phorphiex | 9a29568fb06b15f7a2f3f89474c27141965b0cf824c4cfbd9e2a97585fd1de1e

Analysis

max time kernel
80s
max time network
121s
platform
windows10_x64
resource
win10v20201028
submitted
03-11-2020 23:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Photo-125-137.jpg.scr

Score

10^/10

phorphiex evasion loader persistence ransomware trojan worm

Malware Config

Extracted

Path

C:\7129197363678\Read_Me.txt

Ransom Note

Attention! All your files, documents, photos, databases and other important files are encrypted The only method of recovering files is to purchase an unique decryptor. Only we can give you this decryptor and only we can recover your files. The server with your decryptor is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- 1. Download Tor browser - https://www.torproject.org/ 2. Install Tor browser 3. Open Tor Browser 4. Open link in TOR browser: http://25xb3kc6azicbbuo.onion/?XPQSTVXY 5. Follow the instructions on this page ---------------------------------------------------------------------------------------- On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. Alternate communication channel here: http://helpqvrg3cc5mvb3.onion/

URLs

http://25xb3kc6azicbbuo.onion/?XPQSTVXY

http://helpqvrg3cc5mvb3.onion/

Signatures

Phorphiex Worm
Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Executes dropped EXE 3 IoCs

Processes:

16667.exewinsvcs.exe1137032943.exe

pid	Process
3920	16667.exe
2148	winsvcs.exe
3828	1137032943.exe

Windows security modification 2 TTPs 4 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

winsvcs.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	winsvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	winsvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	winsvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	winsvcs.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

16667.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Services = "C:\\7129197363678\\winsvcs.exe"	16667.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Services = "C:\\7129197363678\\winsvcs.exe"	16667.exe

Drops desktop.ini file(s) 1 IoCs

Processes:

1137032943.exe

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\Desktop.ini	1137032943.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

1137032943.exe

description	ioc	Process
File opened (read-only)	\??\F:	1137032943.exe
File opened (read-only)	\??\L:	1137032943.exe
File opened (read-only)	\??\Z:	1137032943.exe
File opened (read-only)	\??\Y:	1137032943.exe
File opened (read-only)	\??\U:	1137032943.exe
File opened (read-only)	\??\S:	1137032943.exe
File opened (read-only)	\??\P:	1137032943.exe
File opened (read-only)	\??\V:	1137032943.exe
File opened (read-only)	\??\B:	1137032943.exe
File opened (read-only)	\??\N:	1137032943.exe
File opened (read-only)	\??\M:	1137032943.exe
File opened (read-only)	\??\W:	1137032943.exe
File opened (read-only)	\??\E:	1137032943.exe
File opened (read-only)	\??\O:	1137032943.exe
File opened (read-only)	\??\A:	1137032943.exe
File opened (read-only)	\??\G:	1137032943.exe
File opened (read-only)	\??\K:	1137032943.exe
File opened (read-only)	\??\X:	1137032943.exe
File opened (read-only)	\??\Q:	1137032943.exe
File opened (read-only)	\??\R:	1137032943.exe
File opened (read-only)	\??\T:	1137032943.exe
File opened (read-only)	\??\I:	1137032943.exe
File opened (read-only)	\??\H:	1137032943.exe
File opened (read-only)	\??\J:	1137032943.exe

Drops file in Program Files directory 554 IoCs

Processes:

1137032943.exe

description	ioc	Process
File created	C:\Program Files\Common Files\microsoft shared\OFFICE16\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad.xml	1137032943.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\en-US\msadcor.dll.mui	1137032943.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lv.txt	1137032943.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\zh-CN\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-runtime-l1-1-0.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\en-US\msaddsr.dll.mui	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ug.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.hu-hu.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TipRes.dll	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fy.txt	1137032943.exe
File created	C:\Program Files\Google\Chrome\Application\86.0.4240.111\WidevineCdm\_platform_specific\win_x64\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav.xml	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\hr-HR\tipresx.dll.mui	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\IpsPlugin.dll	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lij.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ja-jp.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipshrv.xml	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\Microsoft.Ink.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mraut.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.es-es.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\sk-SK\tipresx.dll.mui	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\es-MX\tipresx.dll.mui	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_altgr.xml	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\hwrcommonlm.dat	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	1137032943.exe
File created	C:\Program Files\Common Files\System\en-US\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipschs.xml	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\tabskb.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\Garden.jpg	1137032943.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.en-us.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\keypadbase.xml	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-file-l1-2-0.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\symbase.xml	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\micaut.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fi-FI\tipresx.dll.mui	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\osknavbase.xml	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ast.txt	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bg.txt	1137032943.exe
File created	C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvSubsystemController.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems64.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sv-se.dll	1137032943.exe
File created	C:\Program Files\Internet Explorer\images\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\zh-CN\tipresx.dll.mui	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\is.txt	1137032943.exe
File created	C:\Program Files\Common Files\microsoft shared\Triedit\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\AssertMove.aifc	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sr-latn-rs.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipshe.xml	1137032943.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msado27.tlb	1137032943.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\lt-LT\Read_Me.txt	1137032943.exe
File created	C:\Program Files\Common Files\System\Ole DB\en-US\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsjpn.xml	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\pt-PT\tipresx.dll.mui	1137032943.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-timezone-l1-1-0.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\tipresx.dll.mui	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols.xml	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\id.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.fi-fi.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\vstoee100.tlb	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.nb-no.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\InkObj.dll.mui	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\Hand Prints.htm	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gu.txt	1137032943.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.vi-vn.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\ClientCapabilities.json	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\IPSEventLogMsg.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-localization-l1-2-0.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsptb.xml	1137032943.exe
File created	C:\Program Files\7-Zip\Lang\Read_Me.txt	1137032943.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\en.ttt	1137032943.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\pt-BR\Read_Me.txt	1137032943.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\pt-PT\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\yo.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\he-IL\tipresx.dll.mui	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipssrb.xml	1137032943.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\af.txt	1137032943.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ko-KR\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\cpprestsdk.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsesp.xml	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\sv-SE\tipresx.dll.mui	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-file-l2-1-0.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\boxed-join.avi	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipscht.xml	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsen.xml	1137032943.exe
File created	C:\Program Files\Common Files\microsoft shared\Triedit\en-US\Read_Me.txt	1137032943.exe
File created	C:\Program Files\Google\Chrome\Application\86.0.4240.111\Extensions\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\FlickLearningWizard.exe	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\ea.xml	1137032943.exe
File created	C:\Program Files\Google\Chrome\Application\SetupMetrics\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\nl-NL\tipresx.dll.mui	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	1137032943.exe
File created	C:\Program Files\Common Files\microsoft shared\Source Engine\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\Alphabet.xml	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\da-DK\tipresx.dll.mui	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\GreenBubbles.jpg	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tr.txt	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\zh-cn.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-string-l1-1-0.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.hr-hr.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\mshwLatin.dll.mui	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\pt-BR\tipresx.dll.mui	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.bg-bg.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msado25.tlb	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main.xml	1137032943.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\Read_Me.txt	1137032943.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\hr-HR\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pt-br.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ar-sa.dll	1137032943.exe
File created	C:\Program Files\Google\Chrome\Application\86.0.4240.111\VisualElements\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\ja-jp.xml	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.lv-lv.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.uk-ua.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\delete.avi	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\lv-LV\tipresx.dll.mui	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	1137032943.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVClientIsv.man	1137032943.exe
File created	C:\Program Files\Google\Chrome\Application\86.0.4240.111\WidevineCdm\_platform_specific\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\oskmenubase.xml	1137032943.exe
File created	C:\Program Files\Java\jdk1.8.0_66\include\win32\bridge\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ext.txt	1137032943.exe
File created	C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsnor.xml	1137032943.exe
File opened for modification	C:\Program Files\Common Files\System\ado\adojavas.inc	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\7-zip32.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.lt-lt.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\ServiceWatcherSchedule.xml	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\TabTip.exe.mui	1137032943.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\adcjavas.inc	1137032943.exe
File created	C:\Program Files\7-Zip\Read_Me.txt	1137032943.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsar.xml	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\chstic.dgml	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\zh-TW\tipresx.dll.mui	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\Soft Blue.htm	1137032943.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\7zCon.sfx	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ky.txt	1137032943.exe
File created	C:\Program Files\Common Files\System\Ole DB\Read_Me.txt	1137032943.exe
File created	C:\Program Files\Google\Chrome\Application\86.0.4240.111\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\uk-UA\tipresx.dll.mui	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uz.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sk-sk.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\bg-BG\tipresx.dll.mui	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\nb-NO\tipresx.dll.mui	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\tiptsf.dll	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng2.txt	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nl.txt	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ru.txt	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\be.txt	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lt.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msador15.dll	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\de.txt	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nb.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\tipresx.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VC\msdia100.dll	1137032943.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\Read_Me.txt	1137032943.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\sv-SE\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ru-RU\tipresx.dll.mui	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pa-in.txt	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\readme.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.he-il.dll	1137032943.exe
File created	C:\Program Files\Common Files\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\de-DE\tipresx.dll.mui	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\osknumpadbase.xml	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cy.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.th-th.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\i640.hash	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsid.xml	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\Stars.jpg	1137032943.exe
File opened for modification	C:\Program Files\Common Files\System\DirectDB.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msado26.tlb	1137032943.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msado60.tlb	1137032943.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\Read_Me.txt	1137032943.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsdan.xml	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ro-RO\tipresx.dll.mui	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\pkeyconfig.companion.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msado15.dll	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\br.txt	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ka.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcp140.dll	1137032943.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\join.avi	1137032943.exe
File created	C:\Program Files\Java\jdk1.8.0_66\db\lib\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msador28.tlb	1137032943.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\th.txt	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uk.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\offreg.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\Services\verisign.bmp	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVPolicy.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\correct.avi	1137032943.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\sl-SI\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\boxed-split.avi	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\IpsMigrationPlugin.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\HandPrints.jpg	1137032943.exe
File opened for modification	C:\Program Files\Common Files\System\en-US\wab32res.dll.mui	1137032943.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msadomd.dll	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ps.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-convert-l1-1-0.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base.xml	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsptg.xml	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipstr.xml	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\Stars.htm	1137032943.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eu.txt	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\tipresx.dll.mui	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad.xml	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\tr-TR\tipresx.dll.mui	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\an.txt	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	1137032943.exe
File created	C:\Program Files\Google\Chrome\Read_Me.txt	1137032943.exe
File created	C:\Program Files\Internet Explorer\SIGNUP\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.chm	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hi.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.fr-fr.dll	1137032943.exe
File created	C:\Program Files\Internet Explorer\en-US\Read_Me.txt	1137032943.exe
File created	C:\Program Files\Internet Explorer\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\Bears.htm	1137032943.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\Garden.htm	1137032943.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msado28.tlb	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ja.txt	1137032943.exe
File created	C:\Program Files\Common Files\microsoft shared\VGX\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\TipTsf.dll.mui	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\hwrusalm.dat	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsnld.xml	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ko-KR\tipresx.dll.mui	1137032943.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msadrh15.dll	1137032943.exe
File created	C:\Program Files\Common Files\microsoft shared\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvVirtualization.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipscat.xml	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipshi.xml	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\Peacock.htm	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kk.txt	1137032943.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\zh-TW\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RHeartbeatConfig.xml	1137032943.exe
File created	C:\Program Files\Common Files\System\msadc\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\boxed-correct.avi	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\Orange Circles.htm	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spc.txt	1137032943.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-GB\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mk.txt	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mn.txt	1137032943.exe
File created	C:\Program Files\Common Files\microsoft shared\TextConv\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ro-ro.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcp120.dll	1137032943.exe
File created	C:\Program Files\Google\Chrome\Application\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\tipresx.dll.mui	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\VSTOInstallerUI.dll	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ca.txt	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hu.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-math-l1-1-0.dll	1137032943.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\th-TH\Read_Me.txt	1137032943.exe
File created	C:\Program Files\Common Files\microsoft shared\TextConv\en-US\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-process-l1-1-0.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems32.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ar-SA\tipresx.dll.mui	1137032943.exe
File created	C:\Program Files\Java\jdk1.8.0_66\include\win32\Read_Me.txt	1137032943.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ba.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.nl-nl.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RUI.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-dayi.xml	1137032943.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\adcvbs.inc	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bn.txt	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sv.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ko-kr.dll	1137032943.exe
File created	C:\Program Files\Google\Read_Me.txt	1137032943.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\da-DK\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ms.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVClient.man	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOMessageProvider.dll	1137032943.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\el-GR\Read_Me.txt	1137032943.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\lt-LT\tipresx.dll.mui	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\Peacock.jpg	1137032943.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\uk-UA\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\ucrtbase.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipscsy.xml	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\oskclearuibase.xml	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\ea-sym.xml	1137032943.exe
File created	C:\Program Files\Common Files\DESIGNER\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cs.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvStreamingManager.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\micaut.dll.mui	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\split.avi	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\et-EE\tipresx.dll.mui	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipskor.xml	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\VSTOLoaderUI.dll	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\da.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\th-TH\tipresx.dll.mui	1137032943.exe
File created	C:\Program Files\Common Files\System\ado\en-US\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.it-it.dll	1137032943.exe
File created	C:\Program Files\Google\Chrome\Application\86.0.4240.111\Locales\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\tipresx.dll.mui	1137032943.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msadox.dll	1137032943.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\it-IT\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.cs-cz.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\ShapeCollector.exe.mui	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-environment-l1-1-0.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\vccorlib140.dll	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\io.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\concrt140.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-phonetic.xml	1137032943.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\en-US\msadcer.dll.mui	1137032943.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\en-US\msdaprsr.dll.mui	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pl.txt	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\zh-tw.txt	1137032943.exe
File created	C:\Program Files\Common Files\System\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\FrequentOfficeUpdateSchedule.xml	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu.xml	1137032943.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msado20.tlb	1137032943.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\he-IL\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\ApiClient.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.zh-cn.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_heb.xml	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\hu-HU\tipresx.dll.mui	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fur.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVManifest.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.da-dk.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.zh-tw.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\SharedPerformance.man	1137032943.exe
File opened for modification	C:\Program Files\Common Files\System\ado\adovbs.inc	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-heap-l1-1-0.dll	1137032943.exe
File created	C:\Program Files\Common Files\System\msadc\en-US\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\Roses.jpg	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\RepoMan.dll	1137032943.exe
File created	C:\Program Files\Google\Chrome\Application\86.0.4240.111\MEIPreload\Read_Me.txt	1137032943.exe
File created	C:\Program Files\Google\Chrome\Application\86.0.4240.111\swiftshader\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsel.xml	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fa.txt	1137032943.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ro-RO\Read_Me.txt	1137032943.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\tr-TR\Read_Me.txt	1137032943.exe
File created	C:\Program Files\Common Files\microsoft shared\VC\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.id-id.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsplk.xml	1137032943.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-xstate-l2-1-0.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVOrchestration.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ms-my.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred.xml	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InkObj.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-processthreads-l1-1-1.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\ClientEventLogMessages.man	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\rtscom.dll.mui	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\az.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_jpn.xml	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\tipskins.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\pkeyconfig-office.xrm-ms	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\7z.sfx	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VC\msdia90.dll	1137032943.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\msix.dll	1137032943.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\Read_Me.txt	1137032943.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\pl-PL\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\baseAltGr_rtl.xml	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\ko-kr.xml	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-private-l1-1-0.dll	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hy.txt	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\it.txt	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tt.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\el-GR\tipresx.dll.mui	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_ca.xml	1137032943.exe
File created	C:\Program Files\Google\Chrome\Application\86.0.4240.111\WidevineCdm\Read_Me.txt	1137032943.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ru-RU\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sa.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-filesystem-l1-1-0.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-locale-l1-1-0.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-GB\tipresx.dll.mui	1137032943.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\en-US\msdaremr.dll.mui	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\License.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2R32.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.hi-in.dll	1137032943.exe
File created	C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\hwrusash.dat	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hr.txt	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ro.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-utility-l1-1-0.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIntegration.dll	1137032943.exe
File created	C:\Program Files\Google\Chrome\Application\86.0.4240.111\default_apps\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\i640.cab.cat	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\rtscom.dll	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku-ckb.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-synch-l1-2-0.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\pl-PL\tipresx.dll.mui	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.kk-kz.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\tpcps.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msadomd28.tlb	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eo.txt	1137032943.exe
File opened for modification	C:\Program Files\ClearProtect.asp	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\Content.xml	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\mip.exe.mui	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\ja-jp-sym.xml	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabIpsps.dll	1137032943.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\bin\dtplugin\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fr.txt	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sk.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\SubsystemController.man	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert.xml	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\hwrenclm.dat	1137032943.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\hu-HU\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\vcruntime140.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\kor-kor.xml	1137032943.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\lv-LV\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\IpsMigrationPlugin.dll.mui	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\auxbase.xml	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\Bears.jpg	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOLoader.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msadox28.tlb	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.tr-tr.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\SoftBlue.jpg	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ne.txt	1137032943.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\InputPersonalization.exe.mui	1137032943.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\Read_Me.txt	1137032943.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ar-SA\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msader15.dll	1137032943.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\7z.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvApi.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RCom.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui.xml	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsrom.xml	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.pt-pt.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fr-CA\tipresx.dll.mui	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-changjei.xml	1137032943.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ta.txt	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\vi.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\Desktop.ini	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VGX\VGX.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVScripting.dll	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gl.txt	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kaa.txt	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng.txt	1137032943.exe
File created	C:\Program Files\Common Files\microsoft shared\Stationery\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.pl-pl.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsfra.xml	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\tabskb.dll.mui	1137032943.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fi-FI\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sq.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\DESIGNER\MSADDNDR.OLB	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-time-l1-1-0.dll	1137032943.exe
File created	C:\Program Files\Common Files\System\ado\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcr120.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.el-gr.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\OrangeCircles.jpg	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\ShadesOfBlue.jpg	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\insertbase.xml	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsrus.xml	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\es.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\sl-SI\tipresx.dll.mui	1137032943.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\et-EE\Read_Me.txt	1137032943.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ar.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipssrl.xml	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	1137032943.exe
File created	C:\Program Files\Java\jdk1.8.0_66\include\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mr.txt	1137032943.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\he.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\IPSEventLogMsg.dll.mui	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\Green Bubbles.htm	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\vstoee90.tlb	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\History.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.pt-br.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\msadce.dll	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fi.txt	1137032943.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\nl-NL\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\si.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\Shades of Blue.htm	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\TipRes.dll.mui	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\tipresx.dll.mui	1137032943.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\bg-BG\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mshwLatin.dll	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pt.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-conio-l1-1-0.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ru-ru.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\hwrlatinlm.dat	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\msinfo32.exe.mui	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\descript.ion	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\el.txt	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ga.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-stdio-l1-1-0.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\FlickLearningWizard.exe.mui	1137032943.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-MX\Read_Me.txt	1137032943.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\sk-SK\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_kor.xml	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\pidgenx.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\Roses.htm	1137032943.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msado21.tlb	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\vstoee.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\System\ado\en-US\msader15.dll.mui	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\boxed-delete.avi	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\FlickAnimation.avi	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsita.xml	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	1137032943.exe
File created	C:\Program Files\Java\jdk1.8.0_66\db\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipssve.xml	1137032943.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-CA\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kab.txt	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ko.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.de-de.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sl-si.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsdeu.xml	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\et.txt	1137032943.exe
File opened for modification	C:\Program Files\AddRemove.dxf	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVFileSystemMetadata.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mshwgst.dll	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\va.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsfin.xml	1137032943.exe
File created	C:\Program Files\Java\jdk1.8.0_66\db\bin\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sl.txt	1137032943.exe
File created	C:\Program Files\Common Files\Services\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-multibyte-l1-1-0.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.et-ee.dll	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\co.txt	1137032943.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\nb-NO\Read_Me.txt	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nn.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVCatalog.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\es-ES\tipresx.dll.mui	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad.xml	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InkDiv.dll	1137032943.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spl.txt	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2R64.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\StreamServer.dll	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_rtl.xml	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\oskpredbase.xml	1137032943.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\it-IT\tipresx.dll.mui	1137032943.exe

Suspicious behavior: EnumeratesProcesses 710 IoCs

Processes:

1137032943.exe

pid	Process
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe
3828	1137032943.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

Photo-125-137.jpg.scr16667.exewinsvcs.exe

description	pid	Process	procid_target
PID 3968 wrote to memory of 3584	3968	Photo-125-137.jpg.scr	78
PID 3968 wrote to memory of 3584	3968	Photo-125-137.jpg.scr	78
PID 3968 wrote to memory of 3584	3968	Photo-125-137.jpg.scr	78
PID 3968 wrote to memory of 3920	3968	Photo-125-137.jpg.scr	81
PID 3968 wrote to memory of 3920	3968	Photo-125-137.jpg.scr	81
PID 3968 wrote to memory of 3920	3968	Photo-125-137.jpg.scr	81
PID 3920 wrote to memory of 2148	3920	16667.exe	82
PID 3920 wrote to memory of 2148	3920	16667.exe	82
PID 3920 wrote to memory of 2148	3920	16667.exe	82
PID 2148 wrote to memory of 3828	2148	winsvcs.exe	83
PID 2148 wrote to memory of 3828	2148	winsvcs.exe	83
PID 2148 wrote to memory of 3828	2148	winsvcs.exe	83

C:\Users\Admin\AppData\Local\Temp\Photo-125-137.jpg.scr
"C:\Users\Admin\AppData\Local\Temp\Photo-125-137.jpg.scr" /S
1⤵
- Suspicious use of WriteProcessMemory
PID:3968
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c start C:\Users\Admin\AppData\Local\Temp\39383.jpg
  2⤵
  PID:3584
- C:\Users\Admin\AppData\Local\Temp\16667.exe
  C:\Users\Admin\AppData\Local\Temp\16667.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3920
- - C:\7129197363678\winsvcs.exe
    C:\7129197363678\winsvcs.exe
    3⤵
    - Executes dropped EXE
    - Windows security modification
    - Suspicious use of WriteProcessMemory
    PID:2148
  - - C:\Users\Admin\AppData\Local\Temp\1137032943.exe
      C:\Users\Admin\AppData\Local\Temp\1137032943.exe
      4⤵
      Executes dropped EXE
      Drops desktop.ini file(s)
      Enumerates connected drives
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      PID:3828

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\7129197363678\winsvcs.exe

MD5
c4f7ad9cdb934e4414e2cf58eb0062d1

SHA1
30268fc11e0ef7e54e219ef0dee3b75734a85c67

SHA256
3ee3db80ebec5075b9dfb525f00bc9a494af450a9d650c995fbe01e0ec2c84b8

SHA512
5259699a3a075d41928ec8079e0bdef33176261cc4d63f3287377cc58f01f755468a850abb1c2552245dfb2814c9245f7ff0b77620fd669661ff8edf8cf83a38

Download Submit
C:\7129197363678\winsvcs.exe

MD5
c4f7ad9cdb934e4414e2cf58eb0062d1

SHA1
30268fc11e0ef7e54e219ef0dee3b75734a85c67

SHA256
3ee3db80ebec5075b9dfb525f00bc9a494af450a9d650c995fbe01e0ec2c84b8

SHA512
5259699a3a075d41928ec8079e0bdef33176261cc4d63f3287377cc58f01f755468a850abb1c2552245dfb2814c9245f7ff0b77620fd669661ff8edf8cf83a38

Download Submit
C:\Users\Admin\AppData\Local\Temp\1137032943.exe

MD5
7d52884b375ce8b6182f1c53f0f1c496

SHA1
6b70e90b0dada8d93c61caa678e76ce2abcbc76b

SHA256
9c48e8a5f83614f685249486a13a8a132660f37d11c5f55581414dbf02091021

SHA512
24350255bda3672cce0ff22221e5973cd69f5b8470eb642e9679c3c006716271af8f32a2d4ee5309949c746eb9cb15bba411052fd4935a2a2b436501c7b4a515

Download Submit
C:\Users\Admin\AppData\Local\Temp\1137032943.exe

MD5
7d52884b375ce8b6182f1c53f0f1c496

SHA1
6b70e90b0dada8d93c61caa678e76ce2abcbc76b

SHA256
9c48e8a5f83614f685249486a13a8a132660f37d11c5f55581414dbf02091021

SHA512
24350255bda3672cce0ff22221e5973cd69f5b8470eb642e9679c3c006716271af8f32a2d4ee5309949c746eb9cb15bba411052fd4935a2a2b436501c7b4a515

Download Submit
C:\Users\Admin\AppData\Local\Temp\16667.exe

MD5
c4f7ad9cdb934e4414e2cf58eb0062d1

SHA1
30268fc11e0ef7e54e219ef0dee3b75734a85c67

SHA256
3ee3db80ebec5075b9dfb525f00bc9a494af450a9d650c995fbe01e0ec2c84b8

SHA512
5259699a3a075d41928ec8079e0bdef33176261cc4d63f3287377cc58f01f755468a850abb1c2552245dfb2814c9245f7ff0b77620fd669661ff8edf8cf83a38

Download Submit
C:\Users\Admin\AppData\Local\Temp\16667.exe

MD5
c4f7ad9cdb934e4414e2cf58eb0062d1

SHA1
30268fc11e0ef7e54e219ef0dee3b75734a85c67

SHA256
3ee3db80ebec5075b9dfb525f00bc9a494af450a9d650c995fbe01e0ec2c84b8

SHA512
5259699a3a075d41928ec8079e0bdef33176261cc4d63f3287377cc58f01f755468a850abb1c2552245dfb2814c9245f7ff0b77620fd669661ff8edf8cf83a38

Download Submit
C:\Users\Admin\AppData\Local\Temp\39383.jpg

MD5
848278f126f6de8d52622f8436985d77

SHA1
b18ff66c0b66156fc9daf2b30cab31bb646d4542

SHA256
4eef0a6a4c06affa87e1a215fe7fbfe5125e1523391cd703b17b4c611e63ea4b

SHA512
611b206e2ef1a37baddb7516a143028188ba2cff8af0238946b5eea237965561566080672467fe5b7addaede509b8ce920e61066a023bb7e255e70e01c33fb05

Download Submit
memory/2148-4-0x0000000000000000-mapping.dmp

Download
memory/3584-0-0x0000000000000000-mapping.dmp

Download
memory/3828-7-0x0000000000000000-mapping.dmp

Download
memory/3828-13-0x0000000005390000-0x0000000005461000-memory.dmp

Filesize
836KB

Download
memory/3920-1-0x0000000000000000-mapping.dmp

Download