FAC61100B70BCC9A86ECE332CC2459A4
        SHA-256:01CEA5D9DECF991E72BD81EF1BC94345A488CB020DF6E953F1B568BCD9B2B7AF
        SHA-512:30BC36EB40A4CD32299341CA4E95F2EBDAFE49A3CFEA1DE037D0F02FA582ADF3F59521E8C7BD7ED5794B87273260C49B09579F51BA38968E4E54367AB754AD8D
        Malicious:false
        Reputation:unknown
        Preview:4.Kv..G...<...../..H.......$j;w.mF.....E..X.E..7.\"+...c^]O..yrwP...{.wH...j{eE...l...t...].......X...3.P..D1...=...)..N....Z................1....N...f.k.n.q6G.....5..<Z..Y.]z+....z...y. ....T./.0_.o[Ue.........&+..ph...U...Cw}.W...J.Q/....=?oH......}.Ft.9I..T.o..l.hIQq.".OJ......Bv@L.h/../>...es-.)..sC[s...KdC.D...t. .K[..s...I...-.?L.5..f...0.(..))..'SH.n..Z v.H...a.O......#......`..v....H.j.,....U[...vx....I~.....M.]...H../k...#.7....HO..N'1.X%...i..?...AT."..|.[w...].. ...}..q...c..d..{..}..|....=...........Tb1.r,J..$.r....'~..p.y-bQWl..i..?..$..3G...W....v....8I..~9n.(.....W.V..Z..b.E{..h..=..`.H.Q..(...FBX#I..0.."V......f.AL.mGO'.~.:r.g+n..a..7#'.._.O.K.w.8;.....T4Wd...H..;...nh^y.6.yN..xt.,s3.#x...H...r..).#.S....k..L.....K(.;.<...}.;...p.......yA.y..q./h..^.i.......h....~$?..x.%G....5P.w...........t..M..v.W.tzRs;.c...9l7.J..Td.....p....`..=(W..S..P6.nb.).#.u>.3D.Q9..^|.~j.[.[b.q....>{.....Z*....qD......(d..Y]...x....7...H..G...
        Process:C:\Users\user\AppData\Roaming\mssecsvc.exe
        File Type:data
        Category:dropped
        Size (bytes):812
        Entropy (8bit):7.727832665373874
        Encrypted:false
        SSDEEP:12:ft5p+/9wl/LtreST8xA/d0Vcd6Bdcz1IA6osVKYLUYJHtb0jo+IU4K+yuxcmKZ+f:f/pA9wljb842+L6ou/t4mXxc9Z+Xh7P5
        MD5:961794EE5DAED70D39F8361F97C8259E
        SHA1:C1316ED7E4745FC67E7F23CA8F263989534F4147
        SHA-256:6C4B97946F663CA843D4683093740B73CAFD245544DDB92711F156DC4DC37CD0
        SHA-512:C27441EC9AA76D2E65B9079F0E6ECC6AFEAFC9BC1D924036245641DAA22E2A833AD36D2A8ECC409ABB5BB51430EEBF19ACCA19946F781E637EE58D74E87E3A8C
        Malicious:false
        Reputation:unknown
        Preview:.UB.EQ.0Z.7..$..]..-...Q..5rqQG....y...#.Vx...18...@.E....D.@d......h..o .g.z3..6.u..W@....~..w..Q....X....^4$...F.r.H...~..}...k.....g.?Eh....Y.i.4..."OX.$.<....F.m.R..&...R.....He..D.....cFP..d.}.Q~....1...o.Y...........4..L..8~Q[U)H...6..>C.I.>..`..4..uT.D..Z..Zi.]y.[.......T.'.?.p{R..0.m.W]...$'.$...L...7zM!..?I.Tu..... ....... uP..-..s.9.8..;....R.q..e....._..x..j........^o;..26 ^..+.x.....!9.#;./......zX..T..C.].......1...f...*.Z.g...G.C.U..d...7..<.........'.1C.B....O.F..=..>.....Ju..r2.>H.B>..V...#D....x..hLtl>...*.....@Ip...i..X.:..K...!.....4.iv.Eu..V...o..Y...]i....2..;N..8$....qk4.8P.iw.T.k.=.l..\.K...j....M4.....B..<.\.K.s.-..(51....Vd.F?<.y*R..8.. .B.1.[Sm...A5.).....q.g../#........2D..0-P~>%..K*.U.'....L.c.R.]../*.[c..S...z..KA)....."3...-..GZ4..8p...w
        Process:C:\Users\user\AppData\Roaming\mssecsvc.exe
        File Type:OpenPGP Secret Key
        Category:dropped
        Size (bytes):310
        Entropy (8bit):7.261209768246496
        Encrypted:false
        SSDEEP:6:93/bBji6ajjPxJgMfNqw5QhicaD+OzUnc5ihZYNmxE7b/9GJsg/2XpoE:5Be3jjP3gwQUldKO4nIAZgvb/YJiB
        MD5:5C3289AC0A277B050AD9ADFB1F06222A
        SHA1:5CA71B9EA41B9316A3C5D5BE2009643DA1C3F3F0
        SHA-256:4DFDE71F078B7FBA81D8D35748334DCC49AEEA9FD8062E6E0862BD57A19E03DE
        SHA-512:32D332A4AC6DBEEDF657CD16568F89CA8C3EAD6E92719B4E9413787D63C122986192DB15020376F38BD79DDA599415F442D5EE489994ACBB435BCD61955E676D
        Malicious:false
        Reputation:unknown
        Preview:....V..D...z....U..E7.....d........@.....yV.;.*........!b.aA?.1...T.Z.^.l.?..A..r.s........2..).E...K......&]c............!U.m.p.G.a...Y)....4.;...x...m...Zg....Q..v....A.JUkH.....Jk.BC......f......Zl..".o....5.4....C=(.#c...!....:..d...?..,..G1.9..>.f.gOu{Zh#aW..I.@.g......A.h.o.r.^4.U.Se{.8...
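Added worked example (not part of the sandbox report, and not the malware's code). The dropped files in this section fall into two classes: high-entropy "data" files with no readable preview, which are the encrypted victim files, and repeated 885-byte ASCII ransom notes that share one hash. The script below triages a set of such files offline: it computes the same 8-bit entropy figure the report uses, collapses identical copies by SHA-256, pulls the contact addresses, victim ID and key-file extension out of the note, and walks RFC 4880 packet headers to test whether a file that libmagic labelled "OpenPGP Secret Key" really is a packet chain rather than ciphertext that happens to begin with a plausible tag byte. The file paths and the 4 KiB pseudo-random blob are constructed stand-ins; only the note text comes from the report.

```python
"""Offline triage of dropped files like those listed in this report (added example;
not the sandbox's or the malware's code): entropy on the report's bits-per-byte
scale, IOC extraction from the ransom note with duplicate copies collapsed by
SHA-256, and an RFC 4880 packet-framing check for files libmagic calls OpenPGP keys."""
import hashlib
import math
import re
from collections import Counter

# Ransom note text from the report preview; the '..' markers are restored to CRLF,
# so the byte count may differ from the report's 885.
RANSOM_NOTE = (
    "Your IMPORTANT FILES WERE ENCRYPTED on this computer: documents, databases, photos, "
    "videos, etc.\r\n\r\nEncryption was prodused using unique public key for this computer."
    "\r\nTo decrypt files, you need to obtain private key and special tool.\r\n\r\n"
    "To retrieve the private key and tool find your pc key file with '.key.~xdata~' "
    "extension.\r\nDepending on your operation system version and personal settings, you "
    "can find it in:\r\n'C:/',\r\n'C:/ProgramData',\r\n'C:/Documents and Settings/All Users/"
    "Application Data',\r\n'Your Desktop'\r\nfolders (eg. 'C:/PC-TTT54M#45CD.key.~xdata~'). "
    "\r\n\r\nThen send it to one of following email addresses:\r\n\r\nbegins@colocasia.org\r\n"
    "bilbo@colocasia.org\r\nfrodo@colocasia.org\r\ntrevor@thwonderfulday.com\r\n"
    "bob@thwonderfulday.com\r\nbil@thwonderfulday.com\r\n\r\nYour ID: "
    "116938#E6D33838FD3B3884E7EB26AE0631910A\r\n\r\nDo not worry if you did not find key "
    "file, anyway contact for support.\r\n"
).encode("ascii")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
VICTIM_ID_RE = re.compile(r"Your ID:\s*([0-9]+#[0-9A-F]+)")
KEYFILE_EXT_RE = re.compile(r"'(\.key\.~xdata~)' extension")


def constructed_ciphertext(size, seed=b"xdata-demo"):
    """Deterministic stand-in for an encrypted victim file: chained SHA-256 output is
    uniform, giving the ~7.95 bits/byte the report shows for its ~4 KiB 'data' entries."""
    out, block = bytearray(), seed
    while len(out) < size:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:size])


def shannon_entropy(data):
    """8-bit Shannon entropy in bits per byte (0.0 .. 8.0), as in the report."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def extract_indicators(note):
    text = note.decode("latin-1")
    vid, ext = VICTIM_ID_RE.search(text), KEYFILE_EXT_RE.search(text)
    return {"emails": set(EMAIL_RE.findall(text)),
            "victim_id": vid.group(1) if vid else None,
            "key_file_extension": ext.group(1) if ext else None}


def openpgp_packet_tags(data):
    """Walk OpenPGP packet headers (RFC 4880 section 4.2) from offset 0; return the tag
    list if the headers chain exactly to end of file, else None. libmagic's 'OpenPGP
    Secret Key' label rests on the leading bytes alone, which ciphertext can match by
    chance; a self-consistent packet chain confirms or rejects the label."""
    tags, pos, n = [], 0, len(data)
    while pos < n:
        ctb = data[pos]
        if not ctb & 0x80 or pos + 1 >= n:                # no tag bit, or truncated header
            return None
        if ctb & 0x40:                                    # new-format header
            tag, first = ctb & 0x3F, data[pos + 1]
            if first < 192:
                body, hdr = first, 2
            elif first < 224 and pos + 2 < n:
                body, hdr = ((first - 192) << 8) + data[pos + 2] + 192, 3
            elif first == 255 and pos + 5 < n:
                body, hdr = int.from_bytes(data[pos + 2:pos + 6], "big"), 6
            else:                                         # partial length or truncated
                return None
        else:                                             # old-format header
            tag, width = (ctb >> 2) & 0x0F, 1 << (ctb & 0x03)
            if ctb & 0x03 == 3 or pos + 1 + width > n:    # indeterminate or truncated
                return None
            body, hdr = int.from_bytes(data[pos + 1:pos + 1 + width], "big"), 1 + width
        pos += hdr + body
        tags.append(tag)
    return tags if pos == n else None


def triage(files):
    """files: {path: bytes}. Groups identical content by SHA-256, the way the report
    repeats one note under several paths, and annotates each group."""
    by_hash = {}
    for path, data in files.items():
        kind = ("ransom-note" if VICTIM_ID_RE.search(data.decode("latin-1"))
                else "likely-ciphertext" if shannon_entropy(data) > 7.8 else "other")
        rec = by_hash.setdefault(hashlib.sha256(data).hexdigest(), {
            "paths": [], "size": len(data), "kind": kind,
            "entropy": round(shannon_entropy(data), 3),
            "openpgp_tags": openpgp_packet_tags(data)})
        rec["paths"].append(path)
    return by_hash


# Hypothetical paths; only the note text comes from the report.
SAMPLE_FILES = {r"C:\Users\user\Desktop\ransom_note.txt": RANSOM_NOTE,
                r"C:\ProgramData\ransom_note.txt": RANSOM_NOTE,
                r"C:\Users\user\Documents\ransom_note.txt": RANSOM_NOTE,
                r"C:\Users\user\Documents\victim_file.bin": constructed_ciphertext(4096)}

if __name__ == "__main__":
    for digest, rec in triage(SAMPLE_FILES).items():
        print(digest[:16], rec["kind"], rec["size"], rec["entropy"], rec["openpgp_tags"], rec["paths"])
    print(extract_indicators(RANSOM_NOTE))
```

Run it with python3 to get one line per unique hash. In a real case, point triage() at the files recovered from the sandbox instead of SAMPLE_FILES. The 7.8 bits/byte threshold is a heuristic: compressed archives and JPEGs cross it too, so treat it as a reason to look, not as proof of encryption, and treat a None from openpgp_packet_tags() on a file libmagic called an OpenPGP key as a reason to distrust that label rather than to conclude the malware writes PGP key material.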
        Process:C:\Users\user\AppData\Roaming\mssecsvc.exe
        File Type:data
        Category:dropped
        Size (bytes):3646
        Entropy (8bit):7.9418251154247725
        Encrypted:false
        SSDEEP:96:OlN10f0P4yrWCe6NeEdPpqlbb3ntuBc9xTz7ubRY:yA0RRNeE9pqlt7/nu+
        MD5:E79590AEC0AFC7FA3D37BD5508954EFE
        SHA1:55C915480B03CE7B1B11E20C5DD5E0F319B205B1
        SHA-256:5E02D0527C742FDB096D8492EA20245DE461C27CB260F7CD6337FA7F3A3D8402
        SHA-512:6076EB4E463337BE17F2DF12067EBFED6F84FCB46A9999E8A25C9B34EF6F3AFFBC80A93E75958E331D7CA2F6CE7C54D21267978CED2CA4719B4A3A9FE0AC0912
        Malicious:false
        Reputation:unknown
        Preview:.O../i...T..]..q.a...?pi...e|.{.n(..*1....r...B..Ny..C.-..Vy..?..jFT..?D..hq.........Z3.W...j..zh2......x.^.B{...E?d.J..?I9_..m.&%..<p]..l.41...6.`.;..v.5(.wD8..R."....b...[K...4'm.s.i..*.1i...._....}.s.r...k.w...<.s.....!z...L.#...^6.o7a...g%N3........"+.w.Z..`...IR...<..,..i.f.M.X(G.4I.9....n.a._.T]R..4..@T..]...z...C.ZUl...:.......s.9y....TMR..e.....S..=..[!..9.W.N=....Hm.A@B.E...ju[.^K.R3.yF.R.$8....W.._..~....2$.j....TqM]..P.CD~Kp<..R......wR...?..!.~..s......m{.|q.Kt...LL.....%.<8....e..wn0..0.g.Wt..?G..G.$6jk......]._.ck).p..y2.c.'Y.s.8.jK......F..&.{.x! 0o.u.!s.4..~.......r...0...\..{].].....5.O...@...q..\kj.....5O*.1.~f..j....99..I....;...,,....Zh...02..z..9i...&..8h'.A..Z...|.c..K....m|......-.gl........M^5.......t...............a@.}kR..S.....O.XgZ.O...`W.......-./.@...X..,....&X......9.....{..._.....i...|..?..+.=q...|.z.....7x.'p...a3'...n...p.jB>.).|.$.~.8..|...9...........do.i>..w*.oh..I.Q....C&...-.6%...E.e...W*....u...~
        Process:C:\Users\user\AppData\Roaming\mssecsvc.exe
        File Type:data
        Category:dropped
        Size (bytes):4303
        Entropy (8bit):7.959698541652449
        Encrypted:false
        SSDEEP:96:Sl4H9H/yJfuWLPIS/amy9u91Y3g7GzPXDdiUj1CUhB:SsKJNweamkuJgz1jEk
        MD5:6903F6096DAF34A0B63D416F37918B4B
        SHA1:47A58C50969E6714B114E908A54D0B93E373887F
        SHA-256:837C4896F72DA7C475AF887B5DF420B5BAE36A3DFE81447A404416A9F8F704FC
        SHA-512:C17A5532CCF013F25A4E8BCB123946B40697A4C03B1181222B55923523D9121A40E2C49790483F563CEEF8606E9726B01C6066D6B4FBE430BDB41879DA817442
        Malicious:false
        Reputation:unknown
        Preview:a..}N.;f. .4..l.q..2..t..HS]j.q..+.....^t.(..kl.p..p...bY......3}4.7d%`.6.......;.".n...b6.-k..F..C..jdL....B..Y.pJ...[.-...S..........~...0....!SdS.]....3..`3.L"W*)...K...4a.......y...L...4R.k........m...bh#Irr.DD....8#yK.5.|.9.Q.H.".q&...3C.2...6.X....0.{.m.._...rF.].<..W.`.#..M...G.b.....k..a...2......w.;._I@.lg../....!..m..we......3<u#.E...A.*.-2.pF..-.....N..W.[j..t*.0..NO@4^s.*:..?......z..p$....._.Uy..S.#...s^...u2.?...`..m.....[@Go......9e.`.....A..1uC.j.+.H.....q>:.S.....e.....*..A..C......%S..g........e&.Eu....c.....n*?.q...n......,.,...4~.....dh.q.A.4.R..~N......6[...>..}...].er.lj..6..eZ7.K....7........~........0...)Nc.XSa.WQ8..u...Yi..`...}...G...>._..q/i.{}j.B...V..T.Om....'. 1.bY.o v..h_T....l....."_.\.9.H....<..e.O.?C.Y.C.@..k)...).N...=......A....U7..P...-...=.y.j.=..S5..-.:..E..G.@./...P.. ........&.....T|..i. E.......E...D....>.0..S.h8:.....p.A=.x`d...P."...@......@k.5...........4i^..k[b..Q..A( H..b#3O...
        Process:C:\Users\user\AppData\Roaming\mssecsvc.exe
        File Type:data
        Category:dropped
        Size (bytes):777
        Entropy (8bit):7.704906760800748
        Encrypted:false
        SSDEEP:12:RNlQerrz+iojuJDQiGFjZdC9d/iGdn/fvyFJiyXRzFk6U4hViF5nslKI+ipzn:VFzVoKJMiG8co/mxFkhusEoip
        MD5:3DAC2C9105A0E140C1C97CDD4534DA02
        SHA1:D6C3F50EC613E687510E4BF3F89C27F05B62163D
        SHA-256:E29221BA548C45D6889A9B46750A0FEBA08B978805E4A79A7DBD41EE9B3D09E4
        SHA-512:8A63358ABC6D4FE53725085E41BFC330DE956E83FC3400B109303486CAD4CBA3A5B6D80A943435BBE929A022C6F37498EE17E8D14A077C0D05C5B3388C076995
        Malicious:false
        Reputation:unknown
        Preview:Tw...;...2...y.;.X;...S.Q.v..=%...*...h....m....h.T..a..b...z.......-.[F.k..J}C9......7.`.t...b........F.....k#w.M$[....~+....a.wDq.t*a.......Dzk.=..@..|vhJ9..~7..IQ....1..O.c.6jLl.RGf...csY..bK....B./...&...\.FQ..n.[i.,......^...D)R..........o>.^..2F.q.7>v.a..|...JO........I..UU.x.k.._........OG..[...z.(.M7n9.|2.%z`y..&....&j.e.c.%..G.......*.{...8]..id-x..G...?M.7,..,v...*.C...8\f.Q.7..4b\X........Z.LT.).w..P.X.y.J19......x(......&...=..GV.?......X.l.O].M..;.V...D...XN.....+A.>).Oc...6k.i..^y...*.....X.$..2.{`.O#G.;J..'.0/......r.......:X....`.......,y..M...&f.I.0......-0+..Q..k8h.y"..a.L....Gw..s3....#.gi..8.E...........*.?.^)..m.{..A_....qy..?......\....T.F.O.@7...p.BFW......c..J@5..+Twe..^\....h.s$....Z!..,..Z".rp.A.^..=c.`g(".=y>....
        Process:C:\Users\user\AppData\Roaming\mssecsvc.exe
        File Type:data
        Category:dropped
        Size (bytes):757
        Entropy (8bit):7.756541309629117
        Encrypted:false
        SSDEEP:12:i4k7vdu3KIB+BVsRbtlJUBqTbv2ri9/UqoU592VdGw8a8ANgASkU5h1MW+qV:kvfrBKRbtvU4vzZ2Vz82U5MWl
        MD5:FD6AB15BF377DB4B335C4E7E215D85AF
        SHA1:90BD2BD486718D886AF1FFDB66668F8C05489B48
        SHA-256:51A4747F7A0E8B890780BCE705D1C83E84A51167C08D107EEED6A2404C1D7EA9
        SHA-512:78E8FC288522936C15FD33F924DC43614817D8A9E4F0A7943EEC0B446B338D4C7620AF24E1EFDE43CEEB07E25DD4FB6F285A60829783D7FE81CE15F731A14D42
        Malicious:false
        Reputation:unknown
        Preview:...B......K.a.g ..U......O..J...x..\X.f..U..g..E..7..I.[.WL^.....N...n.../..xC%.wd.l..;[...2Rp5..-qQ.#..I{>.ei.C...f...;..............W..H..N!CYz...u7:.s....,....J.....p.7..=......s!jn.2..4Ja..R....0C.,...f..,o:....b8).].d..jk.3....$....C.....$.........M..7....$*.mF.eM..Q.n.I.H../..t.3.........L...10..[6...J..d{5..,.S..U....TW..N....o.....$_.}@....2,.....u.....6...*.S..{3...s.W..r.......T.e*g...-....\.F....k8h...U.....C.Bn...9..;...+...b%...0.ko..y>..</html>...*.........F.K5...L_X.E..\.m..V..4&..... ..`..N.5.u=.q.0...A..M1.G....=>-...{<X..A...R.UN|...V......%S&...)..G...2&.iLoA.F.........T.d..)k....I.$Lf.CU.5..w.....P}..3....uf...........+..4.....m6r...}..k;V.u.. 4>.WN...]A...7r...^."...VN...}..z#~.@
        Process:C:\Users\user\AppData\Roaming\mssecsvc.exe
        File Type:data
        Category:dropped
        Size (bytes):3214
        Entropy (8bit):7.896613505644035
        Encrypted:false
        SSDEEP:96:zrgVx/SmDG9+s+n4bRhVOjagHoALLLLLoF3b:zcVYmN74b5OJoRt
        MD5:0CFF6E8FA70E7EC298E9B03782D0E3EF
        SHA1:BCC1849537EE34920D1A48C8D350A7D405F06764
        SHA-256:14985723D010A4A46C4838A060F06C8CC5E90607EA8434C090F03B04655DDA08
        SHA-512:A6338BB5D0EC272022CDCAEB3E48130345B8342AB63809BF8678E33DA751D8A931A2F123ABB4098B20AADC28B2B1E3ED10CE44CF8AE200350AB161CC252ACD92
        Malicious:false
        Reputation:unknown
        Preview:.....g'i.....m........E.}.....M...q8..T.7t9o....2.h.!s.>.D.....x..U...u..xR......".d.......Jk.....W.R.......<.....J..".W.....]a......}..e...&..t....'.f0. .P....t.#...vX.|].s.(..co.\...=@...4u....5^..#.w.)...f.....O...p..db.S^..6_m..>}K..>.}...(J..'...4........:..('..^E.*......8.c.e.N...Y..x.wz3.d.9.....{i.O...IQ......:F.C...0..........2..fH.N.N..>,uc.'6[..........2..fH.N..pq..c......H..1. Y.n.:.4....Z..Q[...H............K.+.1..3..`....L...].d?...>.IQ.s.BLg</..R.S8.;.V.J..%fx.+...@. .fE..5*.......=...=#.*>X...D....|.1..r.R..."q.=..5.S-...^...&...Ic.r...F0].=.."k8c .4N....i..{w.|...x:.q..C.!/DB.qd...8.O.b ......9_.{7............=...*`Y^.+.E.DJ.:..B..'<.Q'.:.?......3q.q.I.W.Sc..CoM_.)M.zx=..W.6.... m.DJ.:..B..'<.Q'.:T..h.{.U...y8._...{.@1S.)!.K..\....Rly..y.(..pV....!Zy..M.....uHC....)a8..e.v..z.J...x+..."......9S<.:R..x..3.......X.`@..v......l/.(a.i>*........"..t.4.I...u..zq...49=...._..z.0.2*7 j.u..:1...5..HdI.=..w.;.FXE8..~%J9.
        Process:C:\Users\user\AppData\Roaming\mssecsvc.exe
        File Type:OpenPGP Secret Key
        Category:dropped
        Size (bytes):4874
        Entropy (8bit):7.962224178645269
        Encrypted:false
        SSDEEP:96:1fqY/CRvuFpx/kunITYkZBXjnn3XqB+ShdfSq7Dd+PRofAafY8aB8n22a:1fqY6Rvu5/3YB7nKB/aq7DYWfn082F
        MD5:3E492679BCE3DDB4155F46BAC864C2EF
        SHA1:10A115B40E44636A4BEE957638C5A5C9D8CC439A
        SHA-256:054D87E061237C85A7B29F2F6D5CBF39012A7EF5E2AF20D7B23A6B0EDE69C7EE
        SHA-512:3F4ACC67E67F8971A98C9AB8DF7BAE5D3A257940895595BD7C0EEFCCBB9F33B8FC6129854E006830672885263A314283CCA0D1E199EEAFBE3FE4ECEBFE29BB99
        Malicious:false
        Reputation:unknown
        Preview:.y.....M.....T.q.l ....1....d.....E...>.V....nS.Y..?.UoF3....,H..3..Ai.$..&VtZ!I.y....Q..'...4i...Fuj......L...B...XW.._..#..7.q.V.z/WG......><...t.q..:.Q.%.<...r{{zr..nV-..i.qc!J..a..>..iR..f.<<...M5b.....%.....Z...{.[.RM).!.1....P...{.J..D.n,K...j(........rS.....8'S|...c....Q!Ua.."..5.....;.'....@......4T..F...c..o....<..l.3...D\c(.G.......jp.j...e....p.......O.,.*.>.C$f_U...[.\.'_/.._[R.h..x...pN..k%YfX.i9...m..;z..O.{x.. Q..4.'..\V...m....l.V.W..v.....p..p...Hh.s....u.R...w.BoP.....r.i...v..|.$f.+...#.B......n.._K.....zfS...k.m....a.za. O>..J.6...}.x..x......cht...p=w..wWo...7.<. e.0....{jvO.1.H*....ygZO.....Q.cO..e.0.xI...oT..Z.e.7/P...s.NB..z..&...?.~.:.5q...<.a.V.pu...'w.b+..2..ZKtb...zZ...'..yM,.[$ie...M.<..3. .)F(\=A.8t>T'...R.".O^1..p.&/.Dt.!.|.....+.d..M*#V.E4.T,M/D:.....=.......eqU.s.$..vNGN&.....~...DB`...../f..OV.n.<.:.RZ.A.7.....6:M...9.m.}.K...${...K...g...v......V....>..&.....=...[.?..p.D)I..~qG.../..........P.+..\.i.dx...y.o.!
        Process:C:\Users\user\AppData\Roaming\mssecsvc.exe
        File Type:data
        Category:dropped
        Size (bytes):733
        Entropy (8bit):7.739340362978654
        Encrypted:false
        SSDEEP:12:vAl0tXjJESZ1320+ZVML9IzCDP3+kV8FJwXxzCC5X9NyuJ65NPfo3ih2IV6u:4WXj5x2uHr3S4zWGANnc46u
        MD5:932AE769747708EE161CC85D2DCA63AA
        SHA1:23785ADF1EAC2ECB4E9AD03ACCC8BF6BA038F2E4
        SHA-256:E24DB0C1001B88272E2E70BBED0B0D0FE0D697640867B792E4909E19D309F7FF
        SHA-512:A897F858F7200B39D1490D27BA88C5DE03F8FC85AA42860ADA70DE25AFCB7B900BF3553BAF987AC05A60CEFAB4F5F0E13397808D80A710E67DE02FED439332D3
        Malicious:false
        Reputation:unknown
        Preview:EM..B(..;./&|......I..hl.p.1.,7..]....tF..v...:...1....A.).}.....l=..Q6M.d...hH.k....r...8y...~.5.Q..3..rHT...,j)uU..)...Uu.W.<.03.H..DM.[h_.+.~.}{..x.%....;.........x....gh...K..*...u..wrc"." ]C.+..NZ.....ud.....P...i..0@M..x.V..L]IB..j...x...'.....j.'...8.b6.........|....W&.O...".\r....Z{...6h.:....... F$..mBm..rT.?.u...@=.o.E.4.^..<.$...;.....V..<J.b...W..wzL..y./W...+.5.VRr.[.W..5........9..R.gR..fy.......e?N...K[.'0..H....n......ml>...*.........t.@`.|.{....n..+.l...]yook...|.....{.Xe....r.g.?..bU.X...[jWX..{.....HW...bZLL3.z.>!.t.P......\D.k.v...U.%...Y..P%B..9..$...R..*.....C....<...zx-.......-..k....1......X5...|..I....D...Q.+t&.AiCM:}...'.!.:^...a...!.....u.vrb!VpQ..8...D...&{...}
        Process:C:\Users\user\AppData\Roaming\mssecsvc.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):885
        Entropy (8bit):5.145451217460208
        Encrypted:false
        SSDEEP:24:wgI3Y3KjzSPIySFRQQTFRtfshbAtl1FKHs8:wgOvATQhf+ktljOl
        MD5:9516268D6B0CA9CC88F84AA841317992
        SHA1:4D7100203F3DFC1A7E8F0D25154090EC4618D423
        SHA-256:896EBA0FD45BBF05300B18060050775BA3033E0CFFE50EF79307118420A5DA6C
        SHA-512:D5579E2A726D446860C293125B5B18386EF8CBF509C94B9B8A2AE11E6247348349B6747B9080BF823A7C123378DABF14A6A5EF90D4BFD44C0ABB977A2C4F0A7D
        Malicious:false
        Reputation:unknown
        Preview:Your IMPORTANT FILES WERE ENCRYPTED on this computer: documents, databases, photos, videos, etc.....Encryption was prodused using unique public key for this computer...To decrypt files, you need to obtain private key and special tool.....To retrieve the private key and tool find your pc key file with '.key.~xdata~' extension...Depending on your operation system version and personal settings, you can find it in:..'C:/',..'C:/ProgramData',..'C:/Documents and Settings/All Users/Application Data',..'Your Desktop'..folders (eg. 'C:/PC-TTT54M#45CD.key.~xdata~'). ....Then send it to one of following email addresses:....begins@colocasia.org..bilbo@colocasia.org..frodo@colocasia.org..trevor@thwonderfulday.com..bob@thwonderfulday.com..bil@thwonderfulday.com....Your ID: 116938#E6D33838FD3B3884E7EB26AE0631910A....Do not worry if you did not find key file, anyway contact for support...
        Process:C:\Users\user\AppData\Roaming\mssecsvc.exe
        File Type:data
        Category:dropped
        Size (bytes):4133
        Entropy (8bit):7.954465063697776
        Encrypted:false
        SSDEEP:96:vwr6CDO5+gUS10Ec7ywPfYdh6qW+pbHOqo4Z4lYAai9VXX29:vwA5FIFywPfYdh6JtqoHDaizXX29
        MD5:707ACF7E40A527A173E0DE124EF5C9B0
        SHA1:30EDCECEB45FD88F583F56A2103B6DCB7BBD476D
        SHA-256:86F1DC0B0B927C2C365671E2C728AF7DE2DED242F96F160205124AE9E8DD6A7A
        SHA-512:655ABC82C2F81644BC18B8F26ABB13EEBA5BB79BFAA9833BC75AD39D20246F2E53E4F084F1C9A919CD7629C89E315666BA371536E715557D6ADD04EA58C1B0B3
        Malicious:false
        Reputation:unknown
        Preview:.... )X..f/.gS2.>._..._.`.>p....4?.r.=..V:.h.\$.3rIX1H..b..x..mY....Q..*z...p..5m._3...;!.@..?......62..a..\..B].g..........+.....Uh-?...v^.I=p.t.....q.7M..2VM}..9.D...x..<..Ocl......J...U..{.Q...zaz...*...2..b.........'.H`K3.....K...r......#.HT.....T.:.m..^...Y.X.o.............!.~..N.$....g.d.7..C......jUU.f...1.....N.T....&..=.j..bC......Dt....$c...."..C;..9/.YSD#...VJ,.&.v}D.1,4VN.......US..r).t.1.].[..*.........h...L...Q..}[....o.......LI..../.F..A..`.. ;m..k.5@F...d...4..g.+IIc........<.x,O.m..!./.Y...i......ri.{...=..v....r..RwQ.YaZ....C......{......a.U.f.Hm......)d...b...>.....a.J`..T.i1_......F....*".Z#t3..\.~d.:..p...h....L(..K...J...1Z........4ZS....V.;.C........iL7T..1m..I......Q.^.9%........O2 .H.c.....(....DM3|.a.....Z...4D..*....~..(.[...o#...x..R.8..o(...>v|..[..s|..aW.......X[X.@.......&l.3\.+.d..,.7R..@{.8..M..d..].....|..%.!S............1..b..f....OUQ.3,.0K..Mr2.....0...~...'.^...b.&..l%.}h..&0.+....
        Process:C:\Users\user\AppData\Roaming\mssecsvc.exe
        File Type:data
        Category:dropped
        Size (bytes):4102
        Entropy (8bit):7.9508263874901415
        Encrypted:false
        SSDEEP:96:QNOn4XIZLlFXUAbdXW3w/45VijhwK1oJJYF5LreDjClUAnOLPIn:drZLlKAbdPcMlwYoJOF5Lrp+E
        MD5:6B8D4690A4E433289278E31B65543045
        SHA1:8BEC04DEB539E8902DF8ECA424ED5B30F9E305BC
        SHA-256:781974A81F52864CC9C88E0EB9B9079FFEBD381719B8D2A562FED5E5E11EAB0E
        SHA-512:5FD481CA437BEACDC5D0D04C5F196F9541B6682A063AA9352F0316388053AC3B37694386C7C4498B03296116A672BBF013EEFBCFC22E92849EB229C1CB86BBFB
        Malicious:false
        Reputation:unknown
        Preview:Q.p.X..QKq.@w.M.~..0.Ja.r.....p...7}.b.gg\.5,.Ck..7.{.PB.+.{.s.....Ao....d5..>Y....v.[..u....v..V!...*v#.R...'mx.l.b..@.?....+......Sd....1..K+..@.D{..?..b.T...;.HkNcud..V.3.M.R.e.........z....}.e...2...ER..)r..`h.R7....^..`$&...m4.h.....,..s.....AB&.s8;..69..;.KN.E......q.Pr..5H....u.i.{#tr.[e.$....X..+P......K}.0...9.E..Xu`....8V.]..K.k..hJ..%.......3.Ht....u....,.../3.,.30...qp]...`^J.......ed.....gI'bc.NH.dD.[n.`[@E.f..+.X......5..]w.D%b<H..[.M.8.L".T.....Q....[T..._....B..u..sX.0N.#....TS..../*O....Z\...D.p....Zt..k.$..S.1k.<......3.6DI..I/..n.`.'Q..... ........#."7w.L'...o}k...B..(..Bg..`.d....l3.Z..%...]..o.[1)...[.!...+.D.u..m....b%WSNy..Jf...].....~.6......s&..U.E....m....e.9.2._2....#.I.j...J...]*}o..X....cD....i#.j..T..a......S....%J.Hg.p..Dk...k..1...N.I.....:./....%......Y..i..p..b'...96.2.!..=....y..R..i...z...b.K.`o.bV.U..f.)4....D.A..1].......rX,...............K..Hy.G...dG....v"..$.....f.Mq....w..f...J..em.s~K.[.......e...9
        Process:C:\Users\user\AppData\Roaming\mssecsvc.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):885
        Entropy (8bit):5.145451217460208
        Encrypted:false
        SSDEEP:24:wgI3Y3KjzSPIySFRQQTFRtfshbAtl1FKHs8:wgOvATQhf+ktljOl
        MD5:9516268D6B0CA9CC88F84AA841317992
        SHA1:4D7100203F3DFC1A7E8F0D25154090EC4618D423
        SHA-256:896EBA0FD45BBF05300B18060050775BA3033E0CFFE50EF79307118420A5DA6C
        SHA-512:D5579E2A726D446860C293125B5B18386EF8CBF509C94B9B8A2AE11E6247348349B6747B9080BF823A7C123378DABF14A6A5EF90D4BFD44C0ABB977A2C4F0A7D
        Malicious:false
        Reputation:unknown
        Preview:Your IMPORTANT FILES WERE ENCRYPTED on this computer: documents, databases, photos, videos, etc.....Encryption was prodused using unique public key for this computer...To decrypt files, you need to obtain private key and special tool.....To retrieve the private key and tool find your pc key file with '.key.~xdata~' extension...Depending on your operation system version and personal settings, you can find it in:..'C:/',..'C:/ProgramData',..'C:/Documents and Settings/All Users/Application Data',..'Your Desktop'..folders (eg. 'C:/PC-TTT54M#45CD.key.~xdata~'). ....Then send it to one of following email addresses:....begins@colocasia.org..bilbo@colocasia.org..frodo@colocasia.org..trevor@thwonderfulday.com..bob@thwonderfulday.com..bil@thwonderfulday.com....Your ID: 116938#E6D33838FD3B3884E7EB26AE0631910A....Do not worry if you did not find key file, anyway contact for support...
        Process:C:\Users\user\AppData\Roaming\mssecsvc.exe
        File Type:data
        Category:dropped
        Size (bytes):4134
        Entropy (8bit):7.95234721633555
        Encrypted:false
        SSDEEP:96:W/j2zk3KjdBoPJ3+2gm0cJ/9sa77Xedd5xEarPW:W/jB33PB+2gm3J1savud/Saru
        MD5:249283FCFD1145DD4549E32D34203ADA
        SHA1:265D0B9CF1E867E470534298CB23FF64D52150C8
        SHA-256:C2E7FDEF35A1EC1C59F0FCC40CCEBE975B0D2763CB91C7D07A0EDFA0749A10DB
        SHA-512:534C9E7FED49944941D7E2BE47285D49D65543E33EC7D6B6C32391902447953F0C1FAC3C18AB648C3117789FE80797CBFF8FD55AD338E1D227AE7E056D4CA14C
        Malicious:false
        Reputation:unknown
        Preview:.........'..<n..%$>..9...C...&..2.9..........l...F.A....=9.t...Xt...d..{........|d..K....A.0...]w.iw.......$.7F.mD1Y..V....lv1...6+C(..Y....Q..T...D................../...".]~.Y...Hp.l.M.P.'.o.[.yW...Q%....=1.[..~.]...n..r.....e.4.j.Kf.jo=x/.;..d..7.!..P@.....R..O...S5Q...M..>..........YZ....b{....6lh...+iw.....h...`....._......D..N/l......j.-=.D....Y....Y....4....t......4...Zm...;.....'.O%1..B..|....q..Pp.!.=PSDA.Su..X.|.../.....N.%[8.4;.`)..{...lK.........._h4;..r.......3...`.JQ....B.NY......*....GY~K..Z...K.8....f....k._..w}...)....+...K`...c...6....pR........Z....V+...J'.#6.C*w..`+....K..?..[s.T]#......>.0....g...&.l...$........o/`.j...mH{V..m^>\..h.:..X..Zc.f.N.g..........^.O.e...+<.g..b.>.,.S..;.e.'...W.K..}...WTSn3....]3.oawwMlZ.%V..#.%....km.f.1sr.R./.x^..4~.SJ..s...B..].3.x.`..Jr.9... .<....~8.....O.X.........[....M....'7.. ...^."..}?....H...Y...."z..4..9h....:.....2.T..:.amr..jc.ql{.n.......m%.........x}Jg.]..i...Ak3).~z.
        Process:C:\Users\user\AppData\Roaming\mssecsvc.exe
        File Type:data
        Category:dropped
        Size (bytes):4100
        Entropy (8bit):7.950013533749332
        Encrypted:false
        SSDEEP:96:GohQ94uj5zIAMYxUEsFCC1mDA0hDYKy+Ygt5:BQ94ud0AdUEsFCC2A0YC
        MD5:BF15A3635F0ED6A991EB999BAA466649
        SHA1:43B6287C59DC84AFD6937431B7E49FAFDEEE79AC
        SHA-256:E068D68D1E2B20A4795034880F1D75CB34EF53854B99AD79E6B7F3744A283088
        SHA-512:C89B1EC11C8B7049D3258846D77FEB62C597EBB20D6AAA193223FBC72244DED873DFAB877E22D72E431B326C742C70E8566C84700BCD5E44C825723D13D78E51
        Malicious:false
        Reputation:unknown
        Preview:v..)I*....[VF........eJ......n!K6x...2......V....ZK......F.....-1=0E..V...N.N2.!....@<y.....*...........s.E.1...F-.{..B......g...l.K...'...0[5iW..Ga.....Ki...y..=........e.L".;.p.t.......{/.t.^{... _..yc9...}.z .g$..X..;.......|..:2....g.5..J$..io...e.a3...d..9..D4...P.#J6$.~fG..i.....[.h..*..9.......Eb|...]T;g...M..v..=u......'....U..../1.......n..4....IO..'d.z.}......P.......bQ....t..r.....d7,...LD. .E..V.....&...L.]G.......1....C.~...>....../.`D2...O<c[...0.G.l.].j....`Zmt.u.[....Z..o...D.%..Y...i7p.~....xLXP(.[...Nh..J...#f...rz..2.;.....R]m..|L..Q....q'.kL.f.]........\?8.u.|.."y.q....)...N..'Kg.;..?....5.....w.....P.M?k.......f..,......ox..g.>...0...hP...V....EC./.|?I..EBc..!..U.....AM..$i...L....."..j^..2.s.....M].#.7..k........#vY....2.6.%..0.\...AQI...W..B.4.....6...@..b.@.Xq.I.+._.<y2....\gj..7.G..0..0T).2...54HdV.(.]x.?..........~.......0.%Q.6.p..wE..L..Y.... ....!...8.r..k..fx).I....F...A..1}..2..Z.e9....8:.v^A1.]I
        Process:C:\Users\user\AppData\Roaming\mssecsvc.exe
        File Type:data
        Category:dropped
        Size (bytes):4034
        Entropy (8bit):7.945560250035981
        Encrypted:false
        SSDEEP:96:BCr3Lr1tzhwjVY8c2M4PmcFifTwAIk0U7SPPxuXYU:Otzh72pFiEA10U1Xv
        MD5:AE5FD9A1BDDFDB20B0B77D2E67EBD3F9
        SHA1:0F25B82FF36DEB9DC7BAF0B3794D8450825DFEE4
        SHA-256:6090694C5D5129F4D2BBE00FEDCCBCD91F332DC1C6605C4B5553D178B1464216
        SHA-512:A5D2A8C4DAC9C54EEF7D4B35320A6543254F8F66DE2E1CA7C8711685A93DE23AA7DDA1858053D44414A3B640A9AB8A8C1875749367182A19CB855F6DD3ABA773
        Malicious:false
        Reputation:unknown
        Preview:..s.s"..0....j....>......T.....p..m.....E.kA.....z.6fZ...X(....l..z..HU .!.}.S.T9..-..]@....#.."x.%.'6.p.uJ."....O.E..._.%X.9.\o.~.........y....w...8.c.N......1}.^.C6.[...;,...{L8..&.O0......$.....K>....ZJ.'..1#&..^..Z ...O.N........X...4.WG&n..h!....-...2Qa0.3'1hb.r.(....u.).....}.}..a),...[.<.;4.r ......r..o.s.=.+.....w.f5"....8qTn._P.......^.....Z.L...l.T~C...j+...'...!..@../..K..=...".~...[."u.....OM.FH?.6..V....e?l..@$F.ym.W9.(...B.....q.U..w...%k1X.K..e..T.. .7.d3..2Y'.[ES'..%.........s...sw.........H...H.ap<..g..{..7.S..r..;..[...>1.G7...R....4.cg.aR..ZJj!#.....<...o.soY.d...s..Y*x..&<......R.LYx..^...H..q.!uD....x...G|...q0h6..$.m.!.....j....Do..1.3.#...s.....]....p.O.....`.emk.....n.....]e..6.w.',.-+........GTK..i.E&q"-3.r4:V ....pi...?.r..g}_"...vq(...B..+A.Z........}#8.7.b7(...).7`.....^Z.../..K~....xo.x.3...s..[fgq..Z.C..%.....-&."7n.P>.....;A...........v..5...R..X...tF..=#.t..3=...i5|x>^w3..r..)...lvx.....;..0....
        Process:C:\Users\user\AppData\Roaming\mssecsvc.exe
        File Type:data
        Category:dropped
        Size (bytes):4132
        Entropy (8bit):7.953803271273256
        Encrypted:false
        SSDEEP:96:HmrEWKsft+kP05361NGfo44vSl/++6crrCSmFp8eqLC4cuxaMYqzW:HjYV+8gfo4uS5+TW3mD8FCwaMYB
        MD5:2A9A8D59B5FB753875184BF0B290F30F
        SHA1:9751AA4FB8DF699FEA11F108A7ABACBC82973B38
        SHA-256:E5427CDC3672F22A64F84BD7EB297C832E91477B48DF2866BBB1A73ADD29E119
        SHA-512:4AE15B9854CE71DC5A2BBF41B7077DA6D9B5FB459B0495A43F7DE7B370352F3842E3DCE7F02306CFB66E920E081AB879D9273CC72BA881ACC63C359CB09FA76F
        Malicious:false
        Reputation:unknown
        Preview:.'.|..p?R..bp*.. .E.~.D&.Q6...k.c..:C...b.=..p..nk........c)lB.c....n6.?.......`.`....."E...zV.. ....j..;..\d.O...V.9...H..]s..|E....7..}..T.^g^;.H..1...|.H...u.%P...M...Jn..?/A.&.....J...j.yL].....U.]{.w...B..&..1......x...t.N...Z........p.!../......0.$.?_..*,..[.>.-.{.d=N#.......I..i]5...yN..&e.?....h*Uz:S ...8o...9...Q>...'`.....+q.&.....k.C.#<...0p..y#..=....i#...%'.0.......U&.Yn.64...../.;...3c.8..c{l.X).]....;.n._..._.b_..v1=Wc.*&k....;F...I...'C/u.j.Y.a.....^..k2..T@1...D.c.pa.FhF...|Z....[.{.R.[@....../.QL.*5.V.....$h..e.L.-.Z..O..fA..x .-.....4CX....1E.<{.$.F.9f..1....7Z.b......w..o......5.3..A.......X.0..@Q....^.0.T...m".,.....s.txr..2..1l..v.D...g..;E..(&.\.......s.0I.\W...j...M...G.b".j.S.d^i.5.........(a.k....,.7.H*.K....M..Cn2P...>.0.4. ._....o.,.._.z..)..[C..F..TU=.7Y.v.O[..M.....N.)?n..b"?...a&..T.k...*z....L.<.g....."....O..3.V.).?.9....T....T..@........:U.......%..}..0....}...0-_...i. ...W.q....I _..?.k...~.....~.
        Process:C:\Users\user\AppData\Roaming\mssecsvc.exe
        File Type:data
        Category:dropped
        Size (bytes):3950
        Entropy (8bit):7.955416628394308
        Encrypted:false
        SSDEEP:48:BWzNVudJ4G09Up1JlqjiQC6TMDDf5DrW6Nd5MDuwo1Q2pgOA0i0Z1ZbyHER+YMr:u/udKG3p1JlqjzyfpbX5MCNb7i0pX9Mr
        MD5:40E2B1589D1B0D0DD57C8354A1997C68
        SHA1:989B84A9C41EDD6E42DEEA58EDCDC4296692049F
        SHA-256:5852EF8AAB42622BA33A7E511DB62887D77D20925B9FC75F6F8231BB65C33A8E
        SHA-512:A421E4E6710C829BD95185211383D198D5DF11163779431134E8EC4E139447395378F91FAE3BDDE7E659886B3A277335AF7A58A85F45A6E7D5C19EC6BF77921A
        Malicious:false
        Reputation:unknown
        Preview:.e.[..../j."7...X.#,.........a2.ucp..#]..k..9..... .7.,..Ga.P..YHj.|.U.........~.....C..M).)x /..>.}.e.o...u.(ws:<.(.).9.....#.2.....N.7..~..$.4.=7...afi...x.-9..Nosgi...|./.^.<D.j>../{-+..r7[V.]....D('.u.K.-..o.Aj....y{.e...2.^OCp...Z.B..!e.R.p....>./.&:.t...uy{..."g\..oZ...1...f...G\.[.._...=U.y.c.l_.j&Nv...X.eH8..A..@..o...-x...C....?.....{+....1..%.u>@.I.s^...4l..:.....=.'.Bt..;...XU{...4Q.u)..2..L......R.%.Q....|...b.H..[?.)..N..H.....NQ5..L..K_.e....g.@S...R.$...2...r.t.....#-D.['^*......[...#..g.p.d,./Em.P)fD...../.1P|...&..*~Oe.2VV.bv.../&_.]..y...3[..[u:.9.-!....CC...eb..G...4V..E.+..{..+..N./2.......`.hS.[....C.-S`r......n....s.E...0,.(.s.+.=....0...XQ.7..y....4<.Gvk.....H..9e..J.|..8...k.X1><.9Z.Ez..w?....<.....].....F...|..^...T,.K.....M.....;0Z...+J1.....V ......ik.#&2.M.|..K%F".8.H.Z..*..|e~......2.i%.<?..........6..f..m"...#.?C.s..ZK&kt.p/7.....;KD{2......H..L.....!..M.{E.....%.a.S.'E[.r........z(....."...Op....T......5w`.
        Process:C:\Users\user\AppData\Roaming\mssecsvc.exe
        File Type:OpenPGP Public Key
        Category:dropped
        Size (bytes):4139
        Entropy (8bit):7.957220797845083
        Encrypted:false
        SSDEEP:96:KQ9FJ5aHFNIiL0D574kmE0l9I/goUyQpC68uA0Dg6ut:KYFDIF184k10U/l3QpYh0s6ut
        MD5:603A7E4AB77FFC0FF85CFDCBED7419A5
        SHA1:A4C5B993FCEE4E9A2ADD20A6B20DE37BC1400B38
        SHA-256:0948235E6101E8E3C2F0027B4F49154884991FBEF79B0BC2924A914870F4C212
        SHA-512:1DB80C769FB2406E51F4BAD11CB29DEDB667ACF6BAAA2861B75AEACE813C36F48A81F81568241E9A7B3C76F2344443FD35A293693C1BF9A40789A7E0AFD05220
        Malicious:false
        Reputation:unknown
        Preview:......V......c.N....Z..dc..].Z...;.F{pR7n:C.!.I6......l.).~......5.r..... .."1g.. r...@m...1...2&..C./g"%=..l_...~C...v.).1R..eb.C]#..W...u.....9..M..U.....g..-...[....*y.....d.U.xo....v.....f...)+z..=n.p.-b4..".C....F|.".....8..JB....-.`o..h.....S...z/...#..\...Q[./.S..B....i...Hkq.......$.i...o%.%..\.:.T.`.....<.i....+j..y.B....st....wfe.,...n...?...M....P.....n.D.:..#E..w1P.C.ES..$...\.=,^.. @..../u.@....h:*..cR..Fu..<./...-..-b7.v.D....|K....*PN...'%]:.lW..FT6<|.5..".3..b0.^...@4..~+..-BaN'..~...C*9.V...`..o..y.. ..C.m\>e...2x.@`).9..............9..QFL.lO<...d...?...............&......J+..N&..v..X.q....X.........f=..H?n|.3.O....rI-&.. .T+.Xv.Y.qN..e..^o.eO.....j.t...$.....W......d...a.....0.(...p\+|....^..*M..7Ri.[.U......d....N...TE...2...|..R.|..#d.f..N.Aw.=..b.}.;.../|J}.m....".5........2..V.c`.....a.b}..>).....=..w...gU...,.X.'...I.{......r.b..........0.....;jn.V...Dv.FY..<.Z.....Hz.@+.`d.O..S..@(Q.X..;.m.:..L..m.,....S..L
        Process:C:\Users\user\AppData\Roaming\mssecsvc.exe
        File Type:data
        Category:dropped
        Size (bytes):4088
        Entropy (8bit):7.953336494989614
        Encrypted:false
        SSDEEP:96:7RyWcQeSHjG1OZmqsxta5zE6AGS8BWK5ini1gyLUp:YWcQe6fmqMtr6AaBB5iniKym
        MD5:7C9E008B91F15A51D86E47E9A4742629
        SHA1:B5AF090C31DB3E3E3613C382752AA244773EA487
        SHA-256:8FFC12BB050935D66C4D229B1C196AD4004F2ED356F6863A498B9D60AA024253
        SHA-512:58EB4E8DB95F166D726D9A6CF8A1DBF40B17C6FD2161EA70C6C4D3086849C80BB269129C3523AE7A9F7962C5019015C947DFA96DE7897E4D1E07B9D5C172BAEB
        Malicious:false
        Reputation:unknown
        Preview:Ux..d7.....I.,.....R....pz.>r....s.4&..........X3.FK...T.f.$Nl.I.U\&..w......U.E$...Q.p.R....x...!........l_....B..m...-........V@.W+A..n.]...Ttyd..It.|.q&.#..1.]K.u..3..m..............H.....e..h....F.n....".U ]"..X ...@0I/....0..h...k.4..&M........@....BtL"+Yl....H;.(...X+...I...]..s....j.......*fM...)..y..'G...I.....W.../o.,6...(....w.s^n...[....z)J.RU.6...8.Wq...R.....K.....z..=.....f.U.........]M.0w0...x.P.x.(...K%#....Ok.....q..y...g`.y.*...b.9...Y'.}-Z'.....]....y.....=..~...RXPb./....?.....ME+...;.!...|.*...q.VxL..\R....Zq..0'=.?(....E.ta.f.6nl...O.......9.o..",&..U....w4....y...6.....0..]}|.>j....F.....:..&!.a7...J....x.y....$.._&$......2.H...Z....tn.?..f.'.2.'u.t.....%.o#.,eM]J......-&x...c..........+... .t..T.."..1v...>O.6...t....`...Q....m...uGej..!..6Wo....z.uj...".qr...3$.K...v.).V..5.0J,*..?+%.}..y..;..G.SB..p..V.t..p.....OW....fU...9.....+.s.4..,.<9&1.t..p.......C..l.Fd.!hi.)..._....\.0.G...R..'K............;.<...l.Jn|.zB...08..
        Process:C:\Users\user\AppData\Roaming\mssecsvc.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):885
        Entropy (8bit):5.145451217460208
        Encrypted:false
        SSDEEP:24:wgI3Y3KjzSPIySFRQQTFRtfshbAtl1FKHs8:wgOvATQhf+ktljOl
        MD5:9516268D6B0CA9CC88F84AA841317992
        SHA1:4D7100203F3DFC1A7E8F0D25154090EC4618D423
        SHA-256:896EBA0FD45BBF05300B18060050775BA3033E0CFFE50EF79307118420A5DA6C
        SHA-512:D5579E2A726D446860C293125B5B18386EF8CBF509C94B9B8A2AE11E6247348349B6747B9080BF823A7C123378DABF14A6A5EF90D4BFD44C0ABB977A2C4F0A7D
        Malicious:false
        Reputation:unknown
        Preview:Your IMPORTANT FILES WERE ENCRYPTED on this computer: documents, databases, photos, videos, etc.....Encryption was prodused using unique public key for this computer...To decrypt files, you need to obtain private key and special tool.....To retrieve the private key and tool find your pc key file with '.key.~xdata~' extension...Depending on your operation system version and personal settings, you can find it in:..'C:/',..'C:/ProgramData',..'C:/Documents and Settings/All Users/Application Data',..'Your Desktop'..folders (eg. 'C:/PC-TTT54M#45CD.key.~xdata~'). ....Then send it to one of following email addresses:....begins@colocasia.org..bilbo@colocasia.org..frodo@colocasia.org..trevor@thwonderfulday.com..bob@thwonderfulday.com..bil@thwonderfulday.com....Your ID: 116938#E6D33838FD3B3884E7EB26AE0631910A....Do not worry if you did not find key file, anyway contact for support...
        Process:C:\Users\user\AppData\Roaming\mssecsvc.exe
        File Type:data
        Category:dropped
        Size (bytes):22543
        Entropy (8bit):7.992759250841138
        Encrypted:true
        SSDEEP:384:7I+OxmAm3mSebfGPst0HIAQldYmshqS1c6CSluVMw+SYgeBpvTr/XCXEsmLn4I:MdxHSeDDL2fGSluVMwvYgwrKXHmLn4I
        MD5:7854E0A2CDD98FA0D8E8DC30AAEF70B8
        SHA1:3CC91400C15EFD5F1407D10FF9516D3CF7691285
        SHA-256:0066F894F67372220E3919144018952445B45BAA8C1703A23F01F29B1EDE76BD
        SHA-512:107B75596E6AA37FBF6196E08194EAEFC8E895C6D6538728D71FE149059B64775D7FEFD5CE5C0108498986911B9E98978F0CB717C4161D7D34AE25ED8EA66ED7
        Malicious:true
        Reputation:unknown
        Preview:.*b...6...W.....*ON...kK...Z..pdh.R....M...9....X..gh..&....*..._3.?..rm.H:....<.C.h.lH.^*...w00\f$H.SX`...Qd.|U../.X.....rx...`.o....y7....].......N.........Q.|.G...q..#Xj.$..c......R8K.....wQX,.I.>..3,..=.+.n..%b.H.>..g...Yo...(x.R,%X!..W.(.LN......C.m.(R.C.Q..cN.8....A'...9.=.N...F.!./.W.F......1...*.<.LK..y.<.m.R...#..UJ.P...%..j...._./."..~.<..kjzT"(.4.$F.x..t%Y...W.."...G/...xO.U%...T..te....n..=P.......b.e[.....7.B>&._y.W..QG.1.0JCR...w=...OMt....$..m..1..?....5.......~..+..p..........K.F].K..w>.!.Gy.rR.....m^d....y....<.D...x.;D..Cn..5p.\;... .Gi}/.....@(.,.......'.....{Co}.. .W....Ul(...lL...F..N<e.7...^....N..p.'9C..7..A.....V..N.s....X..3.".5:.......B.Z?V...E?N@4%..*...........=;>..4.+...!4!....}.i.(.?.'...8.,^kQ1T.........]..T.7.w`D.....mt&].NM.+...ZQ....>Za+..C..lC..g...AF..^.;.\.e..7X.!..j3....O.r..?T\b@.f.p.+Aj..Q|.......75.}.m.N...Qt.2HJ....NsK)]{.....,...@6....d...>....=l.<a?..Md.%$.d.u..WS.OYm......=$!._...T..( .
        Process:C:\Users\user\AppData\Roaming\mssecsvc.exe
        File Type:data
        Category:dropped
        Size (bytes):22348
        Entropy (8bit):7.991089491254186
        Encrypted:true
        SSDEEP:384:6WfgD1FongjIwbbnniZUQ290mtC9v3AX6SxeoIK/tuhGRus1LIaR70Dy:3fPgjIEbnPQVCCGpsoIK/JRuqI7O
        MD5:F77BDD7265C3882E10E77045E638026F
        SHA1:F3E654EA9A4E632E10D153E8CA8B016FAF0AC3AB
        SHA-256:673FEF4CC2FA5A3C603532E25B774F680F047867BEFD0619723B58858B2AE929
        SHA-512:CCDD8033653A3386B44C61FB2FB0B2F5B503DABE38BDD44A81E94FCEC1AA296A1DE903EAE70E263BF20F015A37CAFAC0B9B558C15443183F13CF873478600927
        Malicious:true
        Reputation:unknown
        Preview:..n..OT...\.-..J....v.v.@_.uIH:z..B.~...g...Mk.....=,-....a...E}...\.~m..h.K(..r.Vy......&,.>.sC..xi._.....B.....t....y.9.mM}.ri..@..s..<.e..x.\.J...N.UE..I.).+...s.N...T..j....g.@}!.?.#R.`(...l.{;..BG.T1.}...}.v.FJ+..W..~........Z.X..I..j..g)I.....\..-....C..t$.......L>..F0...Sn.i}...%.5.......[.DLvO.)yn.....Ya.C...EO.Gx.o...3....W&....dl...lt.7Za.....U(..~"..Q>d...Uu.........~ ....80{.R......6....<..}.?..t...N.......0..j.&...E{.|a.K.*1....p.#....H.i/)..%...s..B..:..(.x..k].:..S..)u..o)D....v.z..!!....%...u..(2..;...3F....cv.~W.I..o.......T+.....G.E..p{..[...p.%.(o....&-.k.H....5..._'.......Y..'....!{.Z>.q9a..mg....:.oY.rt~...&l.9.m.P6.p.`m<l8{.. +.....2..o..Q|F...t,.....D......ryB^.../.!2.y.f<.....2.W....}A...5?..)...o;l(......2..C.uJ....3\.77..........!..x.j.A..B|.g..R2.K.$......[.<....Yk..Q...a....A.S3.ze.c. ..x/jH+O...f7..Z..].#..f.x3..:....6!g2....:...S.N......@..A.....@;.......1O...M......c...........m..N.l.n..].w.....'.{:..
        Process:C:\Users\user\AppData\Roaming\mssecsvc.exe
        File Type:data
        Category:dropped
        Size (bytes):23216
        Entropy (8bit):7.991747951464428
        Encrypted:true
        SSDEEP:384:jdwPDp/G3sZIR6Sr+vLKvms3rR59V4lLm/1Yso5rO1n9ukRbZXIrtZHqTaye+e:jdw43yc5ruLK+sFXSlGCsWrO1U0RcGTC
        MD5:A6CBC1B27B491D91E250A3780015C5BF
        SHA1:310A49EFB4DF88887B1EBF63021DD4DBEF5B77A2
        SHA-256:6B9111728469A1D3E5386946DB997285DE59979E82B13A681714076CEB2E9D72
        SHA-512:D3FFD565AF06A5D0C54E4A6EA55A14302E58C67092C3BC28A8076444DC2FC7B1921035B17E533246EEFCAD9A7EBB77F41F4F2724C5B386C03586054C11B88BE3
        Malicious:true
        Reputation:unknown
        Preview:^.E..!.5....a^.].G.j.OQS.=...g.wO...-...|#Xrg...q..ct...S.....M'.K...U5.RQ.....s..........l>......>.......).uGRg...r.D...r.,.e.Zd.....Kr.p.!.e8V..n..'B..r..g...Q.Mz..qa.;..:I.].d>.U ..!.~q....4.f......2_:|.wt.q(..%8.da....l..Mh.....R.m...M....e.....I.ae._.....qP...J&..<.=....>(L.d>..nC..G..g..$....x=H-.....h>&.*l...D8Rzev....zXIA.G.,p..ti.#_b.\T2..Sb.....6.O..I.f0.s.D:...V.E 78..@..--.j......?../..J........=..L..6.<}K.~.....%.N..{.x.1._..z=:;....3....H....H.<[.9...84VM.....Tpj...+..X.......>T.E}.+.oH.......A..t).....H.Fp~..H?F....mQb'k...`........e.[..a........w.P}..E...-.6.(6...6......a%z)........9I.FL..:.....3e.8.q.~V.4+~.*M..~.e....V^D..)Ma.-.y..I.?.|.b.p.#v8.6.n.UI.%.k.l^m.....j_-]..Cl../B..Z.KUy...,9.........-&.Tw.kpA..b..(^.>......W.5.A.......[.._.y..[.y|..^...k.>..0.J..'Y..\.i.8.Z.TF..vu.W....{.3.....Q..{.Cm.,..!.a.....%.Bh-.s...w...gs..N.\/.@../9.b.u.s......^>`..o.$Rc..!|..=h...Q...xXW..A.....YC.....y..RQ....".Z....vQ.....#..'
        Process:C:\Users\user\AppData\Roaming\mssecsvc.exe
        File Type:data
        Category:dropped
        Size (bytes):23268
        Entropy (8bit):7.9915585496341865
        Encrypted:true
        SSDEEP:384:iuIj5KUrU/gllDR7AHPjo3xmoRVM65TVBrvfOo4u2JFb4z9DarzHTomzr:iuIje/6R7AHro3xmE5THvfAuI14zgfHn
        MD5:3617FE14A747AFC33CADB38A334C59DB
        SHA1:8048E89CB177504BB69C57D43070A015C828E09E
        SHA-256:1BF741C5018E5B2E5D23A8F2371D502662E8009A92930CF0BA6942EEE3B930A6
        SHA-512:428CE6FAE08337C32AD5F6AEEB68DFB9CBB828CBF7315E1A55513C002F930B04C59B00D120E12713F948AB3B9B99BB8D8C4323F8345088926DD942C22D8F91D7
        Malicious:true
        Reputation:unknown
        Preview:H-p..O.I......q....P...........C.Nl...&WW.z.....k...X...p......m.."q......v..^..9..V.>.d...$.q.}..#.h.x..b..+-Q.Z..CQ..\..f.W...>..;...2.~...........Sa......*..m..8w~....R.u3...g....3..........x.gl.......$-..x...[e....T-..k..W......r....9....M9.B."..}.j6.`E.Q..K.....p....c...+..q.:.j..vMZ..a..i.....6m..H.v..m.!.....*%%.M.3.j.*...5O..h.o...J.Y ...w.l7...A+..4..N9.X$`.W......,I..])BF..f.bk.6%....Q.y`7..A..#...,`#'T.^4.7.[..-...........q.X !..:..o.>..k.n.......t>.4.jZR:.v..9...A..pa..#,*GH..$........Y0.F.U..I..%2.A.mfz5......3.C;.2.f.bw.[7gRA1..c.m..1.......e.F"..O......`.Ld~'._8...4....f.......i.L.....u..j...#.Su....;..2i.J.ID`'.^...M.9..0...D..I.M}........8u..o.4L.....C.........b...f(.c...UK......... .H.W.gX...L.ip...7.6x."..sq(dj....|.........\.;s.L.2/....U....d[p.1..53.-;.......n../w.aqr..I.....dj..w< %#..3Es=..p....t...i.d.\.7...\.W{.Rt......=|.....<s..$.. [@j]...^...t./;.'!<_....RQ...A?[....w...Xx...H..>w..2.gO....e.......U.C.^
        Process:C:\Users\user\AppData\Roaming\mssecsvc.exe
        File Type:data
        Category:dropped
        Size (bytes):17888
        Entropy (8bit):7.988592656280634
        Encrypted:false
        SSDEEP:384:sOJKmQj5T7Bxbfrh8xcntgBhnoAlwaf9chcNVM8rkAy9vJUx8/Emq:3JKmQj5/LbtKZPieNiGk86Tq
        MD5:00D807823CEB05F9C5E1342E2E413F42
        SHA1:B28A441C3D6B19E3D382993BEA68B97896267C9F
        SHA-256:6068A34EF4A51C165C89E8FDFD88E20CEB5EADD4CBAE5819888DA8039F654D77
        SHA-512:30684EF568F1E67850F41639B7C876B0118E391BDA0B414C3685FB5EAD90A41D8AE057C7678D4898AFEE7D18058D804AE8A991A09FDF6777FF0C6523F41784B6
        Malicious:false
        Reputation:unknown
        Preview:...JP.9>..Y}2..f0b..@.E..[..u..~.=.a.(<m ..=...]Q....`..7CZ....V..|.aU.D.....d....U..#.>..,....%'..Z....D...00..r..T<.,.M.e.s..%...h...>.n....+.N.s..@OjX..M..,.)?.....3.......,.5h.~...E.xN..A7..u...Q...E..Yf.[\.......a\L1..1L.F.D/...y.../L...D.$.(...s.>.....5J=..k93i...8C....B.6...G#.u...=.{..3...b..K...V[7J.1Cg.y.zL..] ...s..Tr...G.H.:G.}......a..^^..h....Tc...X...R.&.)R.~.H.B.$J....T.....|..e.8..[_l.WX....8Q.v..5....C..m..Qo.....V..H.Ez...5...._t.R..6.7.l.].....I...:....W}2Zi.rO.^...=#.1x....|.Z.~.[....5...1..N..L..udy..j..'.R...D..T..#..?..{...,...>.u".#.[.\.T...{.......Gw.d...D..u.=*.95..+.Az@A..l.6...iJB.).dz@..!Aw....;6.eq..Q..#.w.=,k.....~.....Nov.p....B*f..,..H...oH.z.U.~.z...%....A..z.....D;TfH|<].....+.gj.;.IHn..=4:.......i..f.j_y...'.."\R..s..I..N.V..N..^$).v.....+q....|P...D..K..n.7".Ex........?..9(....Du.$>x3..L.f....+u..osja+i)t.$..N..'.[.Wy;.3..8`>....<[.4.T`..%..z....z..T8^..iD.hQ.@....(.....=Q.'Q.+.......*...,.O._v.*.f
        Process:C:\Users\user\AppData\Roaming\mssecsvc.exe
        File Type:data
        Category:dropped
        Size (bytes):231912
        Entropy (8bit):7.998882189054834
        Encrypted:true
        SSDEEP:6144:YA8cNZG7D/7mjO6as1J3Y4Mv8Iq/2/55pIV:99OX5s1RYJ0IqOk
        MD5:CBE8514F08A457FB501AB5C018A840BC
        SHA1:3A58F3853EE0E2BC07090818AFAC99C148BFC893
        SHA-256:96EC675C3D483CCA8C66638F76EC8C35B6AF8F9E6864E9D0B35B6A98DF25647F
        SHA-512:177FA452A4317910C605B7DCEBE55DEBE342515F56D8DEF0D9AE2E6A520A66092139D795881A78FCB678F44AAA2A37F8E5F618C3ED1A70D0B45817E155BD9D69
        Malicious:true
        Reputation:unknown
        Preview:.....4.+.C.#......6....y.Q...n....S..\.~Y.oF....|y..+....6.(.tG..IO.[u..1,X..2..1..J7z.....5^E=mO..c.....~.TU..Ne...'#.{.|A*..*.kf.\|.j.Q2^...5.<p.Z../.^s.E.".>M.I.]....d.4?.I.....>..&....W..r...0..h?............{.3f.............]..O.mW_H....e.^..mkX.O-......+..x.....k./qHI?'..~.RYcA.i..9. ].s........].M<..[Ui......o2....@..6.L.%K._Y....%E.8r................L..~x.....g-.'.h.{B.(...N*n.1.8.j'......M...).3.m..S.......vz..9.#n.b........v....Re.Q.?.2)+.?a...n..!1\k._"gT.9.:.U..c.]....w.7...........0.......q..Y..f.y.6gj%J;.(^.\.z.....P.....g....o......o...^D.M.....\...c.b.2i...*N6.V.>....L....N..i..)..rE.w.2w..G.....v..>>....|..Z.../..YDj.r...%....m.(f?.....=2.).FYg.....\...k:N...\44k...Yj.I&.UR..9..R...>.'...7.8~...........<....'.}Xi......FF.2@.........!.4....Y..*OF4...&E.x.S@..:.<%:].[$....A..H2......4..l..b..#. .-....Gs.......<..#W...C1........'..X..Tt...M ...._|no..........J)..%i...f....:0.......|.pL......z...(wB...W.....U.z..k..7.....O.
        Process:C:\Users\user\AppData\Roaming\mssecsvc.exe
        File Type:data
        Category:dropped
        Size (bytes):19228
        Entropy (8bit):7.989021211575371
        Encrypted:false
        SSDEEP:384:siIdvflMpgWEaqkKxU//+ZR1cMlxZOMiDV7XXv1XLLehZOxEi:siIdfWEB2//+ZR1c8ZOVV7X/JLLehZOX
        MD5:0A99FEB02CED66BB08DA845299A53C20
        SHA1:7138323D5213B6B7AAB03CCD19719A055FCAFB44
        SHA-256:26338C4756A29F8BEEC421D6BD38EB11267B187F37EB15C0E69A83C8CA3E2DD4
        SHA-512:FF09DEAD994D76BF04217B53D90E25ABC7F3E8E452437790EDAF7DA565CA3DEBE438A44685F3D49D85694C861460C179743841F681FC9B193EF6B720943ECA0D
        Malicious:false
        Reputation:unknown
        Preview:.L..@...>....)*.(.U.C.s{....?...z.8...f.;.=.U'.T....>.E.-.N..g.h...v.`..dK.......Pdh.;..v."..bpq4.....j..O{ '..v.i..lUc.b....'.c....q.1...T...h..........d4.Q...0D...&......L-.....,..vl@SF,.p..&v|tOZ.2.~.T...W..c3{.p'.x..+..e.;.`.O...mC...Z.h.M...[.h..?.s... ..m.3.../y...m...2.J....hq.$...vK.+V,./.U.Da...@E.._xXq "1..@...:........a_........>.h3...~.ro....GtOD?.19_./.6 ....`..T...t.@Cm=.R.o?..{.?.296q.q..._.4..H...... ........X...nK.u...eO.L..vg..A.l.....6*.N.0/..N.6.G..D..&.JT.x..8pa.j...].....8..dX..._......%.....z..|.k..w..d.j......K......./..8.i~.I(...0.W...o_.B...9...}l.7.q}u....|""]X..|...K...|........^.5)S.y.....#.y..s...[I..M.-p.I.YL.o...x...._.c.e...C|.f...\...W.W4.........< ..G.P.2%/..P+.._.Yy|.e.tV.&"*c.Iz.Y....goH.uTj.~..m...T.t.F.6*...=..>8......S0......8.....r.'.]a.xN.>..:q^..#M.,.*..Y..u.....=/...Or..C.".R.Bkw...kA.C.B.X..4..<MayV.OU.5.Vdpx..I<W.T. ...,...9.S.c&l.\.).DNAF#...2g...D.B..\.......7..i...........)cN...<a=:.j.W
        Process:C:\Users\user\AppData\Roaming\mssecsvc.exe
        File Type:data
        Category:dropped
        Size (bytes):19829
        Entropy (8bit):7.990626051009907
        Encrypted:true
        SSDEEP:384:XqU2ZlTMrsyJ0oWl4S+6+UcVlc8qtNp+/2gV812cuGwSGeDTsn:lalbyrCGUcVS8iNY/fV8QcFwEnsn
        MD5:25D67F47BABB0496BBE3486848459139
        SHA1:77A91FA667572A063CC29FBA422B2947FBD69AC1
        SHA-256:82E9CF11B873BC8CE6D2FD8628AAFE0BB64F27EE7EAA4702801045D6DB2AC74A
        SHA-512:AC2D05334084CB0B382208EAE7C2FF20ECAEF191F6553D83A442DE9CF15E370CD1F8E0B93CBB70E80E544165B472205A219099EAF8C243F311CADA1F4B288524
        Malicious:true
        Reputation:unknown
        Preview:.6..g.).c.g..J6..z......b.uj....}F.A.fP.1*.......tS.8.....HKo`.a..\7.f....dD&....Q..L`d:Wd.....B...<xTWn\,!q..,z.37|...9..4!.`D...l..$..S...b.S....V...!....8....1...f...,...,c.FP.w.?.......N.........g.......sM....`C..B.o2.g.J.Zi.R....L.?..~I..p.L..>.v{.`s)...,...Z.cb?..b:.B-{/.,...G;*%T<..Xl....h..a7.Dk.M.qC.'..6.......D..;..f..j^.s...i.qu.FHm\..U..x./......xM..R..S.y ..8..<..3...[...3.,R.L~../.h.{....@.lf~.\x]...kw.f.a..-.7..;I.B_..d.....e>.D.w2g..S~.H....9......:}W ..q..}%r.VD.v...'R...4...*3...U.%...C..s......j................^.O..&..e}......].F.B8.N......6....NE.QP.`n.[z}.D.......4..[....*[.3>.Do...e.t...`.M......\."...m..z.E%.....!.J..+u.#.t.y:J.3.._..........m..vE.)..:..L.>......`....i...=.9.vE......I...X.>..;.\.`......]..0|,>r...qW..%......tK..5.+...........$.o.G......]...H...[Z: ...u.....T ...w.(N...'J)..2{.y|..N...~.......X...R.6U3.;......b.>E.%.T.X;...u..ZG..=f.3@....&..q.=..e....AKX....Ku....>(.~.....m.B..a..+..[Df.b&.n
        Process:C:\Users\user\AppData\Roaming\mssecsvc.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):885
        Entropy (8bit):5.145451217460208
        Encrypted:false
        SSDEEP:24:wgI3Y3KjzSPIySFRQQTFRtfshbAtl1FKHs8:wgOvATQhf+ktljOl
        MD5:9516268D6B0CA9CC88F84AA841317992
        SHA1:4D7100203F3DFC1A7E8F0D25154090EC4618D423
        SHA-256:896EBA0FD45BBF05300B18060050775BA3033E0CFFE50EF79307118420A5DA6C
        SHA-512:D5579E2A726D446860C293125B5B18386EF8CBF509C94B9B8A2AE11E6247348349B6747B9080BF823A7C123378DABF14A6A5EF90D4BFD44C0ABB977A2C4F0A7D
        Malicious:false
        Reputation:unknown
        Preview:Your IMPORTANT FILES WERE ENCRYPTED on this computer: documents, databases, photos, videos, etc.....Encryption was prodused using unique public key for this computer...To decrypt files, you need to obtain private key and special tool.....To retrieve the private key and tool find your pc key file with '.key.~xdata~' extension...Depending on your operation system version and personal settings, you can find it in:..'C:/',..'C:/ProgramData',..'C:/Documents and Settings/All Users/Application Data',..'Your Desktop'..folders (eg. 'C:/PC-TTT54M#45CD.key.~xdata~'). ....Then send it to one of following email addresses:....begins@colocasia.org..bilbo@colocasia.org..frodo@colocasia.org..trevor@thwonderfulday.com..bob@thwonderfulday.com..bil@thwonderfulday.com....Your ID: 116938#E6D33838FD3B3884E7EB26AE0631910A....Do not worry if you did not find key file, anyway contact for support...
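The entries above carry two fields a responder will want to reproduce offline: the 8-bit entropy of each dropped file and the sandbox's derived Encrypted flag. Note how the flag behaves on small files: the 3950-, 4139- and 4088-byte files score around 7.95 and are marked Encrypted:false, while the 20 KB files score above 7.99 and are marked true. That is a size effect, not a property of the files: the plug-in entropy estimate of n uniformly random bytes is biased below 8.0 by roughly 255/(2n ln 2) bits, so a 4 KB ciphertext tops out near 7.95. The following Python script is an added example written for this page, not Joe Sandbox code and not part of the report. It recomputes the report's hash and entropy fields, applies a size-aware encryption heuristic beside a fixed cutoff so the difference is visible, and flags the two XData-specific artefacts named in the note: the note text itself and the per-victim key file with the '.key.~xdata~' extension. The cutoff values, the sample file names and the sample contents are assumptions constructed for the example; the sandbox's real threshold is not stated on the page.

```python
import hashlib
import math
from collections import Counter
from typing import Any, Dict

# Hypothetical constants chosen for this example; the report's own cutoff is not published.
FIXED_THRESHOLD = 7.99        # naive "entropy >= X means encrypted" rule
RANDOMNESS_MARGIN = 0.03      # slack (bits/byte) below the expected random-data entropy
XDATA_KEY_SUFFIX = ".key.~xdata~"     # key file extension quoted in the ransom note
XDATA_NOTE_MARKER = b".key.~xdata~"   # same string as it appears inside the note text


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy of a byte string, in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def expected_random_entropy(n: int) -> float:
    """Expected plug-in entropy of n uniformly random bytes.

    The estimator is biased low by about (K-1)/(2 n ln 2) bits (Miller-Madow term,
    K = 256 symbols), which is why a 4 KB ciphertext reads ~7.95 rather than 8.0.
    For n < 256 the ceiling is log2(n), not 8.
    """
    if n <= 1:
        return 0.0
    ceiling = min(8.0, math.log2(n))
    bias = (min(n, 256) - 1) / (2 * n * math.log(2))
    return max(0.0, ceiling - bias)


def looks_encrypted(data: bytes) -> bool:
    """Size-aware test: entropy within RANDOMNESS_MARGIN of what random data of this size shows."""
    return shannon_entropy(data) >= expected_random_entropy(len(data)) - RANDOMNESS_MARGIN


def digests(data: bytes) -> Dict[str, str]:
    """MD5 / SHA1 / SHA-256 / SHA-512 in the upper-case hex form the report uses."""
    return {name: hashlib.new(name, data).hexdigest().upper()
            for name in ("md5", "sha1", "sha256", "sha512")}


def triage(name: str, data: bytes) -> Dict[str, Any]:
    """Reproduce the report's per-file fields plus both heuristics and two XData flags."""
    ent = shannon_entropy(data)
    return {
        "name": name,
        "size": len(data),
        "entropy": round(ent, 6),
        "above_fixed_threshold": ent >= FIXED_THRESHOLD,
        "likely_encrypted": looks_encrypted(data),
        "ransom_note": XDATA_NOTE_MARKER in data,
        "xdata_key_file": name.endswith(XDATA_KEY_SUFFIX),
        **digests(data),
    }


def pseudo_random_bytes(n: int, seed: bytes = b"constructed-sample") -> bytes:
    """Deterministic stand-in for ciphertext: SHA-256 in counter mode over a fixed seed."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(8, "little")).digest()
        counter += 1
    return bytes(out[:n])


# Constructed samples (not the files from the report): a note-like text with a made-up
# file name, a random blob the size of the 3950-byte dropped file above, a random blob
# carrying the key-file suffix, and a zero-filled buffer.
SAMPLES = {
    "HOW_CAN_I_DECRYPT_MY_FILES.txt": (
        b"Your IMPORTANT FILES WERE ENCRYPTED on this computer.\r\n"
        b"Find your pc key file with '.key.~xdata~' extension and send it to us.\r\n"
    ),
    "constructed_ciphertext.bin": pseudo_random_bytes(3950),
    "PC-EXAMPLE.key.~xdata~": pseudo_random_bytes(4096, seed=b"key-file-sample"),
    "empty.bin": bytes(4096),
}


def triage_all() -> Dict[str, Dict[str, Any]]:
    return {name: triage(name, data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for row in triage_all().values():
        print(f"{row['name']:32} size={row['size']:5} H={row['entropy']:.4f} "
              f"fixed={row['above_fixed_threshold']!s:5} sized={row['likely_encrypted']!s:5} "
              f"note={row['ransom_note']!s:5} key={row['xdata_key_file']!s:5} md5={row['md5']}")
```

Run it and the 3950-byte random sample fails the fixed 7.99 cutoff but passes the size-aware check, which is the pattern in the entries above. Two caveats when using this on a real host: compressed containers (zip, docx, gz) also score close to the random ceiling, so entropy alone cannot separate encrypted from compressed, and the file's magic bytes or a known-good hash set should break the tie; and the key-file suffix is simply what the note tells victims to look for, so a match is a reason to preserve and hash the file, not proof of what it contains.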
        Process:C:\Users\user\AppData\Roaming\mssecsvc.exe
        File Type:data
        Category:dropped
        Size (bytes):44817
        Entropy (8bit):7.99540754755887
        Encrypted:true
        SSDEEP:768:eWPcQqCWfmSI8mMy3Rcqq8l1varrCJoBnmX3/CNckQRgn+Enw2a/QeiFRwSkz9wn:eDQwf5I8mLB3Y0fxRR8S/iD8zOTmG
        MD5:093D144FF4F62EBBE7679D3A33969A37
        SHA1:359552B1CA07878B188E9ECF6B61398EAB3D58B2
        SHA-256:4CDB4C4B2E6B7D7126195AC5E89071051110B9E3DD0BBE43C6B511D0103164FA
        SHA-512:AD266851EF84E853D433F428711E4288C384F5F947FA9AB7D1F0413FA78A8BF5297102BCC0314C7E7CA99B46B5D4BB17EBC203D918AE41842F77B1F2BAD62FBF
        Malicious:true
        Reputation:unknown
        Preview:.........y0|..`..b.u.._..W.H.az>.6|..7v...E..}......m#.u.p....;..5..Z0.s...a.....................N.}...Q..P..y.L...-..W.oq'Ut......2L$0.s..P..."v!c.._.....;f`oW4G...q#....(T...?k.8.......>....o.l.....0......q.{y9...~w.\J._. ....`\x....d.h.lu....,...1.b]...,.$^I.....f..(6.'.xD&.:T0...pt...k...*.!...{.-~...&t...q.."..u.VOY}V.~8.<...Q..,.Gq..c.s..0Y...9..u..^..SW...<>9..0;....C...&.8..._...Sg.....q.....W............&L....t..\.....J...2*XG.h&.+.....U0..r...I..F..}/...a&....".~.....X.............$P$.F.....vb..B..P.h...s$s............W..P......2!S...d.xB.d.!..[..d.d......?&0!..r.BS..n..8..O.\.GO.?...Z.rT].y2Aup.2.q.....C.xG....J.C)....v.JB ..i..I......g.=SI..D...]........30'....@.\..g.d......7L.W&...4....v......n.NI.QV ?p..%...(.>T%.:...,d.....V...@.......3..[.T....NS.wC.E[.......$.c.~R.D..5......zp.E....zUo.>.......P..8>..!.u.._...6.a..h`..D.F.......(.......d.~.^I...R}T..>.!..>....{!9..>.5e|....g.L.S.*..c.....8t*Vk .......:.....-..../
        Process:C:\Users\user\AppData\Roaming\mssecsvc.exe
        File Type:data
        Category:dropped
        Size (bytes):22468
        Entropy (8bit):7.99142795523207
        Encrypted:true
        SSDEEP:384:I1z1s4uDgEaP0dOUpIcImHs4+ORJUd3/1hlz5Y9yswcib1hwaOcwvIv5:WJucV4OUpIcIosM7MhwLC
        MD5:B04B22166092C3030F1E736AEB0F547F
        SHA1:9F0BC85FE69D20C221265254853EDEA22AAF8F2B
        SHA-256:D5D41CBE30234FAA3303F656EB14C46DBA0E793CA8C542FA95AEAE61EC69CE8D
        SHA-512:054CBE9036E40C6039D6372C336CDAA7F2B5B7BD68CDA731FC7CF8AE595A2DBDD333DAC927A2D5EE3DC0E52312F4E9BF55851CCA378B9C96E5166C160B053B85
        Malicious:true
        Reputation:unknown
        Preview:.w..XI.*...G+.A.9.....'.N#..g.7...+.m..@B.3f.KlRR.Qa>..:.w.@.....+.U..}........q.&c9F#..T.D....qB..E.P...).\a.N..}.....H...A...'..?~J...\%CY?...>s..t.N$'....!R...y.6/c.....0.w.d...".].X.......y....<l......V.B.~.|..O9....sW...B.k+kfi......S0.=. ./..C.]..2?....h...Q..c.G.E.:..D...+._.`R\..<.-.....|<.@%...K..n..t.8.I..(..........<z..].#..u!.o%.....y..e..)<+t..DG..CG.#.r.{..Z..>R...Z.UD.E..V.e..;....X. ..c........4_^...Su..S#.}.*WP.`N.^......=.../_...u..L..4.".#6x.hO.^<ns' .A...z...ip.o..z...k..q`a..........B.=l..e.jps#._.s..tTM..2d. ...Z..#...!e.K...7.O"...mf/...#..F.OY......H..k6.`&./.....I..H.K.dtK....c..v'....".4.........wON........#@...#G..B..I'T$...#Z..#...*."~.@....w.........UI.0.Db..*@..t..Z.2G%.n........W..}.%C.R.Ym.....d......~...b.T..aS..R.?.H.X.$3....,.D..C^.l .O~...._..q`|.......b..}nd......u.q........e....?s...O.!..q.....X_.Z......K<.-.................o..}..>#..4)5li.~\.y..5..u..d..}..v%.0}.......e....`n..;lb1..$8.....+..
        Process:C:\Users\user\AppData\Roaming\mssecsvc.exe
        File Type:data
        Category:dropped
        Size (bytes):18738
        Entropy (8bit):7.99013696846491
        Encrypted:true
        SSDEEP:384:/YkU1BRcxI5YHxc+NEtCxSXB3OoqlQ3NDLLQ2A/QngoIEuf+O:/YkkIVHxOtMGTdvLQ2A/SxIEuGO
        MD5:8F7D0E6119C3BCC6011FB7D802A94333
        SHA1:1F70ADA90CB03A8FA343D74E59D8F68750333947
        SHA-256:DBF2D2A9C99F95617912144497F2A35DC5F2ACDD29C5EDD9D9FF7759DA6004AD
        SHA-512:E8929D779976C675DA3EE73FE53F71A7D83D80B1CE462DE407D74A2217AC943DF313D422E60B59E6DEB0E40009214B0531812915FF3D36EFF0F60328D6678FF7
        Malicious:true
        Reputation:unknown
        Preview:..K\...%....3i.....Cb(.6s.@.S........i|...!..Y..X]..*R$u.s6.w......HI.E4Q..8.37...*ywF.....#....].2..CEW..z.K..5.6.Us.Jw..G......^.L.?...v.......(c.w.......#=.x`..;.1...8....{P...).rj..C*..u3.`.1..[,..}C......>R.JGd.....IL...U........K.+....Vp.vrbuS..NU'.9@ju.k}$.......u4.. ...mA.%e..A....C.8.29.GQx..,.W.....+#5...6.W..S..n........j....k.#M.........zi....'..I....V\./X.../..Cqo..dP...bB"....v..T.v.tJ...AW..zr......U.:..*:....[.-o.y..-....q.{.....6.Z...9Z...........d..?..6...[;".-....-r.|.S.[.*...J....,...q.:..D...e}5...79...P<rX..8.....$.....K....&.^.].q.a...l<y..l.H.E....$...\.W...$..X.GPoJ.R&........vVa4..hhS[1.<.*..HS.R]V..v.U...O.)....C~FS.)2.5.\...G...c.K...i....T.c...}3L....%.K.0.5Pg....q..{....?.$S.K./_.....C......<J!|..Ji+......;V....-ZX.@...ZC.7}...8..@9WH...m...-_..|t.P3,zlN...t.I..H.@../i...=.K7....T..</.v...Y...%...6](.B...jm.O.n.......~.p.}e.].h<&.)....\M.}s..N$......A..`........`8.../.hOc....r...=8.#.......GH.y.SE....
        Process:C:\Users\user\AppData\Roaming\mssecsvc.exe
        File Type:data
        Category:dropped
        Size (bytes):19884
        Entropy (8bit):7.99044546576082
        Encrypted:true
        SSDEEP:384:eXFpqoQYikdSAt7H87y0VD+zRG1rWQyPe2Xm8uQQWu72Yy/sD7px5X9Yttw6P1T:nuHZHNRTrPe2WWQWcVykXStw+T
        MD5:F8B0442B391F8E341EFB4555A886D8D5
        SHA1:8C06AB21F2DF340DA526CC0A5838108A80E50066
        SHA-256:4AA701C3F88D298D6356AFE8DA76AD09C8879BB257D9B5C290BC93654FA8F6D9
        SHA-512:233D76EC39046667891E54949211B36C9650BF2F866E7883CB0166D1292FA058F352ADD21C176406635E73F1D2151CA3DC20EEC5CFE85238252BBFB51E23C452
        Malicious:true
        Reputation:unknown
        Preview:......-...<r.D....B...A..J..wP.....r...=..X;..^$b&<..0...x..g...#.X|&H...8.7:...(>......aT.!.}......R..@..l..........*../7..otD..h...+.[...y.y.k...V.e.....Z. .<....r..<YN..f&.r..}.1)..L..6.5.d.......8.....m.{.."5...|A....BCn.^...|.2.e.-..!q..4..7...w..N.&B.....oN..fS.. .>!.o...X'_w_.RE^..:.........X.r...r...p...5..)..W.@D.'.E.Eo.E..0p.Qu#..]....}'..rD...R.OuV.|.0.]._.#...!.......X..l...I... A..M.;2}..J$'5...<...l...rx.{He.B..Y..!Y.l......Y..C..]...2.jU@..1...,.P.k.x&...`O.M.4h.!)K.......XW.!.\....hP..U...<lv.}..r...H.._h:..wt.<./W.@....q......H..2[..o..~VX..N.p..p..K...=.....#0V[....o.i.LC>...>.-4..y..q.........E:.d.[.]....C..C.b..c.s...c........?...9..j-.....=h$....28..........i.j...93N. ..G..m`7.U.[.m...6........u....`..\<.....w.x.HJ....3...i.(..'.,c/.=........6....G,..I...:x[OQ.......Y[.."=.<PY..E..p.....Q>m...g.2....,u2j.~3..r.)...>c.....Yx....Nh`R..O...JT...ZS...!T...Z2...wT..z.....!y]...6.....E..^.o.T.y8..G..~..@..
        Process:C:\Users\user\AppData\Roaming\mssecsvc.exe
        File Type:data
        Category:dropped
        Size (bytes):22037
        Entropy (8bit):7.9911950934734035
        Encrypted:true
        SSDEEP:384:1IH1rdW2ZGsdxhsjT7XqNT/PCm7+61oJSdISBMYS4epW3V7jMxfXRFiBNc:UJB+dyNIwHmk3V72/RGW
        MD5:8F6AF05A8AAB0B01D231CD099A1A225A
        SHA1:1F9BB3799F3711E6D4E0007F70459407C923E94B
        SHA-256:AA54387BAA72EC65F1D754DD8AEB4C5B80AB277A0E54E80991AD17A2BFC267C2
        SHA-512:9E6819AAE9DA2B9F5FA4B12DD3F5C97BFBBAF06E0A653F0D4C9B56EFDA003E1A4B758BEB38AE515618AD94B804AC4E8F71193E54420E89CFCD41E177F65BDDED
        Malicious:true
        Reputation:unknown
        Preview:.A.Q.....Z...E..o.....se.[.*....].....j..}p.LZ.@..f}..\..}O....WVV@....7.d..C.Us8R..Y...#Y'..n....''...(l.H\zL...R.m.4..cNK.02..4...`.QD-m...HZ.....z|mI\.L....y......<=\[.+.p.T.b.........S.w.*..$5...c......mx.D.M.........[......H..'.n.v.C..w..{..};._Y.j..D..y...M.r..e9./..f.|."$........".......m.^F.m.......p82..}.[}L.Ur.<..jyA[x..9m.G..X..q...!#.}...Vm;)..(oC.w..+..y.hc.$J...|!........#Q...bo.M.y.d.G..<u.IN...._.(...........b.E":....z@......<..w...V....!...2.K..]...A.PDeK......W...-...m.<0....?.......q..#x.%.w......(.....@.<.2.vcQ.I.+....u..y.g@4..C...F89.%."..R12#z.<^.s.4m....c..?1....+3...r.. .4=bXl .4.f........V].;..#..+ .Z..u..K.".E..T...I...."._...u~.G..[.a.A...".q.HB.Z:sYUn...j...9..3....d....b..A.;.t6".x`.......Z.=}.Na..;.9.?j.I...W.:.1.n}..7F.x+i8..T.*Yd.P..h......v.pm......N....6.,..N|...im*...\;.;..U...xG.=g.~.Y...m$.;...1.f+...).".p.I...g..........Cy.n..}Z..2zN.7.&h=......N....+rO.W`Qo`..}.&...\;"..>..........q.+o...5...c....rL.....
        Process:C:\Users\user\AppData\Roaming\mssecsvc.exe
        File Type:data
        Category:dropped
        Size (bytes):40452
        Entropy (8bit):7.994863047317422
        Encrypted:true
        SSDEEP:768:nTHTeOe/weXbgDfKFGd/cdUpzq1QFaL/LqjKmtHJxflQzkD2oox1DSSfYks2:nrWHbMd/OMm1QrBDx9kkLofSW5s2
        MD5:3A0ADBFADBA2AE3CAA7B274DA242D59F
        SHA1:871E22FFFADF30832852FFBFEB2F505F0BC94D83
        SHA-256:C9808A0D8CF2EC96E467F5B3BC15C961D953D1E70D6847F789756D0967DDCEB7
        SHA-512:C17C791215C50ADFB00ECE2C193EF8FF387AD33E33933FDD2188866F03E04E488D950C40B415B98AFE9E04E5AE45CC056601876845DFBD6D45AE7A124DD6E7B9
        Malicious:true
        Reputation:unknown
        Preview:j..n..~E....&r...c....c....O...J.;.t.5...&.KI..me..gR-...#.....W..H...aK...>5...c.?u^q.......3L..5.+_OB..zk......xi.> ..........#&.....{.B..^A .iA.Qn.+..i..Dw.0..d?.Im...q.........Y...\z.[.O..`..._lh...0.a.+o&.I.......#q...:E..0.....H/....n.'.K.i"...,qLLJDz..T.^=P..i.R0..C..I.w.g.^...M..b*#ip..<. 9q..n.q...BR..}P.n....1%...&T.x.n..........D......E...d@-.w4.u.......I.FhJ;$.G....(. ..3M.D0.....r.....$UN..3.....M....%...5.B.....;n|..NH...!....*O./m......c.DNxa.....P..'..#5.[......"C.@.S.....]^.....!*l.)..Og.@.u......F..6.q..3RGu.5n..X.l.J...#..C....a.."......H..oe..P.%[R....3...;....C.8.V.+....GI ...b....f?g].p....]...y.\,|.@EXo.V(d.YL]SK.V.g..Ea.W.$..:.LD.T..Y...h$D_...Z....*8".H..N.2......".......O..fA..B...XPVF..C....Pz.r....g.../.Z.Nc1.6.Se.....=v../?....!..h.........I..s.Y.<...y.......-..;......._......kl.. .%R..5<..K.....]<..PER...l.f..l...S.m>.NCn...]...aZ.Z.".$.._yG.L,...g..=.F].P%.Q..w6..[j.!V9bL...>v.(v.r..7Z.[.m.~3..h`o4.v.{C../.M.S`.2.G._.
        Process:C:\Users\user\AppData\Roaming\mssecsvc.exe
        File Type:data
        Category:dropped
        Size (bytes):32384
        Entropy (8bit):7.993003159264439
        Encrypted:true
        SSDEEP:384:dgdVsl5/XOovznh3GQ0b+0A4oMui/+yg9fft5mOaJTvQ/NIAjhsBVXsOk/VxU3+J:OVaXph3GQ0bFAJSGhNU613KVX6dxU89
        MD5:DC60201BC7BED4140F79428998775974
        SHA1:8F97A18DBAAA9921ACE3539159E1AE3896BBDB12
        SHA-256:A8987F74366447E10E11DE0D97778F888EC62A2996268B3118E4C058CFEB7D10
        SHA-512:D018511FED6B08A40A9C634DD292960AB5B76A18AD380DEE629B199B4FE9291BB604D46D4408DA620C6011C12323BC4567EDE96117D62A9E9F47054AE713906E
        Malicious:true
        Reputation:unknown
        Preview:.... C.y..............P6..._.S32...`2.....L...C...........D;"....x....YYK?..o.=...z.....A@......zx...T.?!~oS....9w{..%%..@b.:....t6.....iW(.X.g.'..r.$.#.....m.PHPzJ6h39...~1ld.C..+....$..b[.#.".K.J[.dA..kQ:.x...]._.#My..7.1..c....V.."E..kwek.!.XJ._..W.LBr.(.Qh..?R.g<Q.HnUy..ogw..t.0.A..W.&)..m......8..T.;.8.K.Pd.5X........Q.47..e..!jO...~ii|. A.l.|......d..R...DS....$K.sp..0....B..Cp..M21......&..P-.L..p.5..zSa{*.Q..&.-'..=.p..vq....f6{..a......p..O..p.X....&v7.Uh;j.,..N=...Ar.......h.{...F..?.,.'...@.v..b.ZNc.'H..Vq..9...>.s.Z.]..i.]...{Z..T.F..f8ny....s..;.){..Qv...a.L.%..X...P'9..3...v...U........G..\^.s..4..A.`.FQ.R.%..<.]...o...I.z$]..7...k2...x..5.f.......E...M&Zy...wL:.n.....)..3s:.=.d't.\.p.A...J....HE.......p.U....,..A.....J...}.....O..S.\}8.I..".p..^.I.b._n.U..!..*..2Y.nx.*5x..{....|'.Z..H`;..rl.... ..3h.p@!;\:....ao....J*......d*..k.;".!.0V...'.....U......Y.......Py..............l....9.x..*....;.....L........P[`..<@.)C..D
        Process:C:\Users\user\AppData\Roaming\mssecsvc.exe
        File Type:data
        Category:dropped
        Size (bytes):1126677
        Entropy (8bit):7.984197566594842
        Encrypted:false
        SSDEEP:12288:rHhfAhACqcTqk/4WIJaLSeC7Qcxa8BInabuHh/3476xZjZzMHF7NDng0k8atN1aD:ZcsbMoChriBt
        MD5:7D41479623BD065CBDA90C22E9E1093F
        SHA1:16D1B2EB02E6C931029024F0C2EF774A6A61518D
        SHA-256:70D179B1E1385AD49F230D9E23FAA6BA98017BA0D42E7521C2BA9BFBC78BA9FB
        SHA-512:5C0DCDE1BB008C2680F7FB1078560EC0F11CFB5CB14801B9980B9A0D86CAF5663AB85A0CE854107F5CDC005521E98714EE3E3813C7EA1E20DE25C80044518F50
        Malicious:false
        Reputation:unknown
        Preview:...6q>t0Z.*..^_.{.....`.{\......f....#p...X.......K...-spMc...9......&n5(2i./.V.M.S...~.v...$.........\...x.M^...c.m[.<:~7..........Z.P.m6.g...p^...[P...y.....'o..}._p..8O...&.......x..!K..(..^Y.:....a8$y.De..}...Pf.2.........uj.r....Y.....2M....K.u.X.0...xTm.x..z...t.LJ.......W<....f........v|.1....B.D.7}.^..#6.H....A....47.+.....LO0.H..e....(.E....0.(..U...M.1k.6eh.e..L..R..\^.Y..9%.|.....>.pcN........Q..G.......g.9M......#.vV.^:..P>.E..8....9R....{.....Z.......,...{..nG.R.#.o.\.....3..O.._d.~.....f-..T.;..f.....K.Zq.L..WLnp:.@...:v\....XE.....y`...>..U.j..$.h..BS.D}...g....~...`..o*....&.....(%..vq&.....T....g.M.f... z./...L.c.}.V..)...7.#..........v...s.......l.>1..@.5D......J.Y...6..-^....M...p..e...E&.....S.S...............N+..j..O$.........LA6.Y..=...n0.e.SuF.H..7..)Mp..7VE.-..?..t..mW.4Z...B.~f}....pK........Oz.}.iS......=....y/k..?."l<..9-..HP..P.........\.6Di.0..........3..-K....lz.&.8..h..\.#..bQ...~....P....... ........L..3...2..
        Process:C:\Users\user\AppData\Roaming\mssecsvc.exe
        File Type:data
        Category:dropped
        Size (bytes):200721
        Entropy (8bit):7.99906272624114
        Encrypted:true
        SSDEEP:3072:+uYi/Tq7giJ67EqIDlyIbkbJHOYJ5gwiv8cmTllaJOUGEyTzg36hSqdFlB:+02sp7kD7g54wo8cEllfURgtfB
        MD5:2061501141E94DADD725351A1CD1C7D6
        SHA1:794B21C61D4211E3363FDB3B5D487EE546F97300
        SHA-256:8DD7BC178E1B7E39CB484D62E3E07125FAC7FD7B94803E02F83D420C656CB3BA
        SHA-512:E597E34B6AC43681DFA778CEE124344A76D89693C0AFF193F0C4FB081FFAD0B463E539623AC3323FAD6C48F5B29E4F4DB46CEDBAFF5F09C41A0AFA4E1822A63F
        Malicious:true
        Reputation:unknown
        Preview:g..=..s.0.{z..w.4.......SN..x....#F.....M .....a.-.[.9F..e....mW.>...QF}.:....=y(..n..'/#}$........:.....7.B..{.U.....3).D....9*....lCPZi8...i....7.. ....#&../....\6...q~Q..g...%.2.A...w.iRc4Z../....~...D...1......,CE..%..g>s.q.>..s!.=^z.e....1-cp.I..8.D.m.W..YF-WN...t.j.bZ.gl$1......I....e..2S..o.4../Y..UD./Sup..W...Y.I8.r..LH]k.A.z~l].{cEik.).^Q....Ah$F...!F.}E.}.......O/.rC.hA.......M.+...R.2.e..f.Y.....E....-.m|.l....80[o.......B...K...?.E.Q.b...."}...:D...:.\...1U......G....O...Vb.+......L...7l.K.<[")6..|)j...MSc.e'nG.$.H..\........{.@..K.K...P...V... ..g....v?...J./..`..n....8...:..l....G0.<i...L.....-2.csx..r7.....V}....lm.>.;#...........}.>u.......w-..Bb........r..U$....-N...E..y.4...f...#.i..).8.Lw.T..f.......7.a/.......a0o...,...5b.Xj[.V;.m.]12W.4.....J....<..7.W`..U.|.....a.....5...OO..B.Wj...Vu0q'.....4.7.....Q'...n.\.>knd4.UU..W......w..z.RB..........K.........E....?>..-.V...(.1P.,V{..{....I5..V.r...A...]5\.H[..H.......S.c....
        Process:C:\Users\user\AppData\Roaming\mssecsvc.exe
        File Type:data
        Category:dropped
        Size (bytes):3602105
        Entropy (8bit):7.9997955263625595
        Encrypted:true
        SSDEEP:49152:Ll83YkbdpkEGKNmFTLKTFILomzUlhrOKIyOeQvkbNmMyTC4PUMhhPBEUhV1meJkV:LkkFKkT82LrUlhrPrOeQvkDCUMfPbwP
        MD5:FE1091DBC14CBEC36011111B0D2FC31E
        SHA1:5DAA5369723E7525ED305F65F343DA6377A1CE1F
        SHA-256:572E810FF5D75AC486B615DB55DF939A7073CA69677DB735654E6A75CA2220A3
        SHA-512:3DB0993DEF8AD9EE43377295FBD304A85A681FE45BE05F6CAA289B5A2201A45B48421E69A920350009376C64951B1DFC0084B2E837CBE80A3C17D4E6CDE22D26
        Malicious:true
        Reputation:unknown
        Preview:)..8...qB.jx...M..,.Y.......gV^.y.E.d...A....!.?\.-_V....t.J#$.._O;.&g'...!......<..M|g..*.g.E.....r...".$..;..)..| .Y...N.....<..6..v.K.q.....D.......Z...J8(.'n}._p.}.]...Uc25U.0.l.t4........{.........Z6..c.pv...Z...a...0,x.....F.#!.2?..DT^..R.b....G....y.ye......>:..9.\y..N....AC....Zd.0.....W.@J....j.qw.AEs.p?...8.c..e.6.......y...@`.N|;....dN....2k..z%a}...M.B...6C..~$.WvV..~.VE.MN8..\.......52..HB.J.lI....J)@..n.T`.rxm.,@.k....C.5...L`.!..w....RgC.P%...\*%.j.g...49.g...g...G...w....V.BL.p..1.~'Ni........%M...%2.....[.<.Mu.......BZ.z..>.7..K...;.....=.j...j..q. ...0...d... .9..B-Cd.]7.]G-Fp.*an.....r5............x....(qu..nU..J>.y..&5Q....L.1=..)k.w..dB/......v...h{l..g..k.Op.\...h.l..j.c ..^...7..Z..(xx....xi..p7F.%.,..f%....ak%..>H5wy.S."^D.......<...9.p6vG....$}/:._.C=....D?..5..+W.J....Rc!.........=....'....^.?l.`.H\.-...2z.a!p.M;......L...m..W....."...{...N(...O.....1....Q...zb8i..z.{2....3..H..^L..'..;.Y*.%T.bwF..uU.7U.0
        Process:C:\Users\user\AppData\Roaming\mssecsvc.exe
        File Type:data
        Category:dropped
        Size (bytes):239085
        Entropy (8bit):7.99919210576713
        Encrypted:true
        SSDEEP:6144:VQQVA1gTy0LLDdJNFGnGdadU0hMvsQRUl9KcYRD:VTA1rKLFYGOUSM7qjw
        MD5:CA0581E8772BB4BA43FA20B7BBACA71E
        SHA1:A287080BB0F5CE999EB2001E51D378D8EDBC113F
        SHA-256:3A7CEA87A7B25543413FD8B571D0157CBCD1EEE6617DB03DB44027AA78B3B296
        SHA-512:B15B6E15793BA3D8BBE02A054DF3D7FC84F9C53891BCFDCFC52BF2B6F2AF7FE1B97FC4EFE4BA15CA13DB38A5BDFE9ED786F65031533624A4DAD5914EDA166C7D
        Malicious:true
        Reputation:unknown
        Preview:c..@9....A.zCq..|..~...T)cx9...sE(.....{.(.B..au.c.n..y..T#..k."...g...^.Z...~.....c...Y....x...@}.n.}q0.Y....L.&..s...hl....I....u.kN...h..8.....p.w....'i`..\..]...;.)..}8=.{.`....5.....H..Z.*....6q..x)i..e.%..xK.e/W..$._....X=QU.......*P..U7 Il.J.....^...F..Y........b#..........e...P..C.(./q.u..|@.............?3.6.ULt..D.+.P.....QZ..z...@....;.5..`....|....BI;......pK........Z.k.y.....U5..V.........._...*}.....#+.v*5.r..Ucyf......N.rp......?.]...c....PQ$1.../.X.xh..f....(..&.."........<..F.U2.._U.E.X......8j3..Yd.8......Zw...F....A.E.{W....6.yG.V..v..H.).5..+V.|..:T..}c..`D.@....~_n.N.+.p..|.....=.87.9cq/6...1..{m..u.hnt4.dU...,...v.V..(.~U.}...J_q.d..........E.u..oW..x......M..[c.|...h.2O<0.....#..&.S.k..._..'_v.ei...S.=|..Z..o..k....qA.`/......p&...nU.X.L.9$X..=G8m...=...V..5;pa.w...Y...P...Y.a...:.yU.k..=.L..r...M/...Ob?.7.."..|.~.eH..\Q.......y.D...}..E.cF...A[.b..9..<......b.+..........4;Czj73b.....x"....<}.}........y.[m-..
        Process:C:\Users\user\AppData\Roaming\mssecsvc.exe
        File Type:data
        Category:dropped
        Size (bytes):162976
        Entropy (8bit):7.756031453354599
        Encrypted:false
        SSDEEP:3072:ypq33uqrka4cybcbzZDq6TCfXKfPjYbKSs2er/fosDPV6v6V:EakaVycc6Ty63oKSOr/foakiV
        MD5:3C32F0075FD920443A47B81BFE5D14F7
        SHA1:302869504C6C7993D2ACE4E0E9BE8538B55EB4CB
        SHA-256:0874519577B832A9D7DF3069B2005D6D781A3B5609247ADE0312F6852DBF9798
        SHA-512:161538BC40265970A99FE4CEB495B8D920A0F2F7D8DC52AD46A79925C629C8FC9AB288834EB6C22711AFBC99F95A693D1D76360FA71ECDF6FD22716334B98884
        Malicious:false
        Reputation:unknown
        Preview:..3^8v...B...BK...@T@..sy.5lf.......p j..R....U\q.!.e..Z.q..(....g..F/..M^.f..R.%<t.$...(.L.4..U..I..w.uB...`..d._.3.x:.T..H.....A....lJ.cA.$.D.8/.!$h..Tt.N..~?Wy.K...._.0..J..2K]b..\.b4AL.\....g..M..............h*n.m+....R;.O.....-8.}'w..K.9!#.TC..1..U....\.8.6.o...g...e.i....4/..P..N.N......#...-+..ym..CS.p.B.ac...C.f.....<..5.S...RC!@.y.....Q..Z\...4;f.......9...v$.<...j|.o|.\...:%.-o.1.).Q...0.VN......K..G.c..!1..>qW...[u8...Ty.m...8'.XWs..K.......5..~z.80.t....r......A.0d..%..F.E...%.w..t{j..=..m..#.......z.....3..i<...^.....m.l...;(...a.^.5.)V.........R......6......b..e.+]/....}u...5).'.nt.{..O.3..T..l.DI..qjb..t....k.Z..[)...."..o....K....'.o.II....$....|...1.....lY.... ...S.$]o".g ...i/o....P..r....-.wx...>0.7x...........io.*6.....)S.\..:}E.?.!..L..X.."y.J..qnQy......gr6..IO.=`+mM.......7e.h.OB..R$.....<.......C.9..N,1.hN...F^....$@ .U...U.T.....bJ...h...g.{.....(8..]...$..g'..,B..*..."^..q......j.....k.o......[....d.N...{.%6.
        Process:C:\Users\user\AppData\Roaming\mssecsvc.exe
        File Type:data
        Category:dropped
        Size (bytes):226696
        Entropy (8bit):7.934817737554407
        Encrypted:false
        SSDEEP:6144:NMcSiP6ecMdD5oMxS7ModM6dYTYSrvs5vA0:SczPBT5KBurUSrMo0
        MD5:22AFF8CD86663B6D406CE19439C04178
        SHA1:A325026CA423427AAF38CA383D9C9B2AE0028C46
        SHA-256:EA0036945B9B7FCF65B4951A58FF015D0C865DD60BAAF27692355197605186D1
        SHA-512:A349213FDB67553F82FFC3631D61BE54C1B575A897D093E3E7431C0D3486FBCD0E92EDBFA79BFB7F876FA63DB4775DD1566F196C9050FF5824FD056D6973A8A5
        Malicious:false
        Reputation:unknown
        Preview:.......n.. r...N..fs.s5&.R......?.H..J.w.i.z...i$\1b'9.dl>...l..Sc..E.>k.>...l..Sc..E.>k.>...l..Sc..E.>k.>...l..Sc..E.>k.>...l..Sc..E.>k.>...l..Sc..E.>k.>...l..Sc..E.>k.>...l..Sc..E.>k.>...l..Sc..E.>k.>...l..Sc..E.>k.>...l..Sc..E.>k.>...l..Sc..E.>k.>...l..Sc..E.>k.>...l..Sc..E.>k.>...l..Sc..E.>k.>...l..Sc..E.>k.>...l..Sc..E.>k.>...l..Sc..E.>k.>...l..Sc..E.>k.>...l..Sc..E.>k.>...l..Sc..E.>k.>...l..Sc..E.>k.>...l..Sc..E.>k.>...l..Sc..E.>k.>...l..Sc..E.>k.>...l..Sc..E.>k.>...l..Sc..E.>k.>...l..Sc..E.>k.>...l..Sc..E.>k.>...l..Sc..E.>k.>...l..Sc..E.>k..D..t.U..D!#KY.!...H..'..$j..w.rv.Q..p...o\WV.-...k.,&.5.b...3.....p.'.4y.m:c.z..W...o.N..5...m1.]).S*)a...D<|G:/....a.....0.1..@l...".<.)..6..L.b.U.....?...p.@....;...vq!~p.F.."w.!9..~..G..}..Pa.<.W....1........_....I.!.K..u...H5...."j.}@..9o..D..".kTE..p.....4h.q...9..#..x.0..%.:&#....k..$....S=.......W........w.....F\.a..P......>.."....6...v.1.X..l..$..Gb.0:Jv. ....~ ..v.wdF.'.\.urc.=k...&.wk..r..7..n.'*S.(.b.
        Process:C:\Users\user\AppData\Roaming\mssecsvc.exe
        File Type:data
        Category:dropped
        Size (bytes):221455
        Entropy (8bit):7.86301874584872
        Encrypted:false
        SSDEEP:6144:FFIGE7BD7VdcGxr7frpn+mGsEphaBNdjpQ:FFIRl5dcGxrLgm+6n1+
        MD5:2C50A8EEDDA092FE5C65186A29EDE552
        SHA1:6B374840090CF50BAB4C14A735E72269753E5AC0
        SHA-256:9E446F08E8ABDA263EEB8C8805AB27AF4E70DC5B52AD6E89C39D62CF20590998
        SHA-512:8F6D129B8FFFDFB8CA5D52EEC65F6205D3CCEED765B9B5E0CEEF7B0D1D1024DC76AB7E852FD6F4C946EAC9C87CC597F3E903E5B5059710DC18E49C100B8E7606
        Malicious:false
        Reputation:unknown
        Preview:.S.;.U>......;...fS...$4.....x..x........H7.....R...,....`.....,.auG.._@1...F..hJ..D.7..[B(.u.[Q...].u19:7....F.F\.9.7...r..1o..g.(Bz.U.Z..@.....I..H...)bH.O...9Q...Y7..n...+.....#...v..O........qE@...O...........?Y..Q..g.].c...F/~..&..(...z_!....Eg.xe.$[..lW....P.#..sD.H.5.X.X....@R..kQ@.(..{3..M.R....a......C.L...X.....%}.j.:..R...E.jg2.....!.l,.9A.#BA"vC~...>&......K.D.7{./..E..|.&y.3...LR...i..O....zV..kN......&.d..d/....X.....m.<..!.y...:B..V...I..E.....=..._..w....ya.0.dMz.d:?v.N.*....3.0.. ...m4..d...1O.@4.(sZ.t..q.) w./.O...6.x.6&X..#RE8.....s-...F..n\@.n.b.C.9;.:n..L..K.b.!.....D....5R. .V^V..m...p...5..s.......`q...../$...q|e<.qG...d.._..T.........p0..."6.k...x........%.b......g=..4w#.....v..".9.+.=.Y,L..S.f.>.NkuU...^4#..J...5HJ........x.%9....2...c..pI..`..DV..3[\.h.T...".B\..IB..o.Z9...D...5.....I.z.....5]^.].>..^....s.....]..q...x....Z.?xr.o1.q..^..ts....L..............I.."N.v.....fM....0:4...rtNo...K_...&......Si.
        Process:C:\Users\user\AppData\Roaming\mssecsvc.exe
        File Type:OpenPGP Public Key
        Category:dropped
        Size (bytes):18640
        Entropy (8bit):7.917196297236861
        Encrypted:false
        SSDEEP:384:PhZ5coQlKkMvRMbtL+fwCovo1jtw+9a1WiIFDKRxS:ZTQ0kMJMRLW0o1jL9a1gsS
        MD5:A25F43D3224EBC013A1E53FC7BCA82C0
        SHA1:25E057B311AE9AD0183EB95CD1BA1106C8821CA6
        SHA-256:76B407947F44502B1D0263B9C9B3F2B1CFC818920841C47A5C239AF7B23B80E0
        SHA-512:60BE88B406E00D9D1FCDB3FC4C72AA2FADEF89716B27496969161EF729163373AA1EE7F3F494ADA2C81397D1AAB62EE0B04D24F245C76498612E2AAB1E9A5CAA
        Malicious:false
        Reputation:unknown
        Preview:.d....z.pl7r............E.......)A/.r........a.x.F...s...A...2...U.0c=..L........U.0c=..L........U.0c=..L........U.0c=..L........U.0c=..L........U.0c=..L........U.0c=..L........U.0c=..L........U.0c=..L........U.0c=..L........U.0c=..L........U.0c=..L........U.0c=..L........U.0c=..L........U.0c=..L........U.0c=..L........U.0c=..L........U.0c=..L........U.0c=..L........U.0c=..L........U.0c=..L........U.0c=..L........U.0c=..L........U.0c=..L........U.0c=..L........U.0c=..L........U.0c=..L.....Gr.......[j.0._e...q.....,....z.......no.....**....K..&,.{YL...G'......o.....xt(h.h. sip:j.]..e....e....>u........]....%.S!L|.BU`..+p.T....]..B..2.....x.k`L(~<s..s'..#9...*.6.O.%...k...{.7.h'.3E...O...39....H*..#...h...b..5.3.....I?X...e.u}....D.9KA.mVz.B..P....&W.a..UO...:"...#e..Kj...L>v`..6..7>.w.)f.o.yZ.q..=....:..$M=c....!..^....H...O.N2u.Z...3..8I.Q.6dD.d.d..............i. p..r3..n.2...R2...g. .c....~..BA%..I.?t&;EfF.^.6...9..Q.....]\.C..F1..a.[\;.h....k.......<V.
        Process:C:\Users\user\AppData\Roaming\mssecsvc.exe
        File Type:data
        Category:dropped
        Size (bytes):15173
        Entropy (8bit):7.987061920962947
        Encrypted:false
        SSDEEP:192:JfDb3d2pTvzrZkCKql3vOiBY+xWRugXv6L6Uxn9d68WsaS4+iLcP5575buE1FvK0:t3EFNk5iLWRug/6LXxn68Wsa7KL756Ef
        MD5:C147CF179F86307BF45513A5D28222E6
        SHA1:49698AF053D2502EF182F16865378A190FE17466
        SHA-256:9AED5467893947F97A1AD22E583B376EF9EEF18049DC847B64FBDCBC095AC92A
        SHA-512:60CEA65E388D1784FF4A5BA161A7D3BA54CD73A3934CC64955FCB495EB6A4FD74650955D21F9F684DF95872EE4988D8E233DA3644268B6F76BAE0BAA781103BF
        Malicious:false
        Reputation:unknown
        Preview:..'........._.9..{....i....n....b.mX...!'...*....|.>H...-C.4v..........j.....)>...S3.A.9...........[....5.x.t... 0...$..5..!..a....f.6.#..of...w.1..y..l%!ds..:...m..+...m.@v..(..>,......Z...<.[..e..B.....r)a.e....o..._1....Y..}....+p....0(....A..zZ.uf...:.....N.|4..Su6.T.E]b...v...$>;....Tw..L.%e=....Z...*..vQ4..K...i..."..1.#.x.].b......+OW.4.7......M......>.$.}\...e...P..FQ5......v...Xw...G./k/t..%/.>...I%...Jh...c+.I$.I..I..<..'..(:...%7.F..$,..........c..0...PU.6,7....M.!X^.0..0........D.....]X.p..{3[.n"T|Uq....{...U$.q........9.T:.Q.L.b...*..b.Ki$C-.}!eO6..G7.\4.!.It.&P...1...1....^P.._)...*..ud.S.X.7.....A..1F.p5R%`/@c.O...'...v..>......Y......9L.}.....YL-....7..y.._.s<c..Q.%..v....o..<l..Bb..[L..0.........[K...,0.Z.Ht.4)K!.Bp..p;........vM#/..*..z...<;W...(Tg`........x{MvY((B..l..r....Z..>./....r?....1k.hZO..(....aD...?A\..~l....H.L.2V...I$i........./w.Y.........q.......6...(.x...#...$..nW...i.My.<9..x....gU6........d....F..H"U.._..h.k.O
        Process:C:\Users\user\AppData\Roaming\mssecsvc.exe
        File Type:data
        Category:dropped
        Size (bytes):29614
        Entropy (8bit):7.851754424096338
        Encrypted:false
        SSDEEP:384:7JC7trxdhiG6/8q4khSzP9RWFiEx/X3f5NfRinJ30LlY+Dhd7cQ9WMQxUO72HqhF:8bhij/FhS79Rs3R2vQqU2hd
        MD5:6A303A81579E0AD051A7F4486697AF89
        SHA1:78FC06351D2E6017FB7BE4D07EF5566F1CDFF411
        SHA-256:A4FB2C32D67C3BDC7C6546A3DD770A40F78CF38A433C1E911CF4943A9712CDB4
        SHA-512:E236CA7FCCC5244DE61978A1562CC1E39B8DBCD7108E8C89AC69C804844AA995474E2B35EC257187E5B2EBC49B85D2D75B0C2565E8B9BBB14D3CA7313A9E8CC8
        Malicious:false
        Reputation:unknown
        Preview:h.....U&..."._.h..!m......G...._.p.R.Y.e... p"iO....Xs..*z..ls...R.,2..f.N..s...R.,2..f.N..s...R.,2..f.N..s...R.,2..f.N..s...R.,2..f.N..s...R.,2..f.N..s...R.,2..f.N..s...R.,2..f.N..s...R.,2..f.N..s...R.,2..f.N..s...R.,2..f.N..s...R.,2..f.N..s...R.,2..f.N..s...R.,2..f.N..s...R.,2..f.N..s...R.,2..f.N..s...R.,2..f.N..s...R.,2..f.N..s...R.,2..f.N..s...R.,2..f.N..s...R.,2..f.N..s...R.,2..f.N..s...R.,2..f.N..s...R.,2..f.N..s...R.,2..f.N..s...R.,2..f.N..s...R.,2..f.N..n...+.\.(L....ompe.jgh.Z...@t.?.#..6.n. ...w1.G..z#.7S..PvW7...9.....*.|...I...?.P.&....[pz}.t....P.Rw..1..wBx.......Z.T.^..j.R&."....dY..[....P`.B+Y.......A].Z."J[..;E2G+........8F\.C...I.....8..#...e..D.E....m.k..K..-Z?G..$.....O.k..0~y.Vs..t.... .o_..h..sB...`v>..Hp..2%...<h.T@..x.U%.-.'&.`#g.....2.O...X.n.(..w.x...h.dY+c.~...ca.7.=..h.....!.Cr.]...:*>; ..xK.{.m? @...c..?..P...y.Es..k...( PJ.......B....-.|...R..)..B +F1V&8.t.........r/...=P.y. ......vN....2.C..-;....]
        Process:C:\Users\user\AppData\Roaming\mssecsvc.exe
        File Type:data
        Category:dropped
        Size (bytes):57464
        Entropy (8bit):7.971664133966676
        Encrypted:false
        SSDEEP:1536:DdwpvCd42QxdO6QqMRrfrTYKddPyRwyKBXx+MHizpETheXEz8Vgm:xAvCh16QWKjF+6iCkNVgm
        MD5:31DB21E107763787ADE99DD125CFD5B1
        SHA1:9B3D3A82FB60BE7C04465EBCF6EFDA8B0E4358E5
        SHA-256:421B834FBF4D5F62D9B038ED3D2ECF8F4AA3C269075F4EB8791A5DEFA182ECB4
        SHA-512:C68FD38714861C6ADF63171CB86FFFBE4C2C3E5BBF1CC5D446CE0060226943D7F34384E1DA74257646F44F7B18BB73D3E3146CF114CF9B0C6D7A4D70FBA0F943
        Malicious:false
        Reputation:unknown
        Preview:cA.;.Q.^G...'.O..)..i......z...)...>..*....Y.....a:.)..Q........R...s...........R...s...........R...s...........R...s...........R...s...........R...s...........R...s...........R...s...........R...s...........R...s...........R...s...........R...s...........R...s...........R...s...........R...s...........R...s...........R...s...........R...s...........R...s...........R...s...........R...s...........R...s...........R...s...........R...s...........R...s...........R...s...........R...s...........R...s...........R...s...........R...s...........R...s.......;lU..~...W.....3.......s..F\.H..Dv...,...Pw...Yv..]...~..].b..H^.._Z.U..o.\...Z.......St4...&.....r...n#....O9...._...E...#..T...<).r.9... ......eD].i.^....`C._.<7 ;$\+.x...^....gS.@=.._....y.wB.....i...)...'............*..V....a.0.E...h_....kV].(^d.}Rm...........^..mRb_aP.#.3...I....&..kj..>H..5.....|.9.u......m*.^"..;....8.{n.X...$H.....4*.....a...VNo*.O.a 0...LG.7oP(.tg_Kz,.0.KB.F~O.-..tY.;..!.Q<....../,k_....
        Process:C:\Users\user\AppData\Roaming\mssecsvc.exe
        File Type:data
        Category:dropped
        Size (bytes):72617
        Entropy (8bit):7.980658279658984
        Encrypted:false
        SSDEEP:1536:rhbFUXMkUhTw5aLKKAznoEVWbPa5sIAvrA3u:rh2XBE+ZY91
        MD5:46DDF5469137F7C7740FCDA755E7D6C8
        SHA1:FFD358B7BB4DDF1674694B83BD916806E711D1F9
        SHA-256:CB2E69C0CAB3B7C016258BEEC1057A692BF51D6E04AF06EBAF9A9E6A1D709DD1
        SHA-512:8F5497CC761DEE6E7BF0C923B4B96EC342A96F8F756F892B75EC73F77D6BD33671DDBCC5C24D2BADFE5D4491F0FD48F83886462599FA3054B02245969495B715
        Malicious:false
        Reputation:unknown
        Preview:.L.uO...}..&....6..N..x....N..L...r...@..K....Nk.'..L...!...c......z.i.+...a......z.i.+...a......z.i.+...a......z.i.+...a......z.i.+...a......z.i.+...a......z.i.+...a......z.i.+...a......z.i.+...a......z.i.+...a......z.i.+...a......z.i.+...a......z.i.+...a......z.i.+...a......z.i.+...a......z.i.+...a......z.i.+...a......z.i.+...a......z.i.+...a......z.i.+...a......z.i.+...a......z.i.+...a......z.i.+...a......z.i.+...a......z.i.+...a......z.i.+...a......z.i.+...a......z.i.+...a......z.i.+...a......z.i.+...a......z.i.+...a&..uS....I..Wr...m..8..=.M2.....82N.k........H...#..,U.../..J..R.-.7..a.~+..jxO#S...._.0M4.?5.y.wm....m....9;V..T.V.l.{..x.#B..."....V....dL..v...j.J.....W..B....t?.]R. ^.BK..r.}D/..aq3I%..M.3.s.....FC.&.+.o....t.4..[N..K...*].G!ZU..?w*...d.u.k.^.f..rk...w.i......RX.g6...U[...e.....K-.X...q..~[..8$.........^&......y^aA.....6...8..9..-."k#....i..+.;....4%..r...%..nY|e...6,zk.^..zj]ek.0..k.k|T2..ya...A.4..A.T..........-Yuj.
        Process:C:\Users\user\AppData\Roaming\mssecsvc.exe
        File Type:data
        Category:dropped
        Size (bytes):1201440
        Entropy (8bit):7.999597507993971
        Encrypted:true
        SSDEEP:24576:cX3xPpr8AXUwnj/3aseFGySG/1d9X+pX5Bk6E+tIc+gBk9+OC:AxnXzr3a7GQ/X5+K3+Di9PC
        MD5:4614605D28E2F10B6D50B06E6EBCD3D4
        SHA1:FED5DF5F788B234DBC96A60EF5581E353AB55756
        SHA-256:DA7FE250DFC02D16B1D98CA80DE5957DE9A7627B9E3533078133B32C9BF264BA
        SHA-512:C2C980CE36825C1D76B2D5154808C50ED1E644E79002F54B98EE67C1969596FC53903C32FE9700E7DB16ABF6748C8C9EB2FDB1AB3A5D8C28E32A098CB19D27E1
        Malicious:true
        Reputation:unknown
        Preview:..&..Q._b$..K.p;h./...|...1......G..U..g.u...t.=+.0-|...{...a..=....n.G...a..=....n.G...a..=....n.G...a..=....n.G...a..=....n.G...a..=....n.G...a..=....n.G...a..=....n.G...a..=....n.G...a..=....n.G...a..=....n.G...a..=....n.G...a..=....n.G...a..=....n.G...a..=....n.G...a..=....n.G...a..=....n.G...a..=....n.G...a..=....n.G...a..=....n.G...a..=....n.G...a..=....n.G...a..=....n.G...a..=....n.G...a..=....n.G...a..=....n.G...a..=....n.G...a..=....n.G...a..=....n.G...a..=....n.G...a..=....n.G.....=..-O.EvZR.J.e...8.`..;.b..h.....=U8.e..}q.O..y./..ra.-...0p.E..y../.y.u].U.Ww*l)7..".W..n.........C..v....=i.Ts....?.,y......fKx...Z....?.....@gT$..."..Jh..Bqo6.~..'r.6.>8.......s>..^Y3PNtA.i.bd..l...LSD....n..d..u......H.z}.....0.lZ..?O.,(.'Y..?..Ff.L,...=*.D...3H!.1.Z.<.$...2._..<*........#,Y..*.7.#.,:JRJ.X..|T.....Q2.M;...../G?....nefmy...-..s......qr.........M.......j.m&.0..?.....q..p.,aQ.$;=..Mg4..:*..N..d.... _L
        Process:C:\Users\user\AppData\Roaming\mssecsvc.exe
        File Type:DOS executable (COM, 0x8C-variant)
        Category:dropped
        Size (bytes):611722
        Entropy (8bit):7.999589396389266
        Encrypted:true
        SSDEEP:12288:sdtOUqICAMYPli0pY0UieAcw7YecTh98L27aakhnT7hF:sdGQbpY0RKkYDShPf
        MD5:EE05A4778C2E48982E3BFA8F815ED027
        SHA1:8F80978AAFABBD5F215F7B41A4F5D0F4FD65D16B
        SHA-256:ADFB09384F79F8092B2DCBEB94960308759E4ADA1B7AE5949B80D20AB2D02A38
        SHA-512:01C48BEDF4E9E6E1915D5DEA85C9C4F675ACAC3F55B3BD6046FC5A3ABB9647F0BD1E775FB303845DDE168F037E32E34E0E06F1F126EFC905D1BB2CD350CBFC02
        Malicious:true
        Reputation:unknown
        Preview:.1..."..#.Ws].;#l.?.z%i....>..0..u.e.e.ZZ..Q..I..&F...2P..%.^.=.....5..5.....+.!....5..5.....+.!....5..5.....+.!....5..5.....+.!....5..5.....+.!....5..5.....+.!....5..5.....+.!....5..5.....+.!....5..5.....+.!....5..5.....+.!....5..5.....+.!....5..5.....+.!....5..5.....+.!....5..5.....+.!....5..5.....+.!....5..5.....+.!....5..5.....+.!....5..5.....+.!....5..5.....+.!....5..5.....+.!....5..5.....+.!....5..5.....+.!....5..5.....+.!....5..5.....+.!....5..5.....+.!....5..5.....+.!....5..5.....+.!....5..5.....+.!....5..5.....+.!....5..5.....+.!....5..5.....+.!..b=..m..Q. ...?8z..(...WQ3.5U...a'.$..Ac...YRD....|`.d2o.."...O.r......n.><.VQ.C.Uc..#....F..{*U....I..Y....v....y...-......Y-.f!_/...v"....\V.-7.....2.t.\.m{...^$n.s.Od..e`.,..%|..}......s.1.J.s....lN..v.ZB....:.G.3.........hT....P....xu.q%...:9..KE].{.....&......-....f?..7........rL...DD.P9I..|n......zy.&..Z.<u..J..../..r...@ch.#..{.1..E.E.#A.{mG.G...3jpF%.'6`b.`NA..H...5.-._F....-<.q........V.U..2.l<^.....8
        Process:C:\Users\user\AppData\Roaming\mssecsvc.exe
        File Type:data
        Category:dropped
        Size (bytes):124478
        Entropy (8bit):7.998424303825813
        Encrypted:true
        SSDEEP:3072:l/QQAnDj2JxpKp2oMJXRSK850WCdhvUdwoxM30v3:JQQODj2Jxpo2oAO50W4vLgg23
        MD5:B3B70F2C3D0346646FDC442C2E22A95F
        SHA1:74F74F92B9985961D13DE2DA0AE5E772FB1E18CC
        SHA-256:CD316525754FF2C6A02F6E3A8AE22E3B29A7BBC6AD90B99FDBEF2E1F18823D5F
        SHA-512:13E5DDEED8559BBA5C84F07C25B152F373D7B051C5040E423E8B23C0B49BA13F8BBBEA97EBD2130D26A59475C548CEC46E851909F12BEB78141D3855BEE2F323
        Malicious:true
        Reputation:unknown
        Preview:8J.....[{.....e+.-./.w3..*"z..q.z....j......u....d".b\~.R.\.....p.q..#..w;>...Z.y.............%.u. ...rN.ha.g.....1.S.6.l\.Be..K...K."..X..-4_j....y.^<.d*.[.b{..+B./...I....P5F..].*S..T..QYC...8.y5".....rhO.9F.cR.{.WUu.Y..w.7..8?y^}\....\>.~....X..O..,)/.&..w,K..jb...p....PE..8...1..Y.M.%...L..\.g..W.r6.P?.@.....7.-.?.l..)V..+@].di.3.b..tX.[.........[......Ga..?.*R....p`...Z.r.5@..N..Q..t..j....W'.Z..|,s...Z5.-9.......e....K.;.0.7H6R`....K.."Ic:..Y......b.p. /..\.6=.p7]B.s..Y....r.Y d.rI....c.............9..}..Uj.8.r...Q8rn....-...o..T........zT..H.OJ.;o.F..;P<{[f5..V..H..T...s...:..+.....6D..y.p.|&....~..N....c..X.>.T.,......J....9.....,9.F8.qNhh+...A...7{T.c.=J...G...4...L...t...l.*{wbTH.[.!...0.EqG.D.N..A8.2Q*..*..v.G.p.%|EM......J.r\..,[.9.+^........Y1...U.O../......-e......7Z6~:T...:....9[.H..L.... ...4..].O..F...l.3..&...U\..|.i).gI..J.%..L.9..qQ%Z.[.../C.U.73C.S.}k...........a.F...K.mt.I....,...s+bn/R.2..'u.;Bs....!.9
        Process:C:\Users\user\AppData\Roaming\mssecsvc.exe
        File Type:data
        Category:dropped
        Size (bytes):766193
        Entropy (8bit):7.999794088044307
        Encrypted:true
        SSDEEP:12288:ObGcZVMXpTq++B8D7AQrbY0uH1jeXDES5Xcex2mSKDR0hulqIUhP6pdy:OWTWQ8wuH0DES5j2hKDRfqTb
        MD5:5504BA4C7FD7857EAA56D4A7D93222CF
        SHA1:6A32BC7BDF9CCD8C979628D4D423B7047D5C57A8
        SHA-256:91C8C8DC8682E1727CFFEF0E5C5A8C9D69FF461AA025A6E98039523746AB9EB7
        SHA-512:0AB58E5E7969A8936B0F49EADFFC2322CF508BAAEB816DE67296B69BCE7E40CA664A229CB09CCDD02587F8944D3F1448D14AB43E548341787C9FC4B1B45CB6E0
        Malicious:true
        Reputation:unknown
        Preview:..f..........{,U.,...g.Y.y. ~...vc........5....rL...3k...D.4.......K..z7.....pp:......d.Jb. .:W$.5..H.UW.......(;...C...._..Fd..].=_l..e%e.....]...=..6..z.lxm..@.....kc.Z8...*..p..]g..+D...@.DR.B..iI .....-..Y...FC.l..........~..'.f$...c.,...1....eB."5...O.g....S.x......>]..Y...Fok...^.2V.....].\^........5Z..^;.Q.z.....,..R..@..=T.Ni;jh.jVF.,.1k.....b.`..cTr.$.."_.....f.... .h'...5.x.T[.'...7.[.`.:.Z.nV@R.A.b...sQ./"w..|.tX..y~./.>..?.s.V.....a.T.},..C....q..koe'.p....?..?A....c).y[N.....)i...o.^0..~..._...~..G|'h..j.1~I.D,/..(..g..M.7.s.~...|..]@o:..t.k9..5e..6(......g........L I1j.5..\.sO...<......zUP..|.....;g"..l...|.r-....B.iH...dqJ.?.+.n....83CvA+%..37:Ttg...c..n....~a..!MYuz...9t....Y[.Mb.Y.......!..!M...Z.h~..4.............{.G..XVT[.=)............{[).x......e..C...n*....5....j..t.....Eh.Z.T.>...C.J.Gl..Pc&..k..HEQ....U...j..._;.EYik<..L.<$}3..yA.8..........+.|O.*...i...6.)...7..)..Rh'.........!...\.^5...(..j...`7.a.
        Process:C:\Users\user\AppData\Roaming\mssecsvc.exe
        File Type:data
        Category:dropped
        Size (bytes):285254
        Entropy (8bit):7.999343555747065
        Encrypted:true
        SSDEEP:6144:twMlglFjVKDUAqgbZn8PvDJ9boZlySSqAppX7MVyLGO/u:RaJOUAqgbZ8DJ54XU17va+u
        MD5:8D37A4B0D999645E36AC9A617B4B2C81
        SHA1:6908D76AE3EE1B4A613C5082A618E6EA7F6699F2
        SHA-256:C92BAABA85E8CB2CBCA6924906930CD5484C7FCAC4FCDEE5E24157220EF8AB98
        SHA-512:8C93ADF9FD3E3CB5ACA15992C388C42454E4B59FEE37CA2749599E0BE43FC29B064747575D09629980CB8105841716A3B75482D11A3FA8F4140DD51A422F9659
        Malicious:true
        Reputation:unknown
        Preview:.5Y...ww.M..........6-.....]a..l6.O.......^......s.U.Ir.Q.....4.O....R.......=.\...3.#.P(q....J..'....{Ar.T...f...0U.u.a8.....p..df.L&k...V.yu..`..[....9%..U.&.........#E.!1..6....f..<....IL..'2xUV.|n......a......qn....&O:b...=.4w...P....`.#g*...@........R9iP..../v......}.._....,....i"..g>.E.8....:....t.0......\.[~..X...\.a.@".A"....}.-..4lTsH<?T>.F.2..7..F..../..k.BfEY!..G......;.%......*...|._......H...6....GvR...a..0.2Fm..G&..hO.m._[]l(..7........H.......bH..b ,.*E.d{0...b.......7#9... ..UO>.r..<...|...M^....3..n...'.......Kn.{..Y..s..uM..s.DB... .0.!z..y2at...D......dN^.~P....gox.....a........x....L..SZ.t|..d.@m.......Zx.1..b.'>%.....w..X..}...+.......H.O$ c.I.Rm....D...R.M...~q@....TY.%.X.]...L..$,.VB...B.....lN(' ......4.ki.q.Iic.........In.'M....R....-+.. ...;m.p.$..K8XTX..)...o...4.....d.6.L..b.....N..... ~N..&...C!...|....4?!......i....y..6..k..R...kj..[F]..P.....a.Hs...2..P..q.a..K....=../.X.n..z..r...`^...LPP}.>....>..'nF.
        Process:C:\Users\user\AppData\Roaming\mssecsvc.exe
        File Type:data
        Category:dropped
        Size (bytes):19285
        Entropy (8bit):7.915750745547308
        Encrypted:false
        SSDEEP:384:WbDMBX0aidTHs/wyvoszSYZfyLaA9RT3O+VNlVQoiOw+t7:fiaCLyvoQ0aYzO+hjDh
        MD5:BE82D4FA846CFD5FD852E2D48C1A1621
        SHA1:C0CDCF9CE7E5F13AC24C3EF4E238B75A3EFFF697
        SHA-256:7D46C914D842EE599909BBED48BCAD218E1B2803B07B9550C9D3AC1E50BAF80C
        SHA-512:305F2AC837B7198E89062E019CF5BB29174D8DB424BFD1882303640375B07E934D0021BBC5DB7F4129A0936F0F4A7001E94A389ADF90D9C844397886447A9954
        Malicious:false
        Reputation:unknown
        Preview:..F<.}..L2....[..DQ.=.2.^9..C1.B..L0p..x...h..I.]..d..u.lt..B.U.Q..b.d..D..B.U.Q..b.d..D..B.U.Q..b.d..D..B.U.Q..b.d..D..B.U.Q..b.d..D..B.U.Q..b.d..D..B.U.Q..b.d..D..B.U.Q..b.d..D..B.U.Q..b.d..D..B.U.Q..b.d..D..B.U.Q..b.d..D..B.U.Q..b.d..D..B.U.Q..b.d..D..B.U.Q..b.d..D..B.U.Q..b.d..D..B.U.Q..b.d..D..B.U.Q..b.d..D..B.U.Q..b.d..D..B.U.Q..b.d..D..B.U.Q..b.d..D..B.U.Q..b.d..D..B.U.Q..b.d..D..B.U.Q..b.d..D..B.U.Q..b.d..D..B.U.Q..b.d..D..B.U.Q..b.d..D..B.U.Q..b.d..D.....}h._.lwx..s.}n.&.>M..uFr.n.l....x.J...i...."......u.p...6..Z..O.pP...X^..n......~..H.H......[.....yr...J..x..gC8:...0.O...c.\.o..1.]l(../..p.1..T..I.!.ZY.../.,V0..|.W..x.o..w...0..\.$v..:.}...:..~...d....|./y.....P.u....n....n.....3....(...-;.I>.....@mT~R$.|..........g..N.).lO...Pi....5?0.t]..^...Ct.....|...W..}..H....rb."T8%..1..... ..w+br<..>.5B..*..w.t..B.!M..Ck....{A..f..tBO.m.L....Ve..D..0.>L>.......Vf.W0+.Z.@...o....-rbu...(...p..L4....H..<.r..-.A*....4.......
        Process:C:\Users\user\AppData\Roaming\mssecsvc.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):885
        Entropy (8bit):5.145451217460208
        Encrypted:false
        SSDEEP:24:wgI3Y3KjzSPIySFRQQTFRtfshbAtl1FKHs8:wgOvATQhf+ktljOl
        MD5:9516268D6B0CA9CC88F84AA841317992
        SHA1:4D7100203F3DFC1A7E8F0D25154090EC4618D423
        SHA-256:896EBA0FD45BBF05300B18060050775BA3033E0CFFE50EF79307118420A5DA6C
        SHA-512:D5579E2A726D446860C293125B5B18386EF8CBF509C94B9B8A2AE11E6247348349B6747B9080BF823A7C123378DABF14A6A5EF90D4BFD44C0ABB977A2C4F0A7D
        Malicious:false
        Reputation:unknown
        Preview:Your IMPORTANT FILES WERE ENCRYPTED on this computer: documents, databases, photos, videos, etc.....Encryption was prodused using unique public key for this computer...To decrypt files, you need to obtain private key and special tool.....To retrieve the private key and tool find your pc key file with '.key.~xdata~' extension...Depending on your operation system version and personal settings, you can find it in:..'C:/',..'C:/ProgramData',..'C:/Documents and Settings/All Users/Application Data',..'Your Desktop'..folders (eg. 'C:/PC-TTT54M#45CD.key.~xdata~'). ....Then send it to one of following email addresses:....begins@colocasia.org..bilbo@colocasia.org..frodo@colocasia.org..trevor@thwonderfulday.com..bob@thwonderfulday.com..bil@thwonderfulday.com....Your ID: 116938#E6D33838FD3B3884E7EB26AE0631910A....Do not worry if you did not find key file, anyway contact for support...
        Process:C:\Users\user\AppData\Roaming\mssecsvc.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):885
        Entropy (8bit):5.145451217460208
        Encrypted:false
        SSDEEP:24:wgI3Y3KjzSPIySFRQQTFRtfshbAtl1FKHs8:wgOvATQhf+ktljOl
        MD5:9516268D6B0CA9CC88F84AA841317992
        SHA1:4D7100203F3DFC1A7E8F0D25154090EC4618D423
        SHA-256:896EBA0FD45BBF05300B18060050775BA3033E0CFFE50EF79307118420A5DA6C
        SHA-512:D5579E2A726D446860C293125B5B18386EF8CBF509C94B9B8A2AE11E6247348349B6747B9080BF823A7C123378DABF14A6A5EF90D4BFD44C0ABB977A2C4F0A7D
        Malicious:false
        Reputation:unknown
        Preview:Your IMPORTANT FILES WERE ENCRYPTED on this computer: documents, databases, photos, videos, etc.....Encryption was prodused using unique public key for this computer...To decrypt files, you need to obtain private key and special tool.....To retrieve the private key and tool find your pc key file with '.key.~xdata~' extension...Depending on your operation system version and personal settings, you can find it in:..'C:/',..'C:/ProgramData',..'C:/Documents and Settings/All Users/Application Data',..'Your Desktop'..folders (eg. 'C:/PC-TTT54M#45CD.key.~xdata~'). ....Then send it to one of following email addresses:....begins@colocasia.org..bilbo@colocasia.org..frodo@colocasia.org..trevor@thwonderfulday.com..bob@thwonderfulday.com..bil@thwonderfulday.com....Your ID: 116938#E6D33838FD3B3884E7EB26AE0631910A....Do not worry if you did not find key file, anyway contact for support...
        Process:C:\Users\user\AppData\Roaming\mssecsvc.exe
        File Type:data
        Category:dropped
        Size (bytes):63401
        Entropy (8bit):7.989984673945993
        Encrypted:false
        SSDEEP:1536:msmOzQxGSw4slp3d2+6g/tQ/VHsf/FdW86G5TipSJvygFg0x:lAGSw1aglIHsf/XW6e+ymgU
        MD5:744CA4F63EC669A48152478CF6C158FD
        SHA1:D2843E5C95EFEB0921078E4BFD3151B3C850508F
        SHA-256:B5A7481E17CA78866128C320040263047A4E3628801745409280A3EB8DBC515D
        SHA-512:5B745BBF191A2CDDDD0B31028713164AEAEAD8761BE24FEBBF9E8E07D7AA639790F15A797185E221869E78CDFF5541F56BCD961E2F17AFD188C2FE792F89A658
        Malicious:false
        Reputation:unknown
        Preview:.....;O..d.uxD.d....U..B....-K[..6.46.|..ko...\.$e..;n....C2Jm1...).y..l.C2Jm1...).y..l.C2Jm1...).y..l.C2Jm1...).y..l.C2Jm1...).y..l.C2Jm1...).y..l.C2Jm1...).y..l.C2Jm1...).y..l.C2Jm1...).y..l.C2Jm1...).y..l.C2Jm1...).y..l.C2Jm1...).y..l.C2Jm1...).y..l.C2Jm1...).y..l.C2Jm1...).y..l.C2Jm1...).y..l.C2Jm1...).y..l.C2Jm1...).y..l.C2Jm1...).y..l.C2Jm1...).y..l.C2Jm1...).y..l.C2Jm1...).y..l.C2Jm1...).y..l.C2Jm1...).y..l.C2Jm1...).y..l.C2Jm1...).y..l..G.../.Fb@...!9'....N/..g}...T.3Z....C...j.v|..R.s.\.4.....K....*\W12.r..[..q^...S[....H..3RC.g...!...3.}L.W..i.J(.~g..g...'0...C...VEB...96..<,d..}x..:.A..K..Od..y.M...e=.oGr..%.......y...v.....].+#'...*.%2......h.V|..S..D..v..O.I.bKyG..r}.d.w.0&A...z!.;o.y...h...K...>.Z#........o.1.z...S.4..o...52.....z...t..pC..Ue.i..z...C..P..|.......cI.#..]A....,.e~...+.0.7.;\W[.R..~..-..M..].........k..<H.',XX.6Jp.........K.4.....!.-..9..Pc...KF`.......1gV..$.d..xi...@jV....x.C2Jm1...).y..l.C2Jm1..
        Process:C:\Users\user\AppData\Roaming\mssecsvc.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):885
        Entropy (8bit):5.145451217460208
        Encrypted:false
        SSDEEP:24:wgI3Y3KjzSPIySFRQQTFRtfshbAtl1FKHs8:wgOvATQhf+ktljOl
        MD5:9516268D6B0CA9CC88F84AA841317992
        SHA1:4D7100203F3DFC1A7E8F0D25154090EC4618D423
        SHA-256:896EBA0FD45BBF05300B18060050775BA3033E0CFFE50EF79307118420A5DA6C
        SHA-512:D5579E2A726D446860C293125B5B18386EF8CBF509C94B9B8A2AE11E6247348349B6747B9080BF823A7C123378DABF14A6A5EF90D4BFD44C0ABB977A2C4F0A7D
        Malicious:false
        Reputation:unknown
        Preview:Your IMPORTANT FILES WERE ENCRYPTED on this computer: documents, databases, photos, videos, etc.....Encryption was prodused using unique public key for this computer...To decrypt files, you need to obtain private key and special tool.....To retrieve the private key and tool find your pc key file with '.key.~xdata~' extension...Depending on your operation system version and personal settings, you can find it in:..'C:/',..'C:/ProgramData',..'C:/Documents and Settings/All Users/Application Data',..'Your Desktop'..folders (eg. 'C:/PC-TTT54M#45CD.key.~xdata~'). ....Then send it to one of following email addresses:....begins@colocasia.org..bilbo@colocasia.org..frodo@colocasia.org..trevor@thwonderfulday.com..bob@thwonderfulday.com..bil@thwonderfulday.com....Your ID: 116938#E6D33838FD3B3884E7EB26AE0631910A....Do not worry if you did not find key file, anyway contact for support...
        Process:C:\Users\user\AppData\Roaming\mssecsvc.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):885
        Entropy (8bit):5.145451217460208
        Encrypted:false
        SSDEEP:24:wgI3Y3KjzSPIySFRQQTFRtfshbAtl1FKHs8:wgOvATQhf+ktljOl
        MD5:9516268D6B0CA9CC88F84AA841317992
        SHA1:4D7100203F3DFC1A7E8F0D25154090EC4618D423
        SHA-256:896EBA0FD45BBF05300B18060050775BA3033E0CFFE50EF79307118420A5DA6C
        SHA-512:D5579E2A726D446860C293125B5B18386EF8CBF509C94B9B8A2AE11E6247348349B6747B9080BF823A7C123378DABF14A6A5EF90D4BFD44C0ABB977A2C4F0A7D
        Malicious:false
        Reputation:unknown
        Preview:Your IMPORTANT FILES WERE ENCRYPTED on this computer: documents, databases, photos, videos, etc.....Encryption was prodused using unique public key for this computer...To decrypt files, you need to obtain private key and special tool.....To retrieve the private key and tool find your pc key file with '.key.~xdata~' extension...Depending on your operation system version and personal settings, you can find it in:..'C:/',..'C:/ProgramData',..'C:/Documents and Settings/All Users/Application Data',..'Your Desktop'..folders (eg. 'C:/PC-TTT54M#45CD.key.~xdata~'). ....Then send it to one of following email addresses:....begins@colocasia.org..bilbo@colocasia.org..frodo@colocasia.org..trevor@thwonderfulday.com..bob@thwonderfulday.com..bil@thwonderfulday.com....Your ID: 116938#E6D33838FD3B3884E7EB26AE0631910A....Do not worry if you did not find key file, anyway contact for support...
        Process:C:\Users\user\AppData\Roaming\mssecsvc.exe
        File Type:data
        Category:dropped
        Size (bytes):292440
        Entropy (8bit):7.999296522754797
        Encrypted:true
        SSDEEP:6144:shumMgQC1wExI93tJQPkx+3y0xrcDb/320:NpgQC+F3IkyBcP31
        MD5:E0E6402DE8BB91489B0EB930327FCE2F
        SHA1:0CA01EE6FE028E01B1DB21945C1545718A70A3FB
        SHA-256:00558FD8832C21C9D4C67033050D2CE3290C896C64A66F629561EA45060456B3
        SHA-512:C9984F8B920731930C5DC043A981FE23DC5E3C5CBF6EDD0CB5470DA429F14B03FD9ABBEE09A4396439213CAD757DF93DB178E42D3AAF8FB489173EE1507BBDA9
        Malicious:true
        Reputation:unknown
        Preview:...q.+..!.......j....%....F........(|..;..8.N.........._..1..}\%.@te7.3j...........|....Aj..r.A...(R....._.!cl*l.f..W#L*.0.;e.B.u....I....Dt......&..:.tty}]..]...1.z'..(I...>.N..Ru.._r.w.M.2....T7m.%x.3.Z9..7.'..J!.q.nc...O.).a.2...l.e/..)l.,.>SV..E.....r.........!..........um...F..!..mH.a')"=.-.(>..7...R*..FQ..8.7.......T.}~.4n..u..#..8..4S.PT....sRmQb.q.$.]l'Ie..h-.x....#.)n.@/{.....@B........]...."..B....G.6...C...R.W:/Z.{.e.._..7'..*...7.Z.5j..Tg.f/lM..M..T...2J5....P..;..lq....&e.Vi.F........}3.Ivw.S]..h7:h...$G.%^{."X$.cb.eo5......+...V.0...$d....V..3$.}.3i..-...0.O....2.E&..6.:...-l.`.LE.......N..Kh..=:.MdA.`...v.,.ds...C.F..1g+4.|.l.%.....".g....B.jr...v.a.h..o."yK.J..g.;..Vi...:....c...H.....~.v...O...fR..{...!...w.u.P...C.+.m.DAz.T.c.#..A..........8......k..K..%..3.......3...ch..S..d.a.o...l.&...5r2....L.y@.........8......{....@...PbN.]4...lP..xR...Y.s....:.wS..G..6....l..b..V....R.I.]..K.7Qp.0+........D.L.....c%..mOe._.]..1
        Process:C:\Users\user\AppData\Roaming\mssecsvc.exe
        File Type:data
        Category:dropped
        Size (bytes):253448
        Entropy (8bit):7.950012181714727
        Encrypted:false
        SSDEEP:3072:GWElbi+dM/a0LXs+JNWjGKgbukIiOQ/xWQl8bXJTQKyMz0didHGa1:GLlD8a0LbnWjGzvOQ/YLxQKywIi1G0
        MD5:BC97094F8929B2269F86C44154A4A0BE
        SHA1:9661E55052DB619AEA7CFFE84A21264BD8DC5CBB
        SHA-256:DF9C205BCCA7AF69BFC7967358F8AF2AAB6FDC32684F89757214C1AFDBA9B6E3
        SHA-512:FC152BCE340FAD87408F30217A7126B6802CA1EDEB79BDAB3F3F3D2E633C2BAD672193467A10514E221ED0834FCFDE77EB348A5B9468939EA847EFF0E973F435
        Malicious:false
        Reputation:unknown
        Preview:.ZFD.....E.-...:....8.M.3.!...{.. ...2WJ+..M........t.....#...O......7d.\B~...].TTrK....[=..W.0Z....u...7...F...FR.y...5.v.......Z.,f...".....~.2.^.........y.....A.p.....z.W.o.u}/.hj%.1*.....D.Dj.....A...Z........*..p.z...d.U. .4...4H....z.=....0{p>. ...2WJ+..M....,.=:..}.V.w.kA.Qe.Ti8..I..@.. ...2WJ+..M.... ...2WJ+..M.... ...2WJ+..M.... ...2WJ+..M.... ...2WJ+..M.... ...2WJ+..M.... ...2WJ+..M.... ...2WJ+..M.... ...2WJ+..M.... ...2WJ+..M.... ...2WJ+..M.... ...2WJ+..M.... ...2WJ+..M.... ...2WJ+..M.... ...2WJ+..M.... ...2WJ+..M.... ...2WJ+..M.... ...2WJ+..M.... ...2WJ+..M.... ...2WJ+..M.... ...2WJ+..M.... ...2WJ+..M.... ...2WJ+..M.... ...2WJ+..M.... ...2WJ+..M.... ...2WJ+..M.... ...2WJ+..M.... ...2WJ+..M.... ...2WJ+..M.... ...2WJ+..M.... ...2WJ+..M.... ...2WJ+..M.... ...2WJ+..M.... ...2WJ+..M.... ...2WJ+..M.... ...2WJ+..M.... ...2WJ+..M.... ...2WJ+..M.... ...2WJ+..M.... ...2WJ+..M.... ...2WJ+..M.... ...2WJ+..M.... ...2WJ+..M.... ...2WJ
        Process:C:\Users\user\AppData\Roaming\mssecsvc.exe
        File Type:data
        Category:dropped
        Size (bytes):177456
        Entropy (8bit):7.312696704760634
        Encrypted:false
        SSDEEP:3072:vcqHsrdG5Pij6n3TxlTpXRRG8JoaYfWPwXYS0i57:vursfxGko
        MD5:B7623DE34502BAC4A85DF680909F6FB1
        SHA1:E81EC3CDE6ABEEB44A42EDB00582E7DD26D526DA
        SHA-256:F69BA8F5C7E8C47A75135C326FCC0709BF8F3096115AFED754B5E16AD901B5E0
        SHA-512:689F23BACF38E2AA27C1247C8AEB12BD104BA05F7F8F12AED22F1777D148076381DFE0B5424081C07D6DA7A7D9FC08F0820D562204FF3B3ED9BE78109F30E297
        Malicious:false
        Reputation:unknown
        Preview:....u..)3(...@.b.:....../.{....=+.....G5x...@+..2._...k.Y9.\.H-.....(~....{.Y.".-.......V.y)..}......&......\.d[....`.q-.|dM...?.S.....K...y../.......S.cJ..x6.H../...`..g$.P..&{.!..d..h.N.....(l...!.B.d.+v.....{...i.7#..?.`.......-O5xu..NBx.=+.....G5x...@i+.6f6HZ|]L..T.V?4{:.C.....Ht...=+.....G5x...@=+.....G5x...@=+.....G5x...@=+.....G5x...@=+.....G5x...@=+.....G5x...@=+.....G5x...@=+.....G5x...@=+.....G5x...@=+.....G5x...@=+.....G5x...@=+.....G5x...@=+.....G5x...@=+.....G5x...@=+.....G5x...@=+.....G5x...@=+.....G5x...@=+.....G5x...@=+.....G5x...@=+.....G5x...@=+.....G5x...@=+.....G5x...@=+.....G5x...@=+.....G5x...@=+.....G5x...@=+.....G5x...@=+.....G5x...@=+.....G5x...@=+.....G5x...@=+.....G5x...@=+.....G5x...@=+.....G5x...@=+.....G5x...@=+.....G5x...@=+.....G5x...@=+.....G5x...@=+.....G5x...@=+.....G5x...@=+.....G5x...@=+.....G5x...@=+.....G5x...@=+.....G5x...@=+.....G5x...@=+.....
        Process:C:\Users\user\AppData\Roaming\mssecsvc.exe
        File Type:data
        Category:dropped
        Size (bytes):321336
        Entropy (8bit):7.900193722169266
        Encrypted:false
        SSDEEP:6144:v8ybdaSDReyqVapYh8KC4dHErCg6Ykh6SHx/xBMII/ab1HsH:v7HMyDpYh8x4dH67Y1xUR/ab1m
        MD5:9DC5A00A9A6663C18C80144C829BF693
        SHA1:A871480A8D8386FB3421A86516AAC0350DAA040A
        SHA-256:BE5CD7AA5A97CDB3370DF75F361B1339368040FC08E3E55B360C0128209212E0
        SHA-512:C153938F99D916C3439DDDE8A18F4AB1CA13DBA7DDF7082361AFC33B46166E46449F724F8DF6DF4B3E80924484578A1482CB8B1ED2672B317340A6BD893A4D12
        Malicious:false
        Reputation:unknown
        Preview:.#Zz..Z)h1)...fm.].].......\..{.8.../.....3)..g.U...!x.....q..<.|...6Yb4].........r.U.....=."C.6S9.i.j...r..d.e.a..u.....A........._......l......K...9.....4.VL.}..fw..5M...8.p....i...h..7.s.b.7O.....94..........-JYHdpl.c.........XZ.......c..)...{.8.../.....3)v......n..p..]......../oQ%.s...3.{.8.../.....3).{.8.../.....3).{.8.../.....3).{.8.../.....3).{.8.../.....3).{.8.../.....3).{.8.../.....3).{.8.../.....3).{.8.../.....3).{.8.../.....3).{.8.../.....3).{.8.../.....3).{.8.../.....3).{.8.../.....3).{.8.../.....3).{.8.../.....3).{.8.../.....3).{.8.../.....3).{.8.../.....3).{.8.../.....3).{.8.../.....3).{.8.../.....3).{.8.../.....3).{.8.../.....3).{.8.../.....3).{.8.../.....3).{.8.../.....3).{.8.../.....3).{.8.../.....3).{.8.../.....3).{.8.../.....3).{.8.../.....3).{.8.../.....3).{.8.../.....3).{.8.../.....3).{.8.../.....3).{.8.../.....3).{.8.../.....3).{.8.../.....3).{.8.../.....3).{.8.../.....3).{.8.../.....3).{.8.../.....3).{.8.../
        Process:C:\Users\user\AppData\Roaming\mssecsvc.exe
        File Type:data
        Category:dropped
        Size (bytes):3245040
        Entropy (8bit):7.970256898538046
        Encrypted:false
        SSDEEP:98304:CeJZomckqTIRyUeAxzgshebu7fjq8D3bu7fjq8D3bCjflbfb9n9C1zEb0bO9C1zK:CuZom8YWAOshebu7fjq8D3bu7fjq8D3S
        MD5:9AA0AA1512BED7E34CF7BBDD673F3DA5
        SHA1:E7032327A24B47E5B0BEE2F8788ACF467A875BFD
        SHA-256:B6DC0CB46CE711F1D5355E593ACE0584176A39B1912CBE430AAE0ECB2CC77D5F
        SHA-512:8CF66CB134D8B21221D5ECBA6AEE974E9196DF0CF67945306D2991A8EF67A3F40BC9120625C140FC74516DAF4D8DF5A48743AB236C1DE631103698DD98EFE5F1
        Malicious:false
        Reputation:unknown
        Preview:k(>ko~~..Uk.g.4;;W.=j......=T.}(9.].9...P..#..W.O|8....Q..#(..f..4.~.=..h..a.IL...t...vp_v.2.mV.Hu:.T...O. .1..~Z...K.....%%..R..{(.k.$....-..K...W.QGzB,.!....N.Y%)...........m..X?..).M......).F....Z.....>.#..B.!.T.|H.,..4do....!......|.....h.6(9.].9...P..#..WMX.3...f.M.....D1.r...&..{.1g.#.(9.].9...P..#..W(9.].9...P..#..W(9.].9...P..#..W(9.].9...P..#..W(9.].9...P..#..W(9.].9...P..#..W(9.].9...P..#..W(9.].9...P..#..W(9.].9...P..#..W(9.].9...P..#..W(9.].9...P..#..W(9.].9...P..#..W(9.].9...P..#..W(9.].9...P..#..W(9.].9...P..#..W(9.].9...P..#..W(9.].9...P..#..W(9.].9...P..#..W(9.].9...P..#..W(9.].9...P..#..W(9.].9...P..#..W(9.].9...P..#..W(9.].9...P..#..W(9.].9...P..#..W(9.].9...P..#..W(9.].9...P..#..W(9.].9...P..#..W(9.].9...P..#..W(9.].9...P..#..W(9.].9...P..#..W(9.].9...P..#..W(9.].9...P..#..W(9.].9...P..#..W(9.].9...P..#..W(9.].9...P..#..W(9.].9...P..#..W(9.].9...P..#..W(9.].9...P..#..W(9.].9...P..#..W(9.].9...P..#..W(9.].9...P..#..W(9.].9...P..#..W(9.].9...P..#..W(9.].9..
        Process:C:\Users\user\AppData\Roaming\mssecsvc.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):885
        Entropy (8bit):5.145451217460208
        Encrypted:false
        SSDEEP:24:wgI3Y3KjzSPIySFRQQTFRtfshbAtl1FKHs8:wgOvATQhf+ktljOl
        MD5:9516268D6B0CA9CC88F84AA841317992
        SHA1:4D7100203F3DFC1A7E8F0D25154090EC4618D423
        SHA-256:896EBA0FD45BBF05300B18060050775BA3033E0CFFE50EF79307118420A5DA6C
        SHA-512:D5579E2A726D446860C293125B5B18386EF8CBF509C94B9B8A2AE11E6247348349B6747B9080BF823A7C123378DABF14A6A5EF90D4BFD44C0ABB977A2C4F0A7D
        Malicious:false
        Reputation:unknown
        Preview:Your IMPORTANT FILES WERE ENCRYPTED on this computer: documents, databases, photos, videos, etc.....Encryption was prodused using unique public key for this computer...To decrypt files, you need to obtain private key and special tool.....To retrieve the private key and tool find your pc key file with '.key.~xdata~' extension...Depending on your operation system version and personal settings, you can find it in:..'C:/',..'C:/ProgramData',..'C:/Documents and Settings/All Users/Application Data',..'Your Desktop'..folders (eg. 'C:/PC-TTT54M#45CD.key.~xdata~'). ....Then send it to one of following email addresses:....begins@colocasia.org..bilbo@colocasia.org..frodo@colocasia.org..trevor@thwonderfulday.com..bob@thwonderfulday.com..bil@thwonderfulday.com....Your ID: 116938#E6D33838FD3B3884E7EB26AE0631910A....Do not worry if you did not find key file, anyway contact for support...
        Process:C:\Users\user\AppData\Roaming\mssecsvc.exe
        File Type:data
        Category:dropped
        Size (bytes):228440
        Entropy (8bit):7.964840716620225
        Encrypted:false
        SSDEEP:3072:SUZji5Km9ADJqEvrIpk4sAEDydZKuvoZyFXnrwCSLfZm2D8qH49KEARQVikj/l9x:SUEoDJqVpFnFXnrLifo2D8q4aqj/lD
        MD5:A80002F1A56F70DE47F702090B727EF6
        SHA1:6E8684734ABD07C6AD603FE979ABBA11F63CD068
        SHA-256:FDE5C68302C3150BD40301069903F30D74CA54C50C1BB87346AAFBB5164BE891
        SHA-512:EEC50FE19F22F2F58F70A2ABE82754A07F7FE0E7A4A121D6EF130FBF079D8F1D9EBF62F6D8F0340DF60FB4C0073E4454981015274C55EB640FC0E590B28F9067
        Malicious:false
        Reputation:unknown
        Preview:.......o......Xe.\.)..{;..>..r._O..K.k..mG@..NN..R.v.` .=..........=.V..u......4pe.2*......j+...,.".]Kd..A..yox..6..cE.^_y6Ot1....S.E.".....N....9el.E^.5....p...2..g]..=-..5.L.S/U'q=...&.7"*|3...^..b.....I'.XK....O.Z....r.(..b.q...,K....B.._O..K.k..mG@.,x0y...........b.u..e..~...._O..K.k..mG@._O..K.k..mG@._O..K.k..mG@._O..K.k..mG@._O..K.k..mG@._O..K.k..mG@._O..K.k..mG@._O..K.k..mG@._O..K.k..mG@._O..K.k..mG@._O..K.k..mG@._O..K.k..mG@._O..K.k..mG@._O..K.k..mG@._O..K.k..mG@._O..K.k..mG@._O..K.k..mG@._O..K.k..mG@._O..K.k..mG@._O..K.k..mG@._O..K.k..mG@._O..K.k..mG@._O..K.k..mG@._O..K.k..mG@._O..K.k..mG@._O..K.k..mG@._O..K.k..mG@._O..K.k..mG@._O..K.k..mG@._O..K.k..mG@._O..K.k..mG@._O..K.k..mG@._O..K.k..mG@._O..K.k..mG@._O..K.k..mG@._O..K.k..mG@._O..K.k..mG@._O..K.k..mG@._O..K.k..mG@._O..K.k..mG@._O..K.k..mG@._O..K.k..mG@._O..K.k..mG@._O..K.k
        Process:C:\Users\user\AppData\Roaming\mssecsvc.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):885
        Entropy (8bit):5.145451217460208
        Encrypted:false
        SSDEEP:24:wgI3Y3KjzSPIySFRQQTFRtfshbAtl1FKHs8:wgOvATQhf+ktljOl
        MD5:9516268D6B0CA9CC88F84AA841317992
        SHA1:4D7100203F3DFC1A7E8F0D25154090EC4618D423
        SHA-256:896EBA0FD45BBF05300B18060050775BA3033E0CFFE50EF79307118420A5DA6C
        SHA-512:D5579E2A726D446860C293125B5B18386EF8CBF509C94B9B8A2AE11E6247348349B6747B9080BF823A7C123378DABF14A6A5EF90D4BFD44C0ABB977A2C4F0A7D
        Malicious:false
        Reputation:unknown
        Preview:Your IMPORTANT FILES WERE ENCRYPTED on this computer: documents, databases, photos, videos, etc.....Encryption was prodused using unique public key for this computer...To decrypt files, you need to obtain private key and special tool.....To retrieve the private key and tool find your pc key file with '.key.~xdata~' extension...Depending on your operation system version and personal settings, you can find it in:..'C:/',..'C:/ProgramData',..'C:/Documents and Settings/All Users/Application Data',..'Your Desktop'..folders (eg. 'C:/PC-TTT54M#45CD.key.~xdata~'). ....Then send it to one of following email addresses:....begins@colocasia.org..bilbo@colocasia.org..frodo@colocasia.org..trevor@thwonderfulday.com..bob@thwonderfulday.com..bil@thwonderfulday.com....Your ID: 116938#E6D33838FD3B3884E7EB26AE0631910A....Do not worry if you did not find key file, anyway contact for support...
        Process:C:\Users\user\AppData\Roaming\mssecsvc.exe
        File Type:data
        Category:dropped
        Size (bytes):27860
        Entropy (8bit):7.9596012454475185
        Encrypted:false
        SSDEEP:768:i1kfnW94wdVc4xdZprGj69O7Q447igb6zm2mULi:xnjw/sOoQ4dHq2BLi
        MD5:E93409EA2F652F5563D2F92F89865496
        SHA1:191FC1B7EB2C1CF22DB07F163EAA619140EFA5EB
        SHA-256:9C447AF7253AA6B1C4BE9AA2777CC769D8B1C009496A9FA942A0D17922D6829F
        SHA-512:B9087486355F0DCCA78B3956AFC94F520C89F8F3982959915AD8DDAD63244CB8CE4FA70016380294F3FB245A86FB9DCA65582C03C8595A335F026A21EB4F4C11
        Malicious:false
        Reputation:unknown
        Preview:Xn...(........e.w..I...X(....3.-.......41.tE..ByAv..f[...wrj.6.....Q,...mrj.6.....Q,...mrj.6.....Q,...mrj.6.....Q,...mrj.6.....Q,...mrj.6.....Q,...mrj.6.....Q,...mrj.6.....Q,...mrj.6.....Q,...mrj.6.....Q,...mrj.6.....Q,...mrj.6.....Q,...mrj.6.....Q,...mrj.6.....Q,...mrj.6.....Q,...mrj.6.....Q,...mrj.6.....Q,...mrj.6.....Q,...mrj.6.....Q,...mrj.6.....Q,...mrj.6.....Q,...mrj.6.....Q,...mrj.6.....Q,...mrj.6.....Q,...mrj.6.....Q,...mrj.6.....Q,...mrj.6.....Q,...mrj.6.....Q,...mrj.6.....Q,...mrj.6.....Q,...mrj.6.....Q,...m..?.ct.V5....1..w;>...U.e*$tW_..l...Gx.e.)..J.,..2...U...c&....T.P=}P...7Z.@.U.g.6......a5>a...f]d..&.....]'.u.!..J....@....;....|...E,.+......<..h....*...S._9.l;9.J.X.f=(..H^....K....rB.DU4...QB;Y*n...)Em4.L.<.OXV.D%B.eSf..qx..7;lBR...H.P.u..B..M..+. .....:*8..2..R.)..+lU........Q......Y..pI..Lq..!..{.....w.Oy...V/z..TCS....h..x..4.S..._L...d.#. .PC\.A;2.....P...I[.".Z<..Q%.4.Q}..O.$....8|..,I...Q.&E..^..w..]<FM.9.^..
        Process:C:\Users\user\AppData\Roaming\mssecsvc.exe
        File Type:data
        Category:dropped
        Size (bytes):122023
        Entropy (8bit):7.941238193230476
        Encrypted:false
        SSDEEP:1536:h08sUw3pFTZgngtw86UW0bUsuQwCJOst9+keoELGOth7z2ClXRzzZWTV73GhTJ2:h0e4TZAF0ALQcvFGOthP2CRqu2
        MD5:CC986A7F6423F7B0378B5D31997B1FDE
        SHA1:28FBD1BA25D1AFF9DC63870220D94598546D906C
        SHA-256:3861E6B0EBED441ACA8B6864FD260C565069BD1E1A20CAB93FCB21013F4D2BCA
        SHA-512:A34D4E331AD14A9C3A894D3C43CF6DBF2FB99C0D5E577C063F3BFAF91BB954B17F384CB7F8F891ACA0AEF8F78D9AF38BE76A76B21A21881B2D371F7173F58DE4
        Malicious:false
        Reputation:unknown
        Preview:...9..."..3.p<on.SJT~........[.(O........Lv...5.s.^....v..@........b....r%@X|.].OU...|=^..P........v:.c..@....P..........b%.Q.x..#b......lDWj=..}.L[.HA....!'.]m.....Sg.}f..6c...&.P.....j.......J.xYT.. KR.*.M-......l..sst...G$......).~m.....G..M9.0'..<.c^..Y..JP,..qbMpj#L...[]F)..C......*.vV.t....Ht..ODH.&.^..0....l...#kyXE...I..v.b..L....R@.;..~..8.q..8*7.....i...NL..U....$.Lg.2....<.2..^...TWC.U...0......>I.+.P..*..il.A.d....0.x....fR..f"...y#.....4.p....p.P..P.....Bq_...!Q..u....kr........y......."...Z.2.<.B....T.j.lw..m...D6.....zV.....a@..~......={-.p].*...w.Z.@..8P.......f..Q....+...zA.m.9c...B..........o..o|.b......Q}7iR...}.t..|A.........bI.....oM.Fs...[i.jUPY[..1.8.w........FN..K.@G/.e..?....0p....I$...".....f..a....g-.v..o.-.3...:...c..{.J........]r+..a|eA.8..._.....J?....A..!.<^...E.....n......2.0T.y:..+!.$.Hp......(=....P.g.l..q.....B(.0....J.FY......i:.Z....w......S......9A...@.tl........Z...P=.~0/...{.ev....r?.M..43.......
        Process:C:\Users\user\AppData\Roaming\mssecsvc.exe
        File Type:data
        Category:dropped
        Size (bytes):368721
        Entropy (8bit):7.969532027489771
        Encrypted:false
        SSDEEP:6144:9NSd1For6dO/xqnYlicc0pC4ESaSnUHfJB4J67co/1a4Cr+XL:YeubnYB1lq/JBG6Ah4Cr+7
        MD5:511AB52772570BE5C998386C9CBD6B77
        SHA1:D31B7F8E4A70FEBEF54AFB9AB9664CB9D2E18301
        SHA-256:7E3171D2C7A5FD88E2A1D723C597D3A81D0C2D3CEB625437F253AEF1FEB21A2A
        SHA-512:6D573F1D08782D98C40846D9138FB6F61D126ACF7C1FC0C5BCCFFE651DE64C734C7AA09436A88447BB5A30C371A5861D062EF529A1EAF79366B344206B648823
        Malicious:false
        Reputation:unknown
        Preview:.(.._....o..a.. ..M.....Jl...x.>.D.........3..79.F..6.4e.u....5U[...M....`..[T.6Q..%...{.......G.......b.ar....V... C|c.\W.~.l#xk.R.\6.R`.......c..A...".".i.z...........vbeX*.."...J1..CX..Hx.nr.p..:.Fo"...*z..$.. g.d.....J.......c.+..z...P.wj..^.n...k.o.b.%.._....`.h:.....y.ID ..R.F..;.:...2...T...O\.B.X.o.8=......u.6..;x..$.&w....K..........(ra..<..ca.......`Ar.F..<P..h....}........#u..._#K...dFqD....$.:.....).T.V..s....Z.CS..../..&Ld......V/..U....SN...K>fX.....4....y..K...C.N...\,.0.gE....gp....K....F+s.%.q..+n.........../..j.S.".,l.93..k).Eu...../.Hj..?....Y.h.+9.2.b<...;`r......s......<....HT/nI)...'..5...-........sJ...........,0t.....k....e....d....#....[..4.pglq`9.....`..6t...........>....$..s..j.(.6.[..}d...L.q..U..[..8lY.r..F.....8......cE..].t...XZ...w>...7.\L4.'.%.h]|jk..$....y. T.)h..12..-....b.!.....J.w.&._..\..>.t..m2L..?.....a~d~7ts.o..3.....3....].7..{B....V..|,....2...?z..o......C.1..[?U...[..5.z...........xJ.;VID..&...t%.
        Process:C:\Users\user\AppData\Roaming\mssecsvc.exe
        File Type:data
        Category:dropped
        Size (bytes):138155
        Entropy (8bit):7.953632874321775
        Encrypted:false
        SSDEEP:3072:Q9LjDUiBmeZQwa3m/RPjqw9jTfQPIXMlRXiEOIFgWpxeZSytZJq5Nib:Q9vzB7Z63CRP+ujTfQPIXMlRS0gixeZb
        MD5:A496FA9B7D8D19BDF5B0EFF0057C729C
        SHA1:E718C8222E16B2CE0E060CFDB4BFA09AF99CFDBA
        SHA-256:085EFB2418405085066961C62F825DBA9ED53BDFCC4E64C98C2993F6368CE2F3
        SHA-512:D027D117B5BAC2E6F741B8EC59CD523E5853AF435201A8BC15481A0A74A0CDB1B132BF5FC8C904B0ACA6CD45B3A810A31D59A317056AE4BE1C2B2C49822CE19A
        Malicious:false
        Reputation:unknown
        Preview:}.....C....8q...R.......e@....3...4=.'...h@...........=YE....Wc..?....H.....d.Mk|vT..8.W.~!.<.T.JUq...!......s...y..?t..u...H.3m...k.\..D...D.r,si;...-..50....=...N..$.tR....).U7..u..8..(=...y...(..u.Uq.......?..}...,2.....h..n*.....^2....e.a.......f......^.......N...`...-...nO..F....8E7R.D....$.....~.......8...J_._..SZ...3...M...p..=..kvuW..Y..lfJB9..Gi5.0f...r........!_j.|dl.....j.....?Iau.F0%v.....5b0g.X.......&7..$pt.[.........K.....b_..Z~V."Pf.@./?....T......~w..?..V..$.|...G.{.M.M..-s.n.%>. .x....yhm.....+.7cm[9.l.[....F...Nh ..@..Y(.........s.O.N%.......!>..s.\.g.....e.iK.PQ.DEM{....>9i-.9H..}=..7.0<i.N.=.....@.M`..\h{..juh.i......6..Z.El....p....N...,..}..ke.r.{7... T..p.. ...no....*.?'..n.q...9....Q#(......./B......, ....}..a.......>#.=&..q..=!..#....,./Dl.....t. .....]...w.1.7Dh.n#.<.<O./..9.+.B.OkR.....|..._p9........)M.=.~/.1....^..q ...i...+a...w.^...g..X.8..qT..iR.O.......C.|B.."..?.Oo)";.....xHY....d......4.[.E#..".P
        Process:C:\Users\user\AppData\Roaming\mssecsvc.exe
        File Type:data
        Category:dropped
        Size (bytes):30395
        Entropy (8bit):7.9657208412705325
        Encrypted:false
        SSDEEP:768:S0BLCoOrWQvO2rAY7isThanN6O4g1pBQhYtsgxyH5SII:9JCoO6Q2gA6JTiNRnyYi0yHI
        MD5:DADDF894366090009F339017B9B500B2
        SHA1:516EFB61AD886CD16A46D5B80BD2F3DE82A54F80
        SHA-256:09362B0554FE48C5BD4EC973F1A9A7010F331E7C209085831F0609FDA92F89E5
        SHA-512:DFC200F23EABB0315C7B90AAC0A9979FDFD1D513ED10C8F57D2A1E4D37B1ADAE140ED4D29F76E5F43B1E1B7F1A3DBB4DAE49E3B14E77CD0CA9534E28800846C3
        Malicious:false
        Reputation:unknown
        Preview:js......A...A...P.w`Q..|.?(...L......$lk...#.U...0...%*(...6k.y..c.... .*.s..Uy..c.... .*.s..Uy..c.... .*.s..Uy..c.... .*.s..Uy..c.... .*.s..Uy..c.... .*.s..Uy..c.... .*.s..Uy..c.... .*.s..Uy..c.... .*.s..Uy..c.... .*.s..Uy..c.... .*.s..Uy..c.... .*.s..Uy..c.... .*.s..Uy..c.... .*.s..Uy..c.... .*.s..Uy..c.... .*.s..Uy..c.... .*.s..Uy..c.... .*.s..Uy..c.... .*.s..Uy..c.... .*.s..Uy..c.... .*.s..Uy..c.... .*.s..Uy..c.... .*.s..Uy..c.... .*.s..Uy..c.... .*.s..Uy..c.... .*.s..UjGW..M....g.d.!..=..kx.\._A...._...O.wW@.KHu.:......W..........Fu`i.U.60.pGo..a?.$.C..'.~..R.P.n..S.hc...P.".iE.V.....~.9d.R.,.C........f......<0.j.Z.>W......^F.uV.:..m.."0..7.YY.+..Xl....1nF..:oh..K%.......Z.1/..h+c%...1....bh.jn.t ..;...o.A$.6:.R..n..y..|..k+v.Xv.kE...p.p.....'....B...n`...r.ILk.)...a.=......GoT..iy*eX..r..^}.:`.k.-y..N..rB.z...g..d.e7@.B"I.....?u7.\.T.......X"}S.Ro...3~;....Tr.].Y..F3d...'....k......Il@&.?...........z&WM.B.#..!...e*2...`:3.s..%.N.16.JT..fB.o..`...:.;......m.
        Process:C:\Users\user\AppData\Roaming\mssecsvc.exe
        File Type:data
        Category:dropped
        Size (bytes):190104
        Entropy (8bit):7.99556642536641
        Encrypted:true
        SSDEEP:3072:93oaLE8pAuN+ABhzxvs0/n2ZNoDRRO1jdCjI0MXYUFCN3Lh1urNXO4pieIjb:aaLEEN+wpHOoDRR8doGXRsarNXBHq
        MD5:57DB3E2C52C36C958B08FF3EBA8AC3AD
        SHA1:10109F3DFA3BD3D25FBC147A6FAA0731A5F50AD9
        SHA-256:84D6BDEE39EAC1333320ACCEF60CC509D14961101C535863B56FF607F700381A
        SHA-512:698786E1D550920C3C51552AEB198B9EC3EE4E09D25A891D4901FD8040A859F97AB47E847E64B9AA5F391E7BFFEF2056CBC5AE430E649B5E24DF872BE9695F0C
        Malicious:true
        Reputation:unknown
        Preview:81..}...iZ.)..|.....p~..euv.f4o..~.cKt;.@....hp.T..@t"9....m....~.+u...K.+9.<....5M....zj.D/.ku.6..^8..NQ#4J.o.+>..r.%.a....d...1..3;.....3.??.i......?.iey.....t..]9...+......... .._b......Iz:..A.....i....(.Q..Ud..H.......Vr}.W....Xd.J."_...].%G...@^.....615G.Q.........6.....y.$..".'..2P.V7U.I/......!E..m.e!.....zf.U.Z.N...!K0......jh..@../!/eOhwV).1.&.Z.a.F.m..NW..31El..U..9.G/..N"....u3...[Y...bz......!.\._<...u.E.$..d.w.T....fw......7.....i.p.^yME..M.!i|..!....$.k.l*3.$.l....r&u<r9....Z'.;."..i!.^...J...#e.._.8,I.....Uu.._.%Zl.C-..{_...*.M[.).rSj..C=..\..e..d...W..n..S.o..fbyK.WzU...Qq..[.W ..N...D...@.q.b..\y..j..1....*3........}..B.....q.P.k..m...3....<......P]:..!p..P......."......?:0&.c2..,..q...... D..v.l..vb..*.q..i.R..K...ZX.NN...y..*.....2>x"...}N.......Y...[P.....uu.9*...W5.ln...P.*....D.`....W..R.m^."......./.9......1B..P~?..U..... }hP...J..k9...W.<}.........X....~..z..c].;..D~.;...^..l8.....L.(K.o..L.%...Ex5k.K.l'.&4K....~.Tt.I...J.
        Process:C:\Users\user\AppData\Roaming\mssecsvc.exe
        File Type:data
        Category:dropped
        Size (bytes):96159
        Entropy (8bit):7.998071263155767
        Encrypted:true
        SSDEEP:1536:8hVj7YelQm4UMNoRQm0wp3hs91tJ2y4xFViQ8IAWqxYwyxI+FGY8Iu7fvCVxLi2g:8Xj7F4Umo50Mh61tJ2y4xcZxtiIiPu71
        MD5:D216992944090AE7C9072B976A5C8F7C
        SHA1:680807F7C0D72695403FA4F531C89339D34B2BD5
        SHA-256:2757BDF85F3E38BC0B4935EEF97D75A26098268DBCC1EF890DA7DD4F11CA8631
        SHA-512:8EC409F23A53641A36E78899E3435F733896AF7B5DB570FE8B822DBC75446E3141531365EA6699BE621D16B6A5B5B7537656154C3074B498759272F198C4C7A2
        Malicious:true
        Reputation:unknown
        Preview:...i'.k.S....2Y`Nac...y.W..3..eu....7.....l.....#..........h/...<....l.5.=F....<).[..;..Y,})".8].C9.\....\.:x..^:^$...L..Hx.G..DR.N(...=xGz...zA....nb,..@%4.m9.D..FG....4U..%X.0s_.4\&.G..E. .....1..#...5l.N`.A.. ......p.d.a.."......XY.FW...1:..W6...".d....R\%..]l.Tq..c...#+,.....6.)......5.....x?....U......Z.~...{...@.....>.8L...o..Tf.t..j.{.M....../.N..I.....G.!.F.7.{..4.S.F1..`.j.^....}5.1..P..VP.=.3..B..a.I..[0....b.`.SF5..3......x."\......xVl..h.0n.E.....^.......0.n........q.k...:.L[.{.....y.6.{....^VW.d......R.....Gr...|[.Z.....];....V.T....2.(*......x7.r=.=/..rw2.\...v..I`..n j.D.....r.......G.....~.W.p.-......X..jy.#.....~W..e.j..}.zo.n.7...Ig...w.._4..{.....1..'\s...'.....hk.\.w.....)..;.G6.>......zU..iB....yiP.y...E.]Yg.X..Fp_u.*.X....ifY.=L..'..rM.x...[B|.`..VU..=.TS9w....g..F....]..a..f..<t........e'8...?I``...n.x..h.vYe.q..[.Q.-.f.8....+.~...#h.Cz.<8.v.Q.!Y..>.k..........8...#L...8x.O.;P.e.`(N.A8...G.a.2..\.......9..4.?...D.?s...
        Process:C:\Users\user\AppData\Roaming\mssecsvc.exe
        File Type:data
        Category:dropped
        Size (bytes):52931
        Entropy (8bit):7.9676024729966075
        Encrypted:false
        SSDEEP:1536:rAoqGdQKbeLe8bJoUtoD6Em8LnCLY2A1w9LyL:rAoqGmotKoD6Et2FAea
        MD5:C1A8BAD45E3DAB5FBC6D5C59BE8CC866
        SHA1:BBE6399F27330F84751B05598CFF03CCDA6C8688
        SHA-256:1F3BE8D7FA592F84A783575D35DACBDD5A81FE1B15798E4F5552E3C24620A0F8
        SHA-512:0F869FAE2B7CA4021BF69E226C28D11EB4F55CBCDD068CE369965D5CCEFBBB466850BEC6CE23337AC5715150E21A902656FA19050BBCDEEA85953E66E94C8C9A
        Malicious:false
        Reputation:unknown
        Preview:l\J.G.1.]...9O..:.Y;...0>.. ..3...L....R.....S.D..-...&....}....m.L..p.#..g...m.L..p.#..g...m.L..p.#..g...m.L..p.#..g...m.L..p.#..g...m.L..p.#..g...m.L..p.#..g...m.L..p.#..g...m.L..p.#..g...m.L..p.#..g...m.L..p.#..g...m.L..p.#..g...m.L..p.#..g...m.L..p.#..g...m.L..p.#..g...m.L..p.#..g...m.L..p.#..g...m.L..p.#..g...m.L..p.#..g...m.L..p.#..g...m.L..p.#..g...m.L..p.#..g...m.L..p.#..g...m.L..p.#..g...m.L..p.#..g...m.L..p.#..g...m.L..p.#..g...m.L..p.#..g...m.L..p.#..g...m.L..p.#..g...m.L..p.#..g......'...s^..\....I{G=h..=.+...;3m....s.8.EY.U.....e..m=..5.gx.m..o.h..Q;\..8.....D.%.w..)J.e.`..4M..m.|.N.,.Ph>...Qj!q.......{..uKv..JZ.#..*.e...+.xC......>O.|&..6.eO3..6.d....h<.=.7.?K.T..V*%6.l?IM..6c_..=./..x.5...d....q.../..n!.6C..u......K.XV.5.*....:.....W...eu..g"..;...JJ]lE...0...O..X.."\...Tv.#Y....(oS..(BOjsN.X......?...'..F..x_w.d.../.K.].yD....G.Fv.a{..F.RD....C.......gz]yjF.Y"Sp#]..n.D.]O.!q.........c..
        Process:C:\Users\user\AppData\Roaming\mssecsvc.exe
        File Type:data
        Category:dropped
        Size (bytes):1791918
        Entropy (8bit):7.11910790138484
        Encrypted:false
        SSDEEP:12288:XdVP9zo8jZ8N9yLiegjW18DIHN66tr3xhPZHuGOvqJqsz7xVpeQ7CO9cEV3h:XbPJpr+61DHfrHlDXvx/B7CO9cEVx
        MD5:565829465E25090C7BAA44CC146D966E
        SHA1:D8E409CB244084A09FEDD6651224B17EA18A0E38
        SHA-256:1022FF92A77C050E5A3B396E59935011E047CE6A04458781C18A32CCE4A5E152
        SHA-512:38520408A5001A19C330B82F5BB4B413BA573CA163FE0E4CA0E58FB49260AC8921CC0BC04ADDDA08A201098A224EE292F7E7B3D819A85F1E75C1C77EDDBB64DC
        Malicious:false
        Reputation:unknown
        Preview:kJ.....o..;....Y.HI\.}.Ol....z....r?x.A.o-../.0.ki5<(.."v'..Rz.....z~s'..J..Rz.....z~s'..J..Rz.....z~s'..J..Rz.....z~s'..J..Rz.....z~s'..J..Rz.....z~s'..J..Rz.....z~s'..J..Rz.....z~s'..J..Rz.....z~s'..J..Rz.....z~s'..J..Rz.....z~s'..J..Rz.....z~s'..J..Rz.....z~s'..J..Rz.....z~s'..J..Rz.....z~s'..J..Rz.....z~s'..J..Rz.....z~s'..J..Rz.....z~s'..J..Rz.....z~s'..J..Rz.....z~s'..J..Rz.....z~s'..J..Rz.....z~s'..J..Rz.....z~s'..J..Rz.....z~s'..J..Rz.....z~s'..J..Rz.....z~s'..J..Rz.....z~s'..J..Rz.....z~s'..J..Rz.....z~s'..J..Rz.....z~s'..J..Rz.....z~s'..J..q.J...a..q...w.,z.i..V2....-oU.w..a...u8..".(:.9..7.jU...YV..u9.#...4.t4O%8.O........ii..})&.U/...N!..T..<.a..S<.\$H.r.....M.$-.....u....1VO;....U,L.......<.RR... .|...OJ...c.........'...y .....0.h.&..[.?....k.@\N.A^..x%<...I....I.m'/5..w..'.......-!h..G..;.3cH.[..g\......[...p./.fm==c.U..=L.}.._......GPW3.j.......Xck...e.eTE!.3X.-_L..CI.gi+.....U..nr,...Z...(".i..9j0a...."LQcL..c....x.......Az...(.....R.i.u..p
        Process:C:\Users\user\AppData\Roaming\mssecsvc.exe
        File Type:data
        Category:dropped
        Size (bytes):43509
        Entropy (8bit):7.979886474259241
        Encrypted:false
        SSDEEP:768:loE+sZon70j+No2YDIAh93WXrYZig3N6gRNxLoOWSEZGJCIb5QJgGlj3:1+sWn70YYDIAhpWXudJfoOWSEeCIV+d
        MD5:6BD3A0B6B5225388081C183EAD07660C
        SHA1:D63E8F60DCA3BA1B3852DA50D666A93DD6D73512
        SHA-256:F9B871361AD050F1A56E6904FC679272FF4E9EEEB4487C74294358308E0AF725
        SHA-512:07C36865188CF602DEC98323D632DDD9710A8ECBE04428D9EFDD63D09DCFFDB1ACD3B554E6B258A4E64287FDEA93FCBEE4EF157BAE319E3AF12ACD0F0333D4E9
        Malicious:false
        Reputation:unknown
        Preview:z..3.D.....R....Jb.s....oWQ.lc!....'c...O.K..... .'..+y3....Jx.?...Cw+....Jx.?...Cw+....Jx.?...Cw+....Jx.?...Cw+....Jx.?...Cw+....Jx.?...Cw+....Jx.?...Cw+....Jx.?...Cw+....Jx.?...Cw+....Jx.?...Cw+....Jx.?...Cw+....Jx.?...Cw+....Jx.?...Cw+....Jx.?...Cw+....Jx.?...Cw+....Jx.?...Cw+....Jx.?...Cw+....Jx.?...Cw+....Jx.?...Cw+....Jx.?...Cw+....Jx.?...Cw+....Jx.?...Cw+....Jx.?...Cw+....Jx.?...Cw+....Jx.?...Cw+....Jx.?...Cw+..k..."+........X.....WMR.X...D4...C}M.......;..r....e...hz.L...Q.]......L....6j.."x.]..Q"...h....9.;...Xk..._..="..B.u.j.....U(.J.......Q~...(.......B.H....\g.......]pk.;.W.Ww.8........$m.Y.N..G`.1.?..%._....v.9...$p zT.S...[.{Gq.C~./.l.}....H/..O.<.C4j.S....B3...}^Jn..<..S.'......%M......i...>.d.....'w..:.K..7..}......S..6.Zt...H.........b..".....~.]v.C...ZvlW..%..Y.u.l....".V......3.Ln.1..Q...S.3.J..^..c1.........J7.d......Is.......q2_t..e.a...J4K7.o.s..;X....m..~.u*V.J........xk..9.c.....<.
        Process:C:\Users\user\AppData\Roaming\mssecsvc.exe
        File Type:data
        Category:dropped
        Size (bytes):654681
        Entropy (8bit):7.999498170265737
        Encrypted:true
        SSDEEP:12288:37OeTH9ZQXRc+ubA7kA+5x8fgH55nqCh/rhRqRWAIAIpl6QrsqbfRUNY:qeRZ+1iwkFr8fabzh/VIUAlIqQrTfyY
        MD5:8247CBF7DABBD994D6A70B69DE823D00
        SHA1:7126B983461CDE61DD20E5DE6D39908164FC0739
        SHA-256:AD24BF392D75BBBB8BC2424B3E33578FE9A3D84B47DB3293B42B3A2B5E41A89D
        SHA-512:EB659F94526EE4BB2B7C0FF9C93D008F5DE0A7FACA9546D52CFA7EFD991A1013D58E0A1ECAD0C657E52F869ECB778810811ECA46BB3B14E8E368F42DEFF4834F
        Malicious:true
        Reputation:unknown
        Process:C:\Users\user\AppData\Roaming\mssecsvc.exe
        File Type:data
        Category:dropped
        Size (bytes):17927
        Entropy (8bit):7.909568514275104
        Encrypted:false
        SSDEEP:384:j1nPPY0As6vpr2VWdxgc0vAi6IKXIgQBrjtvrrSndi164:5PPYds6vpr2Vd4bYDBfSgT
        MD5:ED39CDE7F870C52CFB139B43C852C69B
        SHA1:32B34D0C0BAF2B9609C8408553A3EA9182D49261
        SHA-256:BAE301068793995EC294E4CE6B58FC3F4D4B635FAC4B9DC270FAE1A535A38D13
        SHA-512:7243BABEA1522D93889D1988F12E1D6C61E9C4245307CA0B58244A18B7BCF7757B998B5F37CEB8FB6623314235A07683D61452F954B84CE07E9F745224852AC0
        Malicious:false
        Reputation:unknown
        Process:C:\Users\user\AppData\Roaming\mssecsvc.exe
        File Type:data
        Category:dropped
        Size (bytes):53280
        Entropy (8bit):7.970312107786903
        Encrypted:false
        SSDEEP:1536:1U1U/TvYPeqpXD04GF9zza7VKJAWi1dgYT1lvZ:1+cTQPe14sO5XbT13
        MD5:86FF89F32061D780210D58A251C86443
        SHA1:E2D4D5C1A466A9E0BFCA7FAD3A5404B895B8BD33
        SHA-256:9DD4FB5563274AB63C9A4821CD316550A97CD6B657D6431D7BF915269D1BA3A6
        SHA-512:75C173603423FAADEDDE74C23B453B27013A4B4BADA9BA329ECADB0432E5221B20A2097E3B823D7145BF38E3CBF88D99AE205CFC6842113EBECC97A7365CFC5E
        Malicious:false
        Reputation:unknown
        Process:C:\Users\user\AppData\Roaming\mssecsvc.exe
        File Type:data
        Category:dropped
        Size (bytes):276571
        Entropy (8bit):7.997830022273562
        Encrypted:true
        SSDEEP:6144:V0dxX7TAimkIBScbw+itkn1/ZA+jMfpAUHnKY1AW9s+:kX7T2lu+iGjSk+
        MD5:CFA5BCCD3AAD3FB7F0A1ACB10956E69C
        SHA1:5A583A2E9629AF8DEBEBCC9163BF191F70012F36
        SHA-256:E4E1897B688986B135E5615756614B41D48335EB6D70A5F2DD468B8738CB6D67
        SHA-512:504D772EE16EDCFA144E1E444737E7A7247B704E80EAEACE8C69F50B69DC3167216C587D82EE32A0363DB7542057F451BB01ADCBF631D179D3288BD89CA553C4
        Malicious:true
        Reputation:unknown
        Process:C:\Users\user\AppData\Roaming\mssecsvc.exe
        File Type:data
        Category:dropped
        Size (bytes):49018
        Entropy (8bit):7.9596318899966425
        Encrypted:false
        SSDEEP:768:inTKsUgouToDSTp//FiKj+C5oSvC8vqZbj7NPAwHbp:y5HVd38lSvHvUbnZXbp
        MD5:60DBF1043BA896DC9411A0D07BC13CCF
        SHA1:F12AD1D85FBF8015DE5296C24ABFB75D88B1348F
        SHA-256:CE5222D8385E9DFF496287005F4FFC13369A213D50DCFDCEDEE3362314A8B420
        SHA-512:1ACE6761D14C930D9D8BA27025DF39E35D38DE8054004BA2469F6F02888957AC19E289744A74798338E2B45DCCD572425E29523581866D9F3F291658F579A1C0
        Malicious:false
        Reputation:unknown
        Process:C:\Users\user\AppData\Roaming\mssecsvc.exe
        File Type:data
        Category:dropped
        Size (bytes):1242213
        Entropy (8bit):7.999634413712396
        Encrypted:true
        SSDEEP:24576:Rj1VuOkvj/0SdiCt+IKVwBC/ZqhfY9RRyo9gBw8b:Zavj/0Yp+i8cgRRyTKo
        MD5:56CBE54BE516C0D6B68F9AEC7C2C09DF
        SHA1:5B8DFFF7A6045D31C09BFD61825212A3F5371EF6
        SHA-256:2EE7DB154B60346A282BC2A6A99F812B655B437BE62B8F4445F76FEFF8724ED0
        SHA-512:A79A8AB03B117E74A37D881DF6560D90C73E498FC98165EADBA009A4BF067A80501D863FCC4CEAA7A85A0515339C705A4BE217177FD3B1AD99BC79299EA65916
        Malicious:true
        Reputation:unknown
        Process:C:\Users\user\AppData\Roaming\mssecsvc.exe
        File Type:data
        Category:dropped
        Size (bytes):188476
        Entropy (8bit):7.969934223869807
        Encrypted:false
        SSDEEP:3072:AVSXBsdRdD/pIYUe/1lSzo9bFq73r/aXLhOnbI6T0AjX3jy/PG:Iq++Ne/Go9g7byXtOnU6TJL0PG
        MD5:FA20C0B99B6CC4332039D4652109B715
        SHA1:45C7CD4897E21AFF5AF1170FC38B8CA8570CB92A
        SHA-256:68DA8609BDADAEC69A50B27BA644A33290516D57C3218D4893A5FDCAE6541D88
        SHA-512:B37B9D7E61885394254926040B45E692A99E1268A380BAD13ECB8CE762E505A525E1865A92BA7D5263297CB6E36DD5D31C3F4A82873C1D0481C3E39FFC13D9A8
        Malicious:false
        Reputation:unknown
        Process:C:\Users\user\AppData\Roaming\mssecsvc.exe
        File Type:data
        Category:dropped
        Size (bytes):21499
        Entropy (8bit):7.932888401973733
        Encrypted:false
        SSDEEP:384:qKy6mCXq0R7T/u/Me9arRvqxGmPuUSMLAjf1GHLX6EQKZJyh9I:qKzmGv2pcFqYmPuH1GHr6HKZJwI
        MD5:0BB4CE0566279048A5103C2ECCF16738
        SHA1:5DF504056A507738A9998108ACFDC5D73C558EF9
        SHA-256:96C0712D8583C80A586EF0331672DBEBF692CAE5698E626538837F1F00FA7CE5
        SHA-512:B7536FC6DFF621DF661270A7E83F3F437CCC2B2EAD2CD176F71B118C836B202FA8FB4FB2E0EEEFCB852EC9B717FC31B670099E4AB7861EA058A00005B5EC468C
        Malicious:false
        Reputation:unknown
        Process:C:\Users\user\AppData\Roaming\mssecsvc.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):885
        Entropy (8bit):5.145451217460208
        Encrypted:false
        SSDEEP:24:wgI3Y3KjzSPIySFRQQTFRtfshbAtl1FKHs8:wgOvATQhf+ktljOl
        MD5:9516268D6B0CA9CC88F84AA841317992
        SHA1:4D7100203F3DFC1A7E8F0D25154090EC4618D423
        SHA-256:896EBA0FD45BBF05300B18060050775BA3033E0CFFE50EF79307118420A5DA6C
        SHA-512:D5579E2A726D446860C293125B5B18386EF8CBF509C94B9B8A2AE11E6247348349B6747B9080BF823A7C123378DABF14A6A5EF90D4BFD44C0ABB977A2C4F0A7D
        Malicious:false
        Reputation:unknown
        Preview:
            Your IMPORTANT FILES WERE ENCRYPTED on this computer: documents, databases, photos, videos, etc.
            Encryption was prodused using unique public key for this computer.
            To decrypt files, you need to obtain private key and special tool.
            To retrieve the private key and tool find your pc key file with '.key.~xdata~' extension.
            Depending on your operation system version and personal settings, you can find it in:
            'C:/',
            'C:/ProgramData',
            'C:/Documents and Settings/All Users/Application Data',
            'Your Desktop'
            folders (eg. 'C:/PC-TTT54M#45CD.key.~xdata~').
            Then send it to one of following email addresses:
            begins@colocasia.org
            bilbo@colocasia.org
            frodo@colocasia.org
            trevor@thwonderfulday.com
            bob@thwonderfulday.com
            bil@thwonderfulday.com
            Your ID: 116938#E6D33838FD3B3884E7EB26AE0631910A
            Do not worry if you did not find key file, anyway contact for support.
        Process:C:\Users\user\AppData\Roaming\mssecsvc.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):885
        Entropy (8bit):5.145451217460208
        Encrypted:false
        SSDEEP:24:wgI3Y3KjzSPIySFRQQTFRtfshbAtl1FKHs8:wgOvATQhf+ktljOl
        MD5:9516268D6B0CA9CC88F84AA841317992
        SHA1:4D7100203F3DFC1A7E8F0D25154090EC4618D423
        SHA-256:896EBA0FD45BBF05300B18060050775BA3033E0CFFE50EF79307118420A5DA6C
        SHA-512:D5579E2A726D446860C293125B5B18386EF8CBF509C94B9B8A2AE11E6247348349B6747B9080BF823A7C123378DABF14A6A5EF90D4BFD44C0ABB977A2C4F0A7D
        Malicious:false
        Reputation:unknown
        Preview:
            Your IMPORTANT FILES WERE ENCRYPTED on this computer: documents, databases, photos, videos, etc.
            Encryption was prodused using unique public key for this computer.
            To decrypt files, you need to obtain private key and special tool.
            To retrieve the private key and tool find your pc key file with '.key.~xdata~' extension.
            Depending on your operation system version and personal settings, you can find it in:
            'C:/',
            'C:/ProgramData',
            'C:/Documents and Settings/All Users/Application Data',
            'Your Desktop'
            folders (eg. 'C:/PC-TTT54M#45CD.key.~xdata~').
            Then send it to one of following email addresses:
            begins@colocasia.org
            bilbo@colocasia.org
            frodo@colocasia.org
            trevor@thwonderfulday.com
            bob@thwonderfulday.com
            bil@thwonderfulday.com
            Your ID: 116938#E6D33838FD3B3884E7EB26AE0631910A
            Do not worry if you did not find key file, anyway contact for support.
        Process:C:\Users\user\AppData\Roaming\mssecsvc.exe
        File Type:data
        Category:dropped
        Size (bytes):1730
        Entropy (8bit):7.901785967030455
        Encrypted:false
        SSDEEP:48:DIPCCqnf9BySC3AZGus7AUaFsswTI7+XDymaSNu+1:DIKnDyUE7AUassCk+XWmlN31
        MD5:C0D437C30345AED315BDF02EC8021DC3
        SHA1:4DF9F8A4B58E01B816469E88E495B839DB33CDAE
        SHA-256:82E0D9E0953524F27BF5A2A35732DE828691609F7707734DDC5613A2CBC3BE59
        SHA-512:29C333437C1CE834714444F5654A7C0CD5359DEE44057CFF0CBE1A8F1C7F54DDE2D97ED9DE75A3D7892386ACF513DBE3E1F6296F661C90A60F659109D0BD498E
        Malicious:false
        Reputation:unknown
        File type:PE32 executable (GUI) Intel 80386, for MS Windows
        Entropy (8bit):7.922524821451008
        TrID:
        • Win32 Executable (generic) a (10002005/4) 99.96%
        • Generic Win/DOS Executable (2004/3) 0.02%
        • DOS Executable Generic (2002/1) 0.02%
        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
        File name:01730499.exe
        File size:944128
        MD5:c6a2fb56239614924e2ab3341b1fbba5
        SHA1:bdd2ecf290406b8a09eb01016c7658a283c407c3
        SHA256:92ad1b7965d65bfef751cf6e4e8ad4837699165626e25131409d4134f031a497
        SHA512:cbf85b0c97038fbbe48deedc6ae8f173f8a65ce8c0da6e2f0533a9aea1f55eb8783bed6a171315bd6305d57c43887a0cd10eee379657e0c7e8e0ffb8850b4517
        SSDEEP:24576:diQZitpSzuX+gltfyZE25LQv77cMhi7eobIMUGDM5Lna:rZif7+OyZEREei7eob8mM5La
        TLSH:0E15DFC2A7836032FAFE0439852575FD9568A7EB6A0546DA339C43ED4A783C3F510E72
        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......W.Nm.. >.. >.. >...>.. >...>.. >...>.. >.(.>.. >(.#?.. >(.$?.. >(.%?6. >...>.. >..!>.. >..)?.. >...>.. >...>.. >.."?.. >Rich..
        Icon Hash:90cececece8e8eb0
        Entrypoint:0x40622b
        Entrypoint Section:.text
        Digitally signed:false
        Imagebase:0x400000
        Subsystem:windows gui
        Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
        DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
        Time Stamp:0x545C82E4 [Fri Nov 7 08:29:24 2014 UTC]
        TLS Callbacks:
        CLR (.Net) Version:
        OS Version Major:5
        OS Version Minor:1
        File Version Major:5
        File Version Minor:1
        Subsystem Version Major:5
        Subsystem Version Minor:1
        Import Hash:d0cbfb70904a6c2c4f1d40179a3943a5
        Instruction
        call 00007F65A1174D26h
        jmp 00007F65A1174783h
        push ebp
        mov ebp, esp
        test byte ptr [ebp+08h], 00000001h
        push esi
        mov esi, ecx
        mov dword ptr [esi], 004172B4h
        je 00007F65A11748FCh
        push 0000000Ch
        push esi
        call 00007F65A117469Dh
        pop ecx
        pop ecx
        mov eax, esi
        pop esi
        pop ebp
        retn 0004h
        push ebp
        mov ebp, esp
        push 00000000h
        call dword ptr [00417110h]
        push dword ptr [ebp+08h]
        call dword ptr [0041710Ch]
        push C0000409h
        call dword ptr [00417020h]
        push eax
        call dword ptr [00417114h]
        pop ebp
        ret
        push ebp
        mov ebp, esp
        sub esp, 00000324h
        push 00000017h
        call 00007F65A1183C9Bh
        test eax, eax
        je 00007F65A11748F7h
        push 00000002h
        pop ecx
        int 29h
        mov dword ptr [00421B08h], eax
        mov dword ptr [00421B04h], ecx
        mov dword ptr [00421B00h], edx
        mov dword ptr [00421AFCh], ebx
        mov dword ptr [00421AF8h], esi
        mov dword ptr [00421AF4h], edi
        mov word ptr [00421B20h], ss
        mov word ptr [00421B14h], cs
        mov word ptr [00421AF0h], ds
        mov word ptr [00421AECh], es
        mov word ptr [00421AE8h], fs
        mov word ptr [00421AE4h], gs
        pushfd
        pop dword ptr [00421B18h]
        mov eax, dword ptr [ebp+00h]
        mov dword ptr [00001B0Ch], eax
        Programming Language:
        • [IMP] VS2008 SP1 build 30729
        • [RES] VS2015 UPD3 build 24213
        • [LNK] VS2015 UPD3.1 build 24215
        Name | Virtual Address | Virtual Size | Is in Section
        IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1f6d4 | 0x78 | .rdata
        IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x24000 | 0xc5958 | .rsrc
        IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xea000 | 0x151c | .reloc
        IMAGE_DIRECTORY_ENTRY_DEBUG | 0x1e510 | 0x38 | .rdata
        IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x1e548 | 0x40 | .rdata
        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_IAT | 0x17000 | 0x1f4 | .rdata
        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
        Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
        .text | 0x1000 | 0x15268 | 0x15400 | False | 0.5764476102941176 | data | 6.633428558651124 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
        .rdata | 0x17000 | 0x916a | 0x9200 | False | 0.5217251712328768 | data | 5.809609557723338 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
        .data | 0x21000 | 0x1548 | 0xc00 | False | 0.1826171875 | data | 2.427997988755804 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
        .gfids | 0x23000 | 0x11c | 0x200 | False | 0.3671875 | data | 2.061872850815981 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
        .rsrc | 0x24000 | 0xc5958 | 0xc5a00 | False | 0.930816631087919 | data | 7.990920930212092 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
        .reloc | 0xea000 | 0x151c | 0x1600 | False | 0.7958096590909091 | data | 6.523488547979921 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
        Name | RVA | Size | Type | Language | Country
        PIC | 0x24140 | 0x20800 | data | Russian | Russia
        PIC | 0x44940 | 0x41600 | data | Russian | Russia
        PIC | 0x85f40 | 0x10c00 | data | Russian | Russia
        PIC | 0x96b40 | 0x52c98 | data | Russian | Russia
        RT_MANIFEST | 0xe97d8 | 0x17d | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States
        DLL | Import
        KERNEL32.dll | VirtualFree, GetCurrentProcess, WriteFile, VirtualAlloc, InterlockedDecrement, CreateNamedPipeW, WaitForMultipleObjects, LeaveCriticalSection, InitializeCriticalSection, GetEnvironmentVariableW, WaitForSingleObject, CreateFileW, GetFileAttributesW, GetModuleHandleA, CreateToolhelp32Snapshot, CreateEventW, Sleep, GetLastError, Process32NextW, SetEvent, TerminateThread, LoadLibraryA, EnterCriticalSection, DeleteFileW, Process32FirstW, CloseHandle, CreateThread, LoadResource, FindResourceW, GetOverlappedResult, GetProcAddress, VirtualAllocEx, DeleteCriticalSection, CreateProcessW, GetModuleHandleW, FreeLibrary, CopyFileW, CreateRemoteThread, InterlockedIncrement, GetTickCount, VirtualQuery, ConnectNamedPipe, ReadConsoleW, SetEndOfFile, VirtualProtect, WriteProcessMemory, GetFileSizeEx, CancelIo, SizeofResource, LockResource, ReadFile, HeapReAlloc, HeapSize, WriteConsoleW, SetFilePointerEx, FlushFileBuffers, GetProcessHeap, GetStringTypeW, GetFileType, SetStdHandle, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, EncodePointer, RaiseException, SetLastError, RtlUnwind, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, GetStdHandle, GetModuleFileNameW, MultiByteToWideChar, WideCharToMultiByte, ExitProcess, GetModuleHandleExW, GetACP, HeapFree, HeapAlloc, GetConsoleCP, GetConsoleMode, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, LCMapStringW, DecodePointer
        USER32.dll | wsprintfW
        ADVAPI32.dll | AdjustTokenPrivileges, LookupPrivilegeNameW, OpenProcessToken, GetTokenInformation
        IPHLPAPI.DLL | GetAdaptersInfo
        WS2_32.dll | closesocket, select, WSAStartup, __WSAFDIsSet, connect, htonl, htons, ioctlsocket, WSACleanup, socket
        Language of compilation system | Country where language is spoken | Map
        Russian | Russia
        English | United States
        Timestamp | Source Port | Dest Port | Source IP | Dest IP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jun 9, 2023 08:51:21.564712048 CEST | 138 | 138 | 192.168.2.5 | 192.168.2.255
        • login.live.com
        • www.bing.com
        • https:
        Target ID:0
        Start time:08:51:09
        Start date:09/06/2023
        Path:C:\Users\user\Desktop\01730499.exe
        Wow64 process (32bit):true
        Commandline:C:\Users\user\Desktop\01730499.exe
        Imagebase:0x1310000
        File size:944128 bytes
        MD5 hash:C6A2FB56239614924E2AB3341B1FBBA5
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:low

        Target ID:1
        Start time:08:51:10
        Start date:09/06/2023
        Path:C:\Users\user\AppData\Roaming\mssecsvc.exe
        Wow64 process (32bit):true
        Commandline:C:\Users\user\AppData\Roaming\mssecsvc.exe
        Imagebase:0xd70000
        File size:68608 bytes
        MD5 hash:A0A7022CAA8BD8761D6722FE3172C0AF
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Antivirus matches:
        • Detection: 95%, ReversingLabs
        Reputation:low

        Target ID:2
        Start time:08:51:14
        Start date:09/06/2023
        Path:C:\Users\user\AppData\Roaming\003cea9a.exe
        Wow64 process (32bit):false
        Commandline:C:\Users\user\AppData\Roaming\003cea9a.exe
        Imagebase:0x7ff6214c0000
        File size:267776 bytes
        MD5 hash:A49C9B9DA9D7F686AB7D8A696DDAE3F0
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Yara matches:
        • Rule: mimikatz, Description: mimikatz, Source: 00000002.00000002.403408739.0000000180022000.00000004.00001000.00020000.00000000.sdmp, Author: Benjamin DELPY (gentilkiwi)
        • Rule: mimikatz, Description: mimikatz, Source: 00000002.00000002.403478675.00000226A3A5E000.00000004.00000020.00020000.00000000.sdmp, Author: Benjamin DELPY (gentilkiwi)
        • Rule: JoeSecurity_Mimikatz_2, Description: Yara detected Mimikatz, Source: 00000002.00000002.403478675.00000226A3A5E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
        • Rule: LimaCharlie, Description: unknown, Source: C:\Users\user\AppData\Roaming\003cea9a.exe, Author: Novetta Threat Research & Interdiction Group - trig@novetta.com
        Antivirus matches:
        • Detection: 100%, Avira
        • Detection: 100%, Joe Sandbox ML
        • Detection: 75%, ReversingLabs
• Detection: 78%, Virustotal
        Reputation:low

        Target ID:3
        Start time:08:51:15
        Start date:09/06/2023
        Path:C:\Windows\SysWOW64\notepad.exe
        Wow64 process (32bit):true
        Commandline:C:\Windows\system32\notepad.exe
        Imagebase:0x1380000
        File size:236032 bytes
        MD5 hash:D693F13FE3AA2010B854C4C60671B8E2
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high

        Target ID:6
        Start time:08:51:19
        Start date:09/06/2023
        Path:C:\Windows\SysWOW64\cmd.exe
        Wow64 process (32bit):true
        Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\72A3.tmp.bat" "
        Imagebase:0x11d0000
        File size:232960 bytes
        MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high

        Target ID:7
        Start time:08:51:20
        Start date:09/06/2023
        Path:C:\Windows\System32\conhost.exe
        Wow64 process (32bit):false
        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Imagebase:0x7ff7fcd70000
        File size:625664 bytes
        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high

        Target ID:8
        Start time:08:51:20
        Start date:09/06/2023
        Path:C:\Windows\SysWOW64\timeout.exe
        Wow64 process (32bit):true
        Commandline:timeout /T 10
        Imagebase:0x1270000
        File size:26112 bytes
        MD5 hash:121A4EDAE60A7AF6F5DFA82F7BB95659
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high

        Target ID:10
        Start time:08:51:30
        Start date:09/06/2023
        Path:C:\Windows\SysWOW64\cmd.exe
        Wow64 process (32bit):true
        Commandline:C:\Windows\system32\cmd.exe /c bcdedit
        Imagebase:0x11d0000
        File size:232960 bytes
        MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high

        Target ID:11
        Start time:08:51:30
        Start date:09/06/2023
        Path:C:\Windows\SysWOW64\cmd.exe
        Wow64 process (32bit):true
        Commandline:C:\Windows\system32\cmd.exe /c wevtutil.exe el
        Imagebase:0x11d0000
        File size:232960 bytes
        MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language

        Target ID:12
        Start time:08:51:30
        Start date:09/06/2023
        Path:C:\Windows\SysWOW64\wevtutil.exe
        Wow64 process (32bit):true
        Commandline:wevtutil.exe el
        Imagebase:0x950000
        File size:167936 bytes
        MD5 hash:27C3944EC1E3CAD62641ECBCEB107EE9
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language

        Target ID:13
        Start time:08:51:32
        Start date:09/06/2023
        Path:C:\Windows\SysWOW64\wevtutil.exe
        Wow64 process (32bit):true
        Commandline:wevtutil.exe cl "AMSI/Operational"
        Imagebase:0x950000
        File size:167936 bytes
        MD5 hash:27C3944EC1E3CAD62641ECBCEB107EE9
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language

        Target ID:14
        Start time:08:51:32
        Start date:09/06/2023
        Path:C:\Windows\SysWOW64\wevtutil.exe
        Wow64 process (32bit):true
        Commandline:wevtutil.exe cl "AirSpaceChannel"
        Imagebase:0x950000
        File size:167936 bytes
        MD5 hash:27C3944EC1E3CAD62641ECBCEB107EE9
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language

        Target ID:15
        Start time:08:51:33
        Start date:09/06/2023
        Path:C:\Windows\SysWOW64\wevtutil.exe
        Wow64 process (32bit):true
        Commandline:wevtutil.exe cl "Analytic"
        Imagebase:0x950000
        File size:167936 bytes
        MD5 hash:27C3944EC1E3CAD62641ECBCEB107EE9
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language

        Target ID:16
        Start time:08:51:33
        Start date:09/06/2023
        Path:C:\Windows\SysWOW64\wevtutil.exe
        Wow64 process (32bit):true
        Commandline:wevtutil.exe cl "Application"
        Imagebase:0x950000
        File size:167936 bytes
        MD5 hash:27C3944EC1E3CAD62641ECBCEB107EE9
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language

        Target ID:17
        Start time:08:51:34
        Start date:09/06/2023
        Path:C:\Windows\SysWOW64\wevtutil.exe
        Wow64 process (32bit):true
        Commandline:wevtutil.exe cl "DebugChannel"
        Imagebase:0x950000
        File size:167936 bytes
        MD5 hash:27C3944EC1E3CAD62641ECBCEB107EE9
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language

        Target ID:18
        Start time:08:51:34
        Start date:09/06/2023
        Path:C:\Windows\SysWOW64\wevtutil.exe
        Wow64 process (32bit):true
        Commandline:wevtutil.exe cl "DirectShowFilterGraph"
        Imagebase:0x950000
        File size:167936 bytes
        MD5 hash:27C3944EC1E3CAD62641ECBCEB107EE9
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language

        Target ID:19
        Start time:08:51:35
        Start date:09/06/2023
        Path:C:\Windows\SysWOW64\wevtutil.exe
        Wow64 process (32bit):true
        Commandline:wevtutil.exe cl "DirectShowPluginControl"
        Imagebase:0x950000
        File size:167936 bytes
        MD5 hash:27C3944EC1E3CAD62641ECBCEB107EE9
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language

        Target ID:21
        Start time:08:51:36
        Start date:09/06/2023
        Path:C:\Windows\SysWOW64\wevtutil.exe
        Wow64 process (32bit):true
        Commandline:wevtutil.exe cl "Els_Hyphenation/Analytic"
        Imagebase:0x950000
        File size:167936 bytes
        MD5 hash:27C3944EC1E3CAD62641ECBCEB107EE9
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language

        Target ID:22
        Start time:08:51:37
        Start date:09/06/2023
        Path:C:\Windows\SysWOW64\wevtutil.exe
        Wow64 process (32bit):true
        Commandline:wevtutil.exe cl "EndpointMapper"
        Imagebase:0x950000
        File size:167936 bytes
        MD5 hash:27C3944EC1E3CAD62641ECBCEB107EE9
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language

        Target ID:23
        Start time:08:51:37
        Start date:09/06/2023
        Path:C:\Windows\SysWOW64\wevtutil.exe
        Wow64 process (32bit):true
        Commandline:wevtutil.exe cl "FirstUXPerf-Analytic"
        Imagebase:0x950000
        File size:167936 bytes
        MD5 hash:27C3944EC1E3CAD62641ECBCEB107EE9
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language

        Target ID:24
        Start time:08:51:37
        Start date:09/06/2023
        Path:C:\Windows\SysWOW64\wevtutil.exe
        Wow64 process (32bit):true
        Commandline:wevtutil.exe cl "ForwardedEvents"
        Imagebase:0x950000
        File size:167936 bytes
        MD5 hash:27C3944EC1E3CAD62641ECBCEB107EE9
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language

        Target ID:25
        Start time:08:51:38
        Start date:09/06/2023
        Path:C:\Windows\SysWOW64\wevtutil.exe
        Wow64 process (32bit):true
        Commandline:wevtutil.exe cl "General Logging"
        Imagebase:0x950000
        File size:167936 bytes
        MD5 hash:27C3944EC1E3CAD62641ECBCEB107EE9
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language

        Target ID:26
        Start time:08:51:38
        Start date:09/06/2023
        Path:C:\Windows\SysWOW64\wevtutil.exe
        Wow64 process (32bit):true
        Commandline:wevtutil.exe cl "HardwareEvents"
        Imagebase:0x950000
        File size:167936 bytes
        MD5 hash:27C3944EC1E3CAD62641ECBCEB107EE9
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language

        Target ID:27
        Start time:08:51:38
        Start date:09/06/2023
        Path:C:\Windows\SysWOW64\wevtutil.exe
        Wow64 process (32bit):true
        Commandline:wevtutil.exe cl "IHM_DebugChannel"
        Imagebase:0x950000
        File size:167936 bytes
        MD5 hash:27C3944EC1E3CAD62641ECBCEB107EE9
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language

        Target ID:28
        Start time:08:51:39
        Start date:09/06/2023
        Path:C:\Windows\SysWOW64\wevtutil.exe
        Wow64 process (32bit):true
        Commandline:wevtutil.exe cl "Intel-iaLPSS-GPIO/Analytic"
        Imagebase:0x950000
        File size:167936 bytes
        MD5 hash:27C3944EC1E3CAD62641ECBCEB107EE9
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language

        Target ID:29
        Start time:08:51:39
        Start date:09/06/2023
        Path:C:\Windows\SysWOW64\wevtutil.exe
        Wow64 process (32bit):true
        Commandline:wevtutil.exe cl "Intel-iaLPSS-I2C/Analytic"
        Imagebase:0x950000
        File size:167936 bytes
        MD5 hash:27C3944EC1E3CAD62641ECBCEB107EE9
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language

        Target ID:30
        Start time:08:51:39
        Start date:09/06/2023
        Path:C:\Windows\SysWOW64\wevtutil.exe
        Wow64 process (32bit):true
        Commandline:wevtutil.exe cl "Intel-iaLPSS2-GPIO2/Debug"
        Imagebase:0x950000
        File size:167936 bytes
        MD5 hash:27C3944EC1E3CAD62641ECBCEB107EE9
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language

        Target ID:31
        Start time:08:51:39
        Start date:09/06/2023
        Path:C:\Windows\SysWOW64\wevtutil.exe
        Wow64 process (32bit):true
        Commandline:wevtutil.exe cl "Intel-iaLPSS2-GPIO2/Performance"
        Imagebase:0x950000
        File size:167936 bytes
        MD5 hash:27C3944EC1E3CAD62641ECBCEB107EE9
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language

        Target ID:32
        Start time:08:51:40
        Start date:09/06/2023
        Path:C:\Windows\SysWOW64\wevtutil.exe
        Wow64 process (32bit):true
        Commandline:wevtutil.exe cl "Intel-iaLPSS2-I2C/Debug"
        Imagebase:0x950000
        File size:167936 bytes
        MD5 hash:27C3944EC1E3CAD62641ECBCEB107EE9
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language

        Target ID:33
        Start time:08:51:40
        Start date:09/06/2023
        Path:C:\Windows\SysWOW64\wevtutil.exe
        Wow64 process (32bit):true
        Commandline:wevtutil.exe cl "Intel-iaLPSS2-I2C/Performance"
        Imagebase:0x950000
        File size:167936 bytes
        MD5 hash:27C3944EC1E3CAD62641ECBCEB107EE9
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language

        Target ID:34
        Start time:08:51:41
        Start date:09/06/2023
        Path:C:\Windows\SysWOW64\wevtutil.exe
        Wow64 process (32bit):true
        Commandline:wevtutil.exe cl "Internet Explorer"
        Imagebase:0x950000
        File size:167936 bytes
        MD5 hash:27C3944EC1E3CAD62641ECBCEB107EE9
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language

        Target ID:35
        Start time:08:51:41
        Start date:09/06/2023
        Path:C:\Windows\SysWOW64\wevtutil.exe
        Wow64 process (32bit):true
        Commandline:wevtutil.exe cl "Key Management Service"
        Imagebase:0x950000
        File size:167936 bytes
        MD5 hash:27C3944EC1E3CAD62641ECBCEB107EE9
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language

        Target ID:36
        Start time:08:51:42
        Start date:09/06/2023
        Path:C:\Windows\SysWOW64\wevtutil.exe
        Wow64 process (32bit):true
        Commandline:wevtutil.exe cl "MF_MediaFoundationDeviceProxy"
        Imagebase:0x950000
        File size:167936 bytes
        MD5 hash:27C3944EC1E3CAD62641ECBCEB107EE9
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language

        Target ID:37
        Start time:08:51:43
        Start date:09/06/2023
        Path:C:\Windows\SysWOW64\wevtutil.exe
        Wow64 process (32bit):true
        Commandline:wevtutil.exe cl "MedaFoundationVideoProc"
        Imagebase:0x950000
        File size:167936 bytes
        MD5 hash:27C3944EC1E3CAD62641ECBCEB107EE9
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language

        Target ID:38
        Start time:08:51:44
        Start date:09/06/2023
        Path:C:\Windows\SysWOW64\wevtutil.exe
        Wow64 process (32bit):true
        Commandline:wevtutil.exe cl "MedaFoundationVideoProcD3D"
        Imagebase:0x950000
        File size:167936 bytes
        MD5 hash:27C3944EC1E3CAD62641ECBCEB107EE9
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language

        Target ID:39
        Start time:08:51:47
        Start date:09/06/2023
        Path:C:\Windows\SysWOW64\wevtutil.exe
        Wow64 process (32bit):true
        Commandline:wevtutil.exe cl "MediaFoundationAsyncWrapper"
        Imagebase:0x950000
        File size:167936 bytes
        MD5 hash:27C3944EC1E3CAD62641ECBCEB107EE9
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language

        Target ID:40
        Start time:08:51:47
        Start date:09/06/2023
        Path:C:\Windows\SysWOW64\wevtutil.exe
        Wow64 process (32bit):true
        Commandline:wevtutil.exe cl "MediaFoundationContentProtection"
        Imagebase:0x950000
        File size:167936 bytes
        MD5 hash:27C3944EC1E3CAD62641ECBCEB107EE9
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language

        Target ID:41
        Start time:08:51:48
        Start date:09/06/2023
        Path:C:\Windows\SysWOW64\wevtutil.exe
        Wow64 process (32bit):true
        Commandline:wevtutil.exe cl "MediaFoundationDS"
        Imagebase:0x950000
        File size:167936 bytes
        MD5 hash:27C3944EC1E3CAD62641ECBCEB107EE9
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language

        Target ID:42
        Start time:08:51:49
        Start date:09/06/2023
        Path:C:\Windows\SysWOW64\wevtutil.exe
        Wow64 process (32bit):true
        Commandline:wevtutil.exe cl "MediaFoundationDeviceProxy"
        Imagebase:0x950000
        File size:167936 bytes
        MD5 hash:27C3944EC1E3CAD62641ECBCEB107EE9
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language

        Target ID:43
        Start time:08:51:51
        Start date:09/06/2023
        Path:C:\Windows\SysWOW64\wevtutil.exe
        Wow64 process (32bit):true
        Commandline:wevtutil.exe cl "MediaFoundationMediaEngine"
        Imagebase:0x950000
        File size:167936 bytes
        MD5 hash:27C3944EC1E3CAD62641ECBCEB107EE9
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language

        Target ID:44
        Start time:08:51:53
        Start date:09/06/2023
        Path:C:\Windows\SysWOW64\wevtutil.exe
        Wow64 process (32bit):true
        Commandline:wevtutil.exe cl "MediaFoundationPerformance"
        Imagebase:0x950000
        File size:167936 bytes
        MD5 hash:27C3944EC1E3CAD62641ECBCEB107EE9
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
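The process list above records three behaviours worth turning into detection logic: cmd.exe running a *.tmp.bat from the user's Temp directory with a timeout.exe child (the shape behind "Deletes itself after installation"), a cmd /c bcdedit call, and a single `wevtutil.exe el` followed by a burst of `wevtutil.exe cl "<channel>"` calls, one per enumerated log, which is how an attacker wipes every event log without knowing their names in advance. The Python below is an added example, not Joe Sandbox output and not code from the sample; its event records are constructed from the Target entries of this report, and the parent-process links and the rule thresholds (five channels in sixty seconds, a fifteen-second parent/child gap) are assumptions chosen for the example.

```python
"""Detection rules for the process-tree patterns in this report: the wevtutil
enumerate-then-clear burst, cmd /c bcdedit, and the Temp *.tmp.bat + timeout
self-delete stager. Added example; events are constructed from the report."""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class ProcEvent:
    ts: datetime
    image: str           # path of the created process
    cmdline: str
    parent_cmdline: str  # command line of the creating process (assumed)


def _t(hms: str) -> datetime:
    return datetime.strptime("2023-06-09 " + hms, "%Y-%m-%d %H:%M:%S")


_BAT = r'C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\72A3.tmp.bat" "'
_DROPPER = r"C:\Users\user\AppData\Roaming\mssecsvc.exe"

# Constructed from the report's Target entries; parent command lines are assumptions.
SAMPLE = [
    ProcEvent(_t("08:51:19"), r"C:\Windows\SysWOW64\cmd.exe", _BAT,
              r"C:\Users\user\Desktop\01730499.exe"),
    ProcEvent(_t("08:51:20"), r"C:\Windows\SysWOW64\timeout.exe", "timeout /T 10", _BAT),
    ProcEvent(_t("08:51:30"), r"C:\Windows\SysWOW64\cmd.exe",
              r"C:\Windows\system32\cmd.exe /c bcdedit", _DROPPER),
    ProcEvent(_t("08:51:30"), r"C:\Windows\SysWOW64\wevtutil.exe", "wevtutil.exe el",
              r"C:\Windows\system32\cmd.exe /c wevtutil.exe el"),
] + [
    ProcEvent(_t(ts), r"C:\Windows\SysWOW64\wevtutil.exe", f'wevtutil.exe cl "{ch}"', _DROPPER)
    for ts, ch in [("08:51:32", "AMSI/Operational"), ("08:51:32", "AirSpaceChannel"),
                   ("08:51:33", "Analytic"), ("08:51:33", "Application"),
                   ("08:51:34", "DebugChannel"), ("08:51:37", "ForwardedEvents")]
]

_WEVT = re.compile(r"(?:^|\\)wevtutil(?:\.exe)?$", re.I)
_CLEAR = re.compile(r"\s(?:cl|clear-log)\s+\"?([^\"]+?)\"?\s*$", re.I)  # long form too
_ENUM = re.compile(r"\s(?:el|enum-logs)\s*$", re.I)
_TMP_BAT = re.compile(r"\\AppData\\Local\\Temp\\[^\"\s]+\.tmp\.bat", re.I)


def wevtutil_clear_burst(events, min_channels=5, window=timedelta(seconds=60)):
    """Return (sorted channel names, enumerate_seen) when at least min_channels
    distinct logs are cleared through wevtutil inside `window`, else ([], False).
    An el/enum-logs call just before the burst shows the list was generated."""
    clears, enum_ts = [], []
    for e in sorted(events, key=lambda e: e.ts):
        if not _WEVT.search(e.image):
            continue
        m = _CLEAR.search(e.cmdline)
        if m:
            clears.append((e.ts, m.group(1)))
        elif _ENUM.search(e.cmdline):
            enum_ts.append(e.ts)
    for i, (t0, _) in enumerate(clears):
        chans = {c for t, c in clears[i:] if t - t0 <= window}
        if len(chans) >= min_channels:
            enumerated = any(t0 - window <= t <= t0 for t in enum_ts)
            return sorted(chans), enumerated
    return [], False


def bcdedit_calls(events):
    """Every bcdedit reached through cmd.exe /c. The report's call carries no
    arguments, so this flags the invocation, not a proven boot-setting change."""
    return [e for e in events
            if re.search(r"\bcmd(?:\.exe)?\b.*\s/c\s+bcdedit\b", e.cmdline, re.I)]


def temp_bat_self_delete(events, window=timedelta(seconds=15)):
    """cmd.exe running a *.tmp.bat from the user's Temp directory that spawns
    timeout.exe within `window`: the stager shape used to delay self-deletion."""
    hits = []
    for c in events:
        if not (c.image.lower().endswith("\\cmd.exe") and _TMP_BAT.search(c.cmdline)):
            continue
        for t in events:
            if (t.image.lower().endswith("\\timeout.exe") and t.parent_cmdline == c.cmdline
                    and timedelta(0) <= t.ts - c.ts <= window):
                hits.append((c.cmdline, t.cmdline))
                break
    return hits


if __name__ == "__main__":
    chans, enumerated = wevtutil_clear_burst(SAMPLE)
    print(f"log clearing burst: {len(chans)} channels, enumerated first: {enumerated}")
    for e in bcdedit_calls(SAMPLE):
        print("bcdedit via cmd /c:", e.cmdline)
    for cmd, child in temp_bat_self_delete(SAMPLE):
        print("temp batch + timeout stager:", cmd, "->", child)
```

The burst rule keys on the count of distinct channels rather than on any one channel name, since the sample clears whatever `wevtutil el` returned, including obscure analytic and debug channels; a single `wevtutil cl Application` by an administrator stays below the threshold. When feeding real Sysmon Event ID 1 or Security 4688 data, map ParentCommandLine into parent_cmdline and keep the timestamps in one time zone before comparing.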

        No disassembly