e192995a...64da

Severity	Category	Operation	Classification
5/5	File System	Encrypts content of user files	Ransomware
Encrypts the content of multiple user files. This is an indicator for ransomware. ... VTI Actions Go to Function Call
4/5	OS	Modifies Windows automatic backups	-
Deletes Windows volume shadow copies. ... VTI Actions Go to Process
3/5	Process	Creates an unusally large number of processes	-
Above average number of processes were monitored. ... VTI Actions Go to Function Call
2/5	File System	Associated with suspicious files	-
File "c:\users\ciihmnxmn6ps\desktop\scvhost.exe" is a known suspicious file. ... VTI Actions Go to File Details
1/5	Persistence	Installs system startup script or application	-
Adds "C:\Users\CIiHmnxMn6Ps\Desktop\scvhost.exe supermetroidrules" to Windows startup via registry. ... VTI Actions Go to Function Call
1/5	Process	Creates process with hidden window	-
The process "C:\Windows\system32\cmd.exe" starts with hidden window. ... VTI Actions Go to Function Call
1/5	Anti Analysis	Resolves APIs dynamically to possibly evade static detection	-
Resolves an unusually high number of APIs. ... VTI Actions Go to Function Call
1/5	File System	Modifies application directory	-
Modifies "c:\program files\common files\designer\msaddndr.olb.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\clicktorun\c2rheartbeatconfig.xml.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\clicktorun\clientcapabilities.json.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\clicktorun\i640.hash.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\clicktorun\i641033.hash.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\clicktorun\officeupdateschedule.xml.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\clicktorun\servicewatcherschedule.xml.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\ink\alphabet.xml.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\ink\content.xml.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\ink\flickanimation.avi.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\ink\hwrcommonlm.dat.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\ink\hwrenclm.dat.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\ink\hwrlatinlm.dat.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\ink\hwrusalm.dat.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\ink\hwrusash.dat.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\ink\ipsar.xml.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\ink\ipscat.xml.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\ink\ipschs.xml.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\ink\ipscht.xml.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\ink\ipscsy.xml.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\ink\ipsdan.xml.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\ink\ipsdeu.xml.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\ink\ipsel.xml.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\ink\ipsen.xml.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\ink\ipsesp.xml.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\ink\ipsfin.xml.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\ink\ipsfra.xml.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\ink\ipshe.xml.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\ink\ipshi.xml.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\ink\ipshrv.xml.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\ink\ipsid.xml.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\ink\ipsita.xml.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\ink\ipsjpn.xml.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\ink\ipskor.xml.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\ink\ipsnld.xml.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\ink\ipsnor.xml.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\ink\ipsplk.xml.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\ink\ipsptb.xml.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\ink\ipsptg.xml.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\ink\ipsrom.xml.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\ink\ipsrus.xml.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\ink\ipssrb.xml.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\ink\ipssrl.xml.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\ink\ipssve.xml.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\ink\ipstr.xml.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\ink\ar-sa\tipresx.dll.mui.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\ink\bg-bg\tipresx.dll.mui.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\ink\cs-cz\tipresx.dll.mui.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\ink\da-dk\tipresx.dll.mui.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\ink\de-de\tipresx.dll.mui.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\ink\el-gr\tipresx.dll.mui.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\ink\en-gb\tipresx.dll.mui.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\ink\en-us\boxed-correct.avi.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\ink\en-us\boxed-delete.avi.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\ink\en-us\boxed-join.avi.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\ink\en-us\boxed-split.avi.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\ink\en-us\correct.avi.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\ink\en-us\delete.avi.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\ink\en-us\flicklearningwizard.exe.mui.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\ink\en-us\inkobj.dll.mui.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\ink\en-us\inputpersonalization.exe.mui.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\ink\en-us\ipseventlogmsg.dll.mui.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\ink\en-us\ipsmigrationplugin.dll.mui.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\ink\en-us\join.avi.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\ink\en-us\micaut.dll.mui.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\ink\en-us\mip.exe.mui.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\ink\en-us\mshwlatin.dll.mui.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\ink\en-us\rtscom.dll.mui.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\ink\en-us\shapecollector.exe.mui.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\ink\en-us\split.avi.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\ink\en-us\tabskb.dll.mui.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\ink\en-us\tabtip.exe.mui.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\ink\en-us\tipres.dll.mui.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\ink\en-us\tipresx.dll.mui.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\ink\en-us\tiptsf.dll.mui.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\ink\es-es\tipresx.dll.mui.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\ink\es-mx\tipresx.dll.mui.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\ink\et-ee\tipresx.dll.mui.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\ink\fi-fi\tipresx.dll.mui.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\ink\fr-ca\tipresx.dll.mui.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\ink\fr-fr\tipresx.dll.mui.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\ink\fsdefinitions\auxpad.xml.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\ink\fsdefinitions\insert.xml.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\ink\fsdefinitions\keypad.xml.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\ink\fsdefinitions\main.xml.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\ink\fsdefinitions\oskclearui.xml.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\ink\fsdefinitions\oskmenu.xml.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\ink\fsdefinitions\osknav.xml.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\ink\fsdefinitions\osknumpad.xml.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\ink\fsdefinitions\oskpred.xml.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\ink\fsdefinitions\symbols.xml.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\ink\fsdefinitions\auxpad\auxbase.xml.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\ink\fsdefinitions\insert\insertbase.xml.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\ink\fsdefinitions\keypad\ea.xml.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\ink\fsdefinitions\keypad\keypadbase.xml.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\ink\fsdefinitions\keypad\kor-kor.xml.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\ink\fsdefinitions\main\base.xml.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\ink\fsdefinitions\main\basealtgr_rtl.xml.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\ink\fsdefinitions\main\base_altgr.xml.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\ink\fsdefinitions\main\base_ca.xml.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\ink\fsdefinitions\main\base_heb.xml.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\ink\fsdefinitions\main\base_jpn.xml.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\ink\fsdefinitions\main\base_kor.xml.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\ink\fsdefinitions\main\base_rtl.xml.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\ink\fsdefinitions\main\ja-jp.xml.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\ink\fsdefinitions\main\ko-kr.xml.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\ink\fsdefinitions\main\zh-changjei.xml.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\ink\fsdefinitions\main\zh-dayi.xml.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\ink\fsdefinitions\main\zh-phonetic.xml.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\ink\fsdefinitions\oskclearui\oskclearuibase.xml.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\ink\fsdefinitions\oskmenu\oskmenubase.xml.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\ink\fsdefinitions\osknav\osknavbase.xml.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\ink\fsdefinitions\osknumpad\osknumpadbase.xml.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\ink\fsdefinitions\oskpred\oskpredbase.xml.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\ink\fsdefinitions\symbols\ea-sym.xml.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\ink\fsdefinitions\symbols\ja-jp-sym.xml.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\ink\fsdefinitions\symbols\symbase.xml.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\ink\he-il\tipresx.dll.mui.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\ink\hr-hr\tipresx.dll.mui.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\ink\hu-hu\tipresx.dll.mui.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\ink\it-it\tipresx.dll.mui.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\ink\ja-jp\tipresx.dll.mui.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\ink\ko-kr\tipresx.dll.mui.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\ink\languagemodel\chstic.dgml.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\ink\lt-lt\tipresx.dll.mui.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\ink\lv-lv\tipresx.dll.mui.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\ink\nb-no\tipresx.dll.mui.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\ink\nl-nl\tipresx.dll.mui.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\ink\pl-pl\tipresx.dll.mui.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\ink\pt-br\tipresx.dll.mui.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\ink\pt-pt\tipresx.dll.mui.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\ink\ro-ro\tipresx.dll.mui.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\ink\ru-ru\tipresx.dll.mui.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\ink\sk-sk\tipresx.dll.mui.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\ink\sl-si\tipresx.dll.mui.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\ink\sr-latn-cs\tipresx.dll.mui.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\ink\sr-latn-rs\tipresx.dll.mui.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\ink\sv-se\tipresx.dll.mui.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\ink\th-th\tipresx.dll.mui.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\ink\tr-tr\tipresx.dll.mui.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\ink\uk-ua\tipresx.dll.mui.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\ink\zh-cn\tipresx.dll.mui.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\ink\zh-hk\tipresx.dll.mui.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\ink\zh-tw\tipresx.dll.mui.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\msinfo\en-us\msinfo32.exe.mui.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\office16\office setup controller\pkeyconfig-office.xrm-ms.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\stationery\bears.htm.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\stationery\bears.jpg.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\stationery\blue_gradient.jpg.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\stationery\cave_drawings.gif.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\stationery\connectivity.gif.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\stationery\dotted_lines.emf.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\stationery\garden.htm.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\stationery\garden.jpg.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\stationery\genko_1.emf.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\stationery\genko_2.emf.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\stationery\graph.emf.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\stationery\green bubbles.htm.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\stationery\greenbubbles.jpg.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\stationery\grid_(cm).wmf.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\stationery\grid_(inch).wmf.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\stationery\hand prints.htm.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\stationery\handprints.jpg.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\stationery\memo.emf.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\stationery\monet.jpg.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\stationery\month_calendar.emf.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\stationery\music.emf.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\stationery\notebook.jpg.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\stationery\orange circles.htm.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\stationery\orangecircles.jpg.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\stationery\peacock.htm.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\stationery\peacock.jpg.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\stationery\pine_lumber.jpg.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\stationery\pretty_peacock.jpg.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\stationery\psychedelic.jpg.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\stationery\roses.htm.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\stationery\roses.jpg.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\stationery\sand_paper.jpg.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\stationery\seyes.emf.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\stationery\shades of blue.htm.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\stationery\shadesofblue.jpg.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\stationery\shorthand.emf.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\stationery\small_news.jpg.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\stationery\soft blue.htm.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\stationery\softblue.jpg.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\stationery\stars.htm.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\stationery\stars.jpg.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\stationery\stucco.gif.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\stationery\tanspecks.jpg.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\stationery\tiki.gif.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\stationery\to_do_list.emf.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\stationery\white_chocolate.jpg.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\stationery\wrinkled_paper.gif.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\vsto\vstoee100.tlb.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\microsoft shared\vsto\vstoee90.tlb.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\services\verisign.bmp.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\system\ado\adojavas.inc.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\system\ado\adovbs.inc.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\system\ado\msado20.tlb.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\system\ado\msado21.tlb.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\system\ado\msado25.tlb.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\system\ado\msado26.tlb.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\system\ado\msado27.tlb.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\system\ado\msado28.tlb.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\system\ado\msado60.tlb.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\system\ado\msadomd28.tlb.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\system\ado\msador28.tlb.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\system\ado\msadox28.tlb.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\system\ado\en-us\msader15.dll.mui.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\system\en-us\wab32res.dll.mui.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\system\msadc\adcjavas.inc.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\system\msadc\adcvbs.inc.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\system\msadc\en-us\msadcer.dll.mui.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\system\msadc\en-us\msadcor.dll.mui.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\system\msadc\en-us\msaddsr.dll.mui.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\system\msadc\en-us\msdaprsr.dll.mui.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\system\msadc\en-us\msdaremr.dll.mui.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\system\ole db\oledbjvs.inc.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\system\ole db\oledbvbs.inc.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\system\ole db\sqloledb.rll.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\system\ole db\sqlxmlx.rll.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\system\ole db\en-us\msdasqlr.dll.mui.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\system\ole db\en-us\oledb32r.dll.mui.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\system\ole db\en-us\sqloledb.rll.mui.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\common files\system\ole db\en-us\sqlxmlx.rll.mui.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\microsoft office\appxmanifest.xml.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\microsoft office\filesystemmetadata.xml.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\microsoft office\office16\ospp.htm.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\microsoft office\office16\ospp.vbs.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\microsoft office\office16\slerror.xml.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\microsoft office\packagemanifests\appxmanifest.90160000-0015-0000-1000-0000000ff1ce.xml.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\microsoft office\root\clipart\pub60cor\hm00172_.wmf.nmcrypt". ... VTI Actions Go to Function Call
Modifies "c:\program files\microsoft office\root\clipart\pub60cor\hm00426_.wmf.nmcrypt". ... VTI Actions Go to Function Call
1/5	File System	Modifies operating system directory	-
Creates file "C:\Windows\System32\spp\store\2.0\data.dat" in the OS directory. ... VTI Actions Go to Function Call

4/5

OS

Modifies Windows automatic backups

-

Deletes Windows volume shadow copies.
...
- VTI Actions
- Go to Process

2/5

File System

Associated with suspicious files

-

File "c:\users\ciihmnxmn6ps\desktop\scvhost.exe" is a known suspicious file.
...
- VTI Actions
- Go to File Details

1/5

Process

Creates process with hidden window

-

The process "C:\Windows\system32\cmd.exe" starts with hidden window.
...
- VTI Actions
- Go to Function Call

1/5

File System

Modifies application directory

-

Modifies "c:\program files\common files\designer\msaddndr.olb.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\clicktorun\c2rheartbeatconfig.xml.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\clicktorun\clientcapabilities.json.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\clicktorun\i640.hash.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\clicktorun\i641033.hash.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\clicktorun\officeupdateschedule.xml.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\clicktorun\servicewatcherschedule.xml.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\ink\alphabet.xml.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\ink\content.xml.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\ink\flickanimation.avi.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\ink\hwrcommonlm.dat.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\ink\hwrenclm.dat.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\ink\hwrlatinlm.dat.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\ink\hwrusalm.dat.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\ink\hwrusash.dat.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\ink\ipsar.xml.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\ink\ipscat.xml.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\ink\ipschs.xml.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\ink\ipscht.xml.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\ink\ipscsy.xml.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\ink\ipsdan.xml.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\ink\ipsdeu.xml.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\ink\ipsel.xml.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\ink\ipsen.xml.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\ink\ipsesp.xml.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\ink\ipsfin.xml.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\ink\ipsfra.xml.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\ink\ipshe.xml.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\ink\ipshi.xml.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\ink\ipshrv.xml.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\ink\ipsid.xml.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\ink\ipsita.xml.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\ink\ipsjpn.xml.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\ink\ipskor.xml.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\ink\ipsnld.xml.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\ink\ipsnor.xml.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\ink\ipsplk.xml.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\ink\ipsptb.xml.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\ink\ipsptg.xml.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\ink\ipsrom.xml.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\ink\ipsrus.xml.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\ink\ipssrb.xml.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\ink\ipssrl.xml.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\ink\ipssve.xml.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\ink\ipstr.xml.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\ink\ar-sa\tipresx.dll.mui.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\ink\bg-bg\tipresx.dll.mui.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\ink\cs-cz\tipresx.dll.mui.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\ink\da-dk\tipresx.dll.mui.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\ink\de-de\tipresx.dll.mui.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\ink\el-gr\tipresx.dll.mui.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\ink\en-gb\tipresx.dll.mui.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\ink\en-us\boxed-correct.avi.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\ink\en-us\boxed-delete.avi.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\ink\en-us\boxed-join.avi.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\ink\en-us\boxed-split.avi.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\ink\en-us\correct.avi.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\ink\en-us\delete.avi.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\ink\en-us\flicklearningwizard.exe.mui.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\ink\en-us\inkobj.dll.mui.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\ink\en-us\inputpersonalization.exe.mui.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\ink\en-us\ipseventlogmsg.dll.mui.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\ink\en-us\ipsmigrationplugin.dll.mui.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\ink\en-us\join.avi.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\ink\en-us\micaut.dll.mui.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\ink\en-us\mip.exe.mui.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\ink\en-us\mshwlatin.dll.mui.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\ink\en-us\rtscom.dll.mui.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\ink\en-us\shapecollector.exe.mui.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\ink\en-us\split.avi.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\ink\en-us\tabskb.dll.mui.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\ink\en-us\tabtip.exe.mui.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\ink\en-us\tipres.dll.mui.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\ink\en-us\tipresx.dll.mui.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\ink\en-us\tiptsf.dll.mui.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\ink\es-es\tipresx.dll.mui.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\ink\es-mx\tipresx.dll.mui.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\ink\et-ee\tipresx.dll.mui.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\ink\fi-fi\tipresx.dll.mui.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\ink\fr-ca\tipresx.dll.mui.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\ink\fr-fr\tipresx.dll.mui.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\ink\fsdefinitions\auxpad.xml.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\ink\fsdefinitions\insert.xml.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\ink\fsdefinitions\keypad.xml.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\ink\fsdefinitions\main.xml.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\ink\fsdefinitions\oskclearui.xml.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\ink\fsdefinitions\oskmenu.xml.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\ink\fsdefinitions\osknav.xml.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\ink\fsdefinitions\osknumpad.xml.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\ink\fsdefinitions\oskpred.xml.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\ink\fsdefinitions\symbols.xml.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\ink\fsdefinitions\auxpad\auxbase.xml.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\ink\fsdefinitions\insert\insertbase.xml.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\ink\fsdefinitions\keypad\ea.xml.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\ink\fsdefinitions\keypad\keypadbase.xml.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\ink\fsdefinitions\keypad\kor-kor.xml.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\ink\fsdefinitions\main\base.xml.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\ink\fsdefinitions\main\basealtgr_rtl.xml.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\ink\fsdefinitions\main\base_altgr.xml.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\ink\fsdefinitions\main\base_ca.xml.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\ink\fsdefinitions\main\base_heb.xml.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\ink\fsdefinitions\main\base_jpn.xml.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\ink\fsdefinitions\main\base_kor.xml.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\ink\fsdefinitions\main\base_rtl.xml.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\ink\fsdefinitions\main\ja-jp.xml.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\ink\fsdefinitions\main\ko-kr.xml.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\ink\fsdefinitions\main\zh-changjei.xml.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\ink\fsdefinitions\main\zh-dayi.xml.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\ink\fsdefinitions\main\zh-phonetic.xml.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\ink\fsdefinitions\oskclearui\oskclearuibase.xml.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\ink\fsdefinitions\oskmenu\oskmenubase.xml.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\ink\fsdefinitions\osknav\osknavbase.xml.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\ink\fsdefinitions\osknumpad\osknumpadbase.xml.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\ink\fsdefinitions\oskpred\oskpredbase.xml.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\ink\fsdefinitions\symbols\ea-sym.xml.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\ink\fsdefinitions\symbols\ja-jp-sym.xml.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\ink\fsdefinitions\symbols\symbase.xml.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\ink\he-il\tipresx.dll.mui.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\ink\hr-hr\tipresx.dll.mui.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\ink\hu-hu\tipresx.dll.mui.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\ink\it-it\tipresx.dll.mui.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\ink\ja-jp\tipresx.dll.mui.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\ink\ko-kr\tipresx.dll.mui.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\ink\languagemodel\chstic.dgml.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\ink\lt-lt\tipresx.dll.mui.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\ink\lv-lv\tipresx.dll.mui.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\ink\nb-no\tipresx.dll.mui.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\ink\nl-nl\tipresx.dll.mui.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\ink\pl-pl\tipresx.dll.mui.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\ink\pt-br\tipresx.dll.mui.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\ink\pt-pt\tipresx.dll.mui.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\ink\ro-ro\tipresx.dll.mui.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\ink\ru-ru\tipresx.dll.mui.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\ink\sk-sk\tipresx.dll.mui.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\ink\sl-si\tipresx.dll.mui.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\ink\sr-latn-cs\tipresx.dll.mui.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\ink\sr-latn-rs\tipresx.dll.mui.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\ink\sv-se\tipresx.dll.mui.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\ink\th-th\tipresx.dll.mui.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\ink\tr-tr\tipresx.dll.mui.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\ink\uk-ua\tipresx.dll.mui.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\ink\zh-cn\tipresx.dll.mui.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\ink\zh-hk\tipresx.dll.mui.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\ink\zh-tw\tipresx.dll.mui.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\msinfo\en-us\msinfo32.exe.mui.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\office16\office setup controller\pkeyconfig-office.xrm-ms.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\stationery\bears.htm.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\stationery\bears.jpg.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\stationery\blue_gradient.jpg.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\stationery\cave_drawings.gif.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\stationery\connectivity.gif.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\stationery\dotted_lines.emf.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\stationery\garden.htm.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\stationery\garden.jpg.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\stationery\genko_1.emf.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\stationery\genko_2.emf.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\stationery\graph.emf.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\stationery\green bubbles.htm.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\stationery\greenbubbles.jpg.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\stationery\grid_(cm).wmf.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\stationery\grid_(inch).wmf.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\stationery\hand prints.htm.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\stationery\handprints.jpg.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\stationery\memo.emf.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\stationery\monet.jpg.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\stationery\month_calendar.emf.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\stationery\music.emf.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\stationery\notebook.jpg.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\stationery\orange circles.htm.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\stationery\orangecircles.jpg.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\stationery\peacock.htm.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\stationery\peacock.jpg.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\stationery\pine_lumber.jpg.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\stationery\pretty_peacock.jpg.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\stationery\psychedelic.jpg.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\stationery\roses.htm.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\stationery\roses.jpg.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\stationery\sand_paper.jpg.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\stationery\seyes.emf.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\stationery\shades of blue.htm.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\stationery\shadesofblue.jpg.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\stationery\shorthand.emf.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\stationery\small_news.jpg.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\stationery\soft blue.htm.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\stationery\softblue.jpg.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\stationery\stars.htm.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\stationery\stars.jpg.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\stationery\stucco.gif.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\stationery\tanspecks.jpg.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\stationery\tiki.gif.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\stationery\to_do_list.emf.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\stationery\white_chocolate.jpg.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\stationery\wrinkled_paper.gif.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\vsto\vstoee100.tlb.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\microsoft shared\vsto\vstoee90.tlb.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\services\verisign.bmp.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\system\ado\adojavas.inc.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\system\ado\adovbs.inc.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\system\ado\msado20.tlb.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\system\ado\msado21.tlb.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\system\ado\msado25.tlb.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\system\ado\msado26.tlb.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\system\ado\msado27.tlb.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\system\ado\msado28.tlb.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\system\ado\msado60.tlb.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\system\ado\msadomd28.tlb.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\system\ado\msador28.tlb.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\system\ado\msadox28.tlb.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\system\ado\en-us\msader15.dll.mui.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\system\en-us\wab32res.dll.mui.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\system\msadc\adcjavas.inc.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\system\msadc\adcvbs.inc.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\system\msadc\en-us\msadcer.dll.mui.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\system\msadc\en-us\msadcor.dll.mui.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\system\msadc\en-us\msaddsr.dll.mui.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\system\msadc\en-us\msdaprsr.dll.mui.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\system\msadc\en-us\msdaremr.dll.mui.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\system\ole db\oledbjvs.inc.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\system\ole db\oledbvbs.inc.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\system\ole db\sqloledb.rll.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\system\ole db\sqlxmlx.rll.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\system\ole db\en-us\msdasqlr.dll.mui.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\system\ole db\en-us\oledb32r.dll.mui.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\system\ole db\en-us\sqloledb.rll.mui.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\common files\system\ole db\en-us\sqlxmlx.rll.mui.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\microsoft office\appxmanifest.xml.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\microsoft office\filesystemmetadata.xml.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\microsoft office\office16\ospp.htm.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\microsoft office\office16\ospp.vbs.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\microsoft office\office16\slerror.xml.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\microsoft office\packagemanifests\appxmanifest.90160000-0015-0000-1000-0000000ff1ce.xml.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\microsoft office\root\clipart\pub60cor\hm00172_.wmf.nmcrypt".
...
- VTI Actions
- Go to Function Call

Modifies "c:\program files\microsoft office\root\clipart\pub60cor\hm00426_.wmf.nmcrypt".
...
- VTI Actions
- Go to Function Call

Before

After