phorphiex | 9a29568fb06b15f7a2f3f89474c27141965b0cf824c4cfbd9e2a97585fd1de1e

Analysis

max time kernel
80s
max time network
121s
platform
windows10_x64
resource
win10v20201028
submitted
03-11-2020 23:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Photo-125-137.jpg.scr

Score

10^/10

phorphiex evasion loader persistence ransomware trojan worm

Malware Config

Extracted

Path

C:\7129197363678\Read_Me.txt

Ransom Note

Attention! All your files, documents, photos, databases and other important files are encrypted The only method of recovering files is to purchase an unique decryptor. Only we can give you this decryptor and only we can recover your files. The server with your decryptor is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- 1. Download Tor browser - https://www.torproject.org/ 2. Install Tor browser 3. Open Tor Browser 4. Open link in TOR browser: http://25xb3kc6azicbbuo.onion/?XPQSTVXY 5. Follow the instructions on this page ---------------------------------------------------------------------------------------- On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. Alternate communication channel here: http://helpqvrg3cc5mvb3.onion/

URLs

http://25xb3kc6azicbbuo.onion/?XPQSTVXY

http://helpqvrg3cc5mvb3.onion/

Signatures

Phorphiex Worm
Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Executes dropped EXE 3 IoCs

pid	Process
3920	16667.exe
2148	winsvcs.exe
3828	1137032943.exe

Windows security modification 2 TTPs 4 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	winsvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	winsvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	winsvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	winsvcs.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Services = "C:\\7129197363678\\winsvcs.exe"	16667.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Services = "C:\\7129197363678\\winsvcs.exe"	16667.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\Desktop.ini	1137032943.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	1137032943.exe
File opened (read-only)	\??\L:	1137032943.exe
File opened (read-only)	\??\Z:	1137032943.exe
File opened (read-only)	\??\Y:	1137032943.exe
File opened (read-only)	\??\U:	1137032943.exe
File opened (read-only)	\??\S:	1137032943.exe
File opened (read-only)	\??\P:	1137032943.exe
File opened (read-only)	\??\V:	1137032943.exe
File opened (read-only)	\??\B:	1137032943.exe
File opened (read-only)	\??\N:	1137032943.exe
File opened (read-only)	\??\M:	1137032943.exe
File opened (read-only)	\??\W:	1137032943.exe
File opened (read-only)	\??\E:	1137032943.exe
File opened (read-only)	\??\O:	1137032943.exe
File opened (read-only)	\??\A:	1137032943.exe
File opened (read-only)	\??\G:	1137032943.exe
File opened (read-only)	\??\K:	1137032943.exe
File opened (read-only)	\??\X:	1137032943.exe
File opened (read-only)	\??\Q:	1137032943.exe
File opened (read-only)	\??\R:	1137032943.exe
File opened (read-only)	\??\T:	1137032943.exe
File opened (read-only)	\??\I:	1137032943.exe
File opened (read-only)	\??\H:	1137032943.exe
File opened (read-only)	\??\J:	1137032943.exe

Drops file in Program Files directory 554 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\microsoft shared\OFFICE16\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad.xml	1137032943.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\en-US\msadcor.dll.mui	1137032943.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lv.txt	1137032943.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\zh-CN\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-runtime-l1-1-0.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\en-US\msaddsr.dll.mui	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ug.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.hu-hu.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TipRes.dll	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fy.txt	1137032943.exe
File created	C:\Program Files\Google\Chrome\Application\86.0.4240.111\WidevineCdm\_platform_specific\win_x64\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav.xml	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\hr-HR\tipresx.dll.mui	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\IpsPlugin.dll	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lij.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ja-jp.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipshrv.xml	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\Microsoft.Ink.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mraut.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.es-es.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\sk-SK\tipresx.dll.mui	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\es-MX\tipresx.dll.mui	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_altgr.xml	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\hwrcommonlm.dat	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	1137032943.exe
File created	C:\Program Files\Common Files\System\en-US\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipschs.xml	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\tabskb.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\Garden.jpg	1137032943.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.en-us.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\keypadbase.xml	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-file-l1-2-0.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\symbase.xml	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\micaut.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fi-FI\tipresx.dll.mui	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\osknavbase.xml	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ast.txt	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bg.txt	1137032943.exe
File created	C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvSubsystemController.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems64.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sv-se.dll	1137032943.exe
File created	C:\Program Files\Internet Explorer\images\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\zh-CN\tipresx.dll.mui	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\is.txt	1137032943.exe
File created	C:\Program Files\Common Files\microsoft shared\Triedit\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\AssertMove.aifc	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sr-latn-rs.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipshe.xml	1137032943.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msado27.tlb	1137032943.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\lt-LT\Read_Me.txt	1137032943.exe
File created	C:\Program Files\Common Files\System\Ole DB\en-US\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsjpn.xml	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\pt-PT\tipresx.dll.mui	1137032943.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-timezone-l1-1-0.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\tipresx.dll.mui	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols.xml	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\id.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.fi-fi.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\vstoee100.tlb	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.nb-no.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\InkObj.dll.mui	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\Hand Prints.htm	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gu.txt	1137032943.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.vi-vn.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\ClientCapabilities.json	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\IPSEventLogMsg.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-localization-l1-2-0.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsptb.xml	1137032943.exe
File created	C:\Program Files\7-Zip\Lang\Read_Me.txt	1137032943.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\en.ttt	1137032943.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\pt-BR\Read_Me.txt	1137032943.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\pt-PT\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\yo.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\he-IL\tipresx.dll.mui	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipssrb.xml	1137032943.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\af.txt	1137032943.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ko-KR\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\cpprestsdk.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsesp.xml	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\sv-SE\tipresx.dll.mui	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-file-l2-1-0.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\boxed-join.avi	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipscht.xml	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsen.xml	1137032943.exe
File created	C:\Program Files\Common Files\microsoft shared\Triedit\en-US\Read_Me.txt	1137032943.exe
File created	C:\Program Files\Google\Chrome\Application\86.0.4240.111\Extensions\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\FlickLearningWizard.exe	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\ea.xml	1137032943.exe
File created	C:\Program Files\Google\Chrome\Application\SetupMetrics\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\nl-NL\tipresx.dll.mui	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	1137032943.exe
File created	C:\Program Files\Common Files\microsoft shared\Source Engine\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\Alphabet.xml	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\da-DK\tipresx.dll.mui	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\GreenBubbles.jpg	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tr.txt	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\zh-cn.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-string-l1-1-0.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.hr-hr.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\mshwLatin.dll.mui	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\pt-BR\tipresx.dll.mui	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.bg-bg.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msado25.tlb	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main.xml	1137032943.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\Read_Me.txt	1137032943.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\hr-HR\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pt-br.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ar-sa.dll	1137032943.exe
File created	C:\Program Files\Google\Chrome\Application\86.0.4240.111\VisualElements\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\ja-jp.xml	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.lv-lv.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.uk-ua.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\delete.avi	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\lv-LV\tipresx.dll.mui	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	1137032943.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVClientIsv.man	1137032943.exe
File created	C:\Program Files\Google\Chrome\Application\86.0.4240.111\WidevineCdm\_platform_specific\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\oskmenubase.xml	1137032943.exe
File created	C:\Program Files\Java\jdk1.8.0_66\include\win32\bridge\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ext.txt	1137032943.exe
File created	C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsnor.xml	1137032943.exe
File opened for modification	C:\Program Files\Common Files\System\ado\adojavas.inc	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\7-zip32.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.lt-lt.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\ServiceWatcherSchedule.xml	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\TabTip.exe.mui	1137032943.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\adcjavas.inc	1137032943.exe
File created	C:\Program Files\7-Zip\Read_Me.txt	1137032943.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsar.xml	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\chstic.dgml	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\zh-TW\tipresx.dll.mui	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\Soft Blue.htm	1137032943.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\7zCon.sfx	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ky.txt	1137032943.exe
File created	C:\Program Files\Common Files\System\Ole DB\Read_Me.txt	1137032943.exe
File created	C:\Program Files\Google\Chrome\Application\86.0.4240.111\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\uk-UA\tipresx.dll.mui	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uz.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sk-sk.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\bg-BG\tipresx.dll.mui	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\nb-NO\tipresx.dll.mui	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\tiptsf.dll	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng2.txt	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nl.txt	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ru.txt	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\be.txt	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lt.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msador15.dll	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\de.txt	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nb.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\tipresx.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VC\msdia100.dll	1137032943.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\Read_Me.txt	1137032943.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\sv-SE\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ru-RU\tipresx.dll.mui	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pa-in.txt	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\readme.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.he-il.dll	1137032943.exe
File created	C:\Program Files\Common Files\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\de-DE\tipresx.dll.mui	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\osknumpadbase.xml	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cy.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.th-th.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\i640.hash	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsid.xml	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\Stars.jpg	1137032943.exe
File opened for modification	C:\Program Files\Common Files\System\DirectDB.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msado26.tlb	1137032943.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msado60.tlb	1137032943.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\Read_Me.txt	1137032943.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsdan.xml	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ro-RO\tipresx.dll.mui	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\pkeyconfig.companion.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msado15.dll	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\br.txt	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ka.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcp140.dll	1137032943.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\join.avi	1137032943.exe
File created	C:\Program Files\Java\jdk1.8.0_66\db\lib\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msador28.tlb	1137032943.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\th.txt	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uk.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\offreg.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\Services\verisign.bmp	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVPolicy.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\correct.avi	1137032943.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\sl-SI\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\boxed-split.avi	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\IpsMigrationPlugin.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\HandPrints.jpg	1137032943.exe
File opened for modification	C:\Program Files\Common Files\System\en-US\wab32res.dll.mui	1137032943.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msadomd.dll	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ps.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-convert-l1-1-0.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base.xml	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsptg.xml	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipstr.xml	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\Stars.htm	1137032943.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eu.txt	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\tipresx.dll.mui	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad.xml	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\tr-TR\tipresx.dll.mui	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\an.txt	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	1137032943.exe
File created	C:\Program Files\Google\Chrome\Read_Me.txt	1137032943.exe
File created	C:\Program Files\Internet Explorer\SIGNUP\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.chm	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hi.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.fr-fr.dll	1137032943.exe
File created	C:\Program Files\Internet Explorer\en-US\Read_Me.txt	1137032943.exe
File created	C:\Program Files\Internet Explorer\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\Bears.htm	1137032943.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\Garden.htm	1137032943.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msado28.tlb	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ja.txt	1137032943.exe
File created	C:\Program Files\Common Files\microsoft shared\VGX\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\TipTsf.dll.mui	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\hwrusalm.dat	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsnld.xml	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ko-KR\tipresx.dll.mui	1137032943.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msadrh15.dll	1137032943.exe
File created	C:\Program Files\Common Files\microsoft shared\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvVirtualization.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipscat.xml	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipshi.xml	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\Peacock.htm	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kk.txt	1137032943.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\zh-TW\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RHeartbeatConfig.xml	1137032943.exe
File created	C:\Program Files\Common Files\System\msadc\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\boxed-correct.avi	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\Orange Circles.htm	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spc.txt	1137032943.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-GB\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mk.txt	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mn.txt	1137032943.exe
File created	C:\Program Files\Common Files\microsoft shared\TextConv\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ro-ro.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcp120.dll	1137032943.exe
File created	C:\Program Files\Google\Chrome\Application\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\tipresx.dll.mui	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\VSTOInstallerUI.dll	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ca.txt	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hu.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-math-l1-1-0.dll	1137032943.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\th-TH\Read_Me.txt	1137032943.exe
File created	C:\Program Files\Common Files\microsoft shared\TextConv\en-US\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-process-l1-1-0.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems32.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ar-SA\tipresx.dll.mui	1137032943.exe
File created	C:\Program Files\Java\jdk1.8.0_66\include\win32\Read_Me.txt	1137032943.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ba.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.nl-nl.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RUI.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-dayi.xml	1137032943.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\adcvbs.inc	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bn.txt	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sv.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ko-kr.dll	1137032943.exe
File created	C:\Program Files\Google\Read_Me.txt	1137032943.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\da-DK\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ms.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVClient.man	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOMessageProvider.dll	1137032943.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\el-GR\Read_Me.txt	1137032943.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\lt-LT\tipresx.dll.mui	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\Peacock.jpg	1137032943.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\uk-UA\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\ucrtbase.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipscsy.xml	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\oskclearuibase.xml	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\ea-sym.xml	1137032943.exe
File created	C:\Program Files\Common Files\DESIGNER\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cs.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvStreamingManager.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\micaut.dll.mui	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\split.avi	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\et-EE\tipresx.dll.mui	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipskor.xml	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\VSTOLoaderUI.dll	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\da.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\th-TH\tipresx.dll.mui	1137032943.exe
File created	C:\Program Files\Common Files\System\ado\en-US\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.it-it.dll	1137032943.exe
File created	C:\Program Files\Google\Chrome\Application\86.0.4240.111\Locales\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\tipresx.dll.mui	1137032943.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msadox.dll	1137032943.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\it-IT\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.cs-cz.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\ShapeCollector.exe.mui	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-environment-l1-1-0.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\vccorlib140.dll	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\io.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\concrt140.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-phonetic.xml	1137032943.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\en-US\msadcer.dll.mui	1137032943.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\en-US\msdaprsr.dll.mui	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pl.txt	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\zh-tw.txt	1137032943.exe
File created	C:\Program Files\Common Files\System\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\FrequentOfficeUpdateSchedule.xml	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu.xml	1137032943.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msado20.tlb	1137032943.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\he-IL\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\ApiClient.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.zh-cn.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_heb.xml	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\hu-HU\tipresx.dll.mui	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fur.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVManifest.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.da-dk.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.zh-tw.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\SharedPerformance.man	1137032943.exe
File opened for modification	C:\Program Files\Common Files\System\ado\adovbs.inc	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-heap-l1-1-0.dll	1137032943.exe
File created	C:\Program Files\Common Files\System\msadc\en-US\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\Roses.jpg	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\RepoMan.dll	1137032943.exe
File created	C:\Program Files\Google\Chrome\Application\86.0.4240.111\MEIPreload\Read_Me.txt	1137032943.exe
File created	C:\Program Files\Google\Chrome\Application\86.0.4240.111\swiftshader\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsel.xml	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fa.txt	1137032943.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ro-RO\Read_Me.txt	1137032943.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\tr-TR\Read_Me.txt	1137032943.exe
File created	C:\Program Files\Common Files\microsoft shared\VC\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.id-id.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsplk.xml	1137032943.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-xstate-l2-1-0.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVOrchestration.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ms-my.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred.xml	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InkObj.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-processthreads-l1-1-1.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\ClientEventLogMessages.man	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\rtscom.dll.mui	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\az.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_jpn.xml	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\tipskins.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\pkeyconfig-office.xrm-ms	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\7z.sfx	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VC\msdia90.dll	1137032943.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\msix.dll	1137032943.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\Read_Me.txt	1137032943.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\pl-PL\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\baseAltGr_rtl.xml	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\ko-kr.xml	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-private-l1-1-0.dll	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hy.txt	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\it.txt	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tt.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\el-GR\tipresx.dll.mui	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_ca.xml	1137032943.exe
File created	C:\Program Files\Google\Chrome\Application\86.0.4240.111\WidevineCdm\Read_Me.txt	1137032943.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ru-RU\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sa.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-filesystem-l1-1-0.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-locale-l1-1-0.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-GB\tipresx.dll.mui	1137032943.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\en-US\msdaremr.dll.mui	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\License.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2R32.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.hi-in.dll	1137032943.exe
File created	C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\hwrusash.dat	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hr.txt	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ro.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-utility-l1-1-0.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIntegration.dll	1137032943.exe
File created	C:\Program Files\Google\Chrome\Application\86.0.4240.111\default_apps\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\i640.cab.cat	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\rtscom.dll	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku-ckb.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-synch-l1-2-0.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\pl-PL\tipresx.dll.mui	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.kk-kz.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\tpcps.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msadomd28.tlb	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eo.txt	1137032943.exe
File opened for modification	C:\Program Files\ClearProtect.asp	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\Content.xml	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\mip.exe.mui	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\ja-jp-sym.xml	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabIpsps.dll	1137032943.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\bin\dtplugin\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fr.txt	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sk.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\SubsystemController.man	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert.xml	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\hwrenclm.dat	1137032943.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\hu-HU\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\vcruntime140.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\kor-kor.xml	1137032943.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\lv-LV\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\IpsMigrationPlugin.dll.mui	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\auxbase.xml	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\Bears.jpg	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOLoader.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msadox28.tlb	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.tr-tr.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\SoftBlue.jpg	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ne.txt	1137032943.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\InputPersonalization.exe.mui	1137032943.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\Read_Me.txt	1137032943.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ar-SA\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msader15.dll	1137032943.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\7z.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvApi.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RCom.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui.xml	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsrom.xml	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.pt-pt.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fr-CA\tipresx.dll.mui	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-changjei.xml	1137032943.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ta.txt	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\vi.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\Desktop.ini	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VGX\VGX.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVScripting.dll	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gl.txt	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kaa.txt	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng.txt	1137032943.exe
File created	C:\Program Files\Common Files\microsoft shared\Stationery\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.pl-pl.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsfra.xml	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\tabskb.dll.mui	1137032943.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fi-FI\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sq.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\DESIGNER\MSADDNDR.OLB	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-time-l1-1-0.dll	1137032943.exe
File created	C:\Program Files\Common Files\System\ado\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcr120.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.el-gr.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\OrangeCircles.jpg	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\ShadesOfBlue.jpg	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\insertbase.xml	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsrus.xml	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\es.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\sl-SI\tipresx.dll.mui	1137032943.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\et-EE\Read_Me.txt	1137032943.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ar.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipssrl.xml	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	1137032943.exe
File created	C:\Program Files\Java\jdk1.8.0_66\include\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mr.txt	1137032943.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\he.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\IPSEventLogMsg.dll.mui	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\Green Bubbles.htm	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\vstoee90.tlb	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\History.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.pt-br.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\msadce.dll	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fi.txt	1137032943.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\nl-NL\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\si.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\Shades of Blue.htm	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\TipRes.dll.mui	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\tipresx.dll.mui	1137032943.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\bg-BG\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mshwLatin.dll	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pt.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-conio-l1-1-0.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ru-ru.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\hwrlatinlm.dat	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\msinfo32.exe.mui	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\descript.ion	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\el.txt	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ga.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-stdio-l1-1-0.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\FlickLearningWizard.exe.mui	1137032943.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-MX\Read_Me.txt	1137032943.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\sk-SK\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_kor.xml	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\pidgenx.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\Roses.htm	1137032943.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msado21.tlb	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\vstoee.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\System\ado\en-US\msader15.dll.mui	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\boxed-delete.avi	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\FlickAnimation.avi	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsita.xml	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	1137032943.exe
File created	C:\Program Files\Java\jdk1.8.0_66\db\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipssve.xml	1137032943.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-CA\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kab.txt	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ko.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.de-de.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sl-si.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsdeu.xml	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\et.txt	1137032943.exe
File opened for modification	C:\Program Files\AddRemove.dxf	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVFileSystemMetadata.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mshwgst.dll	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\va.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsfin.xml	1137032943.exe
File created	C:\Program Files\Java\jdk1.8.0_66\db\bin\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sl.txt	1137032943.exe
File created	C:\Program Files\Common Files\Services\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-multibyte-l1-1-0.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.et-ee.dll	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\co.txt	1137032943.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\nb-NO\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nn.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVCatalog.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\es-ES\tipresx.dll.mui	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad.xml	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InkDiv.dll	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spl.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2R64.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\StreamServer.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_rtl.xml	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\oskpredbase.xml	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\it-IT\tipresx.dll.mui	1137032943.exe

Suspicious behavior: EnumeratesProcesses 710 IoCs

pid	Process
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3968 wrote to memory of 3584	3968	Photo-125-137.jpg.scr	78
PID 3968 wrote to memory of 3584	3968	Photo-125-137.jpg.scr	78
PID 3968 wrote to memory of 3584	3968	Photo-125-137.jpg.scr	78
PID 3968 wrote to memory of 3920	3968	Photo-125-137.jpg.scr	81
PID 3968 wrote to memory of 3920	3968	Photo-125-137.jpg.scr	81
PID 3968 wrote to memory of 3920	3968	Photo-125-137.jpg.scr	81
PID 3920 wrote to memory of 2148	3920	16667.exe	82
PID 3920 wrote to memory of 2148	3920	16667.exe	82
PID 3920 wrote to memory of 2148	3920	16667.exe	82
PID 2148 wrote to memory of 3828	2148	winsvcs.exe	83
PID 2148 wrote to memory of 3828	2148	winsvcs.exe	83
PID 2148 wrote to memory of 3828	2148	winsvcs.exe	83

C:\Users\Admin\AppData\Local\Temp\Photo-125-137.jpg.scr
"C:\Users\Admin\AppData\Local\Temp\Photo-125-137.jpg.scr" /S
1⤵
- Suspicious use of WriteProcessMemory
PID:3968
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c start C:\Users\Admin\AppData\Local\Temp\39383.jpg
  2⤵
  PID:3584
- C:\Users\Admin\AppData\Local\Temp\16667.exe
  C:\Users\Admin\AppData\Local\Temp\16667.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3920
- - C:\7129197363678\winsvcs.exe
    C:\7129197363678\winsvcs.exe
    3⤵
    - Executes dropped EXE
    - Windows security modification
    - Suspicious use of WriteProcessMemory
    PID:2148
  - - C:\Users\Admin\AppData\Local\Temp\1137032943.exe
      C:\Users\Admin\AppData\Local\Temp\1137032943.exe
      4⤵
      Executes dropped EXE
      Drops desktop.ini file(s)
      Enumerates connected drives
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      PID:3828

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3828-13-0x0000000005390000-0x0000000005461000-memory.dmp

Filesize
836KB

Download