Windows Analysis Report
1.exe

Overview

General Information

Sample name: 1.exe
Analysis ID: 1575387
MD5: fb14aae2ed93a7ddfa718f433f585735
SHA1: 34efa21245f1424be44346b2dc0698844dd30f3f
SHA256: d1e0cac795c8f8ef7080d0c96f0240ea18f15d56ee5a17bb6595af01aa641e11
Infos:

Detection

INC Ransomware
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Found ransom note / readme
Multi AV Scanner detection for submitted file
Yara detected INC Ransomware
AI detected suspicious sample
Changes the wallpaper picture
Contains functionality to change the wallpaper
Document exploit detected (process start blacklist hit)
Found Tor onion address
Found potential ransomware demand text
Machine Learning detection for sample
Modifies existing user documents (likely ransomware behavior)
Writes a notice file (html or txt) to demand a ransom
Writes many files with high entropy
AV process strings found (often used to terminate AV products)
Checks for available system drives (often done to infect USB drives)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to enumerate running services
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to record screenshots
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates files inside the system directory
Detected potential crypto function
Found potential string decryption / allocating functions
May use bcdedit to modify the Windows boot settings
Queries the volume information (name, serial number etc) of a device
Sigma detected: Potentially Suspicious Desktop Background Change Via Registry
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • 1.exe (PID: 7412 cmdline: "C:\Users\user\Desktop\1.exe" MD5: FB14AAE2ED93A7DDFA718F433F585735)
    • conhost.exe (PID: 7420 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • FXSSVC.exe (PID: 2932 cmdline: C:\Windows\system32\fxssvc.exe MD5: 8C6D3BF6997E02544BE68D43DABE2F39)
  • ONENOTE.EXE (PID: 7504 cmdline: /insertdoc "C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\{AF3AB8FA-AD7A-49AB-B8F2-82D9D57E4E04}.xps" 133787363258030000 MD5: 0061760D72416BCF5F2D9FA6564F0BEA)
    • OfficeC2RClient.exe (PID: 7560 cmdline: OfficeC2RClient.exe /error PID=7504 ProcessName="Microsoft OneNote" UIType=3 ErrorSource=0x8b10082a ErrorCode=0x800c0006 ShowUI=1 MD5: 4F025E7F9ADD3623A8B384BC0C7B18CB)
  • onenoteim.exe (PID: 7604 cmdline: "C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe" -ServerName:microsoft.onenoteim.AppXxqb9ypsz6cs1w07e1pmjy4ww4dy9tpqr.mca MD5: 56AC82018A550CF0C525F0C7891806F1)
  • cleanup
{"Text Note": "~~~~ INC Ransom ~~~~\r\n\r\n-----> Your data is stolen and encrypted.\r\nIf you don't pay the ransom, the data will be published on our TOR darknet sites.\r\nThe sooner you pay the ransom, the sooner your company will be safe.\r\n\r\nTor Browser Link:\r\n\thttp://incblog6qu4y4mm4zvw5nrmue6qbwtgjsxpw6b7ixzssu36tsajldoad.onion/\r\n\thttp://incblog7vmuq7rktic73r4ha4j757m3ptym37tyvifzp2roedyyzzxid.onion/\r\n\r\nLink for normal browser:\r\n\thttp://incapt.su/\r\n\t\r\n-----> What guarantees are that we won't fool you?\r\nWe are not a politically motivated group and we want nothing more than money.\r\nIf you pay, we will provide you with decryption software and destroy the stolen data.\r\nAfter you pay the ransom, you will quickly restore your systems and make even more money.\r\nTreat this situation simply as a paid training for your system administrators, because it is due to your corporate network not being properly configured that we were able to attack you.\r\nOur pentest services should be paid just like you pay the salaries of your system administrators. Get over it and pay for it.\r\nIf we don't give you a decryptor or delete your data after you pay, no one will pay us in the future.\r\nYou can get more information about us on Twitter https://twitter.com/hashtag/incransom?f=live\r\n\r\n-----> You need to contact us on TOR darknet sites with your personal ID\r\nDownload and install Tor Browser https://www.torproject.org/\r\nWrite to the chat room and wait for an answer, we'll guarantee a response from you.\r\nSometimes you will have to wait some time for our reply, this is because we have a lot of work and we attack tens of companies around the world.\r\n\r\nTor Browser Link for chat:\r\n\thttp://incpaykabjqc2mtdxq6c23nqh4x6m5dkps5fr6vgdkgzp5njssx6qkid.onion/\r\n\r\nYour personal ID:\r\n\t%id%\r\n\r\n-----> Warning! 
Don't delete or modify encrypted files, it will lead to problems with decryption of files!\r\n-----> Don't go to the police or the FBI for help. They won't help you.\r\nThe police will try to prohibit you from paying the ransom in any way.\r\nThe first thing they will tell you is that there's no guarantee to decrypt your files and remove stolen files.\r\nThis is not true, we can do a test decryption before paying and your data will be guaranteed to be removed because it's a matter of our reputation.\r\nPaying the ransom to us is much cheaper and more profitable than paying fines and legal fees.\r\nThe police and the FBI don't care what losses you suffer as a result of our attack, and we'll help you get rid of all your problems for a modest sum of money.\r\nIf you're worried that someone will trace your bank transfers, you can easily buy cryptocurrency for cash, thus leaving no digital trail that someone from your company paid our ransom.\r\nThe police and FBI won't be able to stop lawsuits from your customers for leaking personal and private information.\r\nThe police and FBI won't protect you from repeated attacks. 
\r\n\r\n-----> Don't go to recovery companies!\r\nThey are essentially just middlemen who will make money off you and cheat you.\r\nWe are well aware of cases where recovery companies tell you that the ransom price is $5M dollars, but in fact they secretly negotiate with us for $1M.\r\nIf you approached us directly without intermediaries you would pay several times less.\r\n\r\n-----> For those who have cyber insurance against ransomware attacks.\r\nInsurance companies require you to keep your insurance information secret.\r\nIn most cases, we find this information and download it.\r\n\r\n-----> If you do not pay the ransom, we will attack your company again in the future.\r\n", "HTML Note": "<html>\r\n\t<head>\r\n\t\t<title>INC Ransom</title>\r\n\t</head>\r\n\t<body style=\"width: 100%; height: 100%; display: flex; flex-direction: column; justify-content: center; align-items: center; overflow: hidden;\">\r\n\t\t<div style=\"display: flex; justify-content: space-between; max-width: 80%; overflow-y: auto;\">\r\n\t\t\t<div style=\"width: 80%;\">\r\n                <div style=\"display: flex; flex-direction: column;\">\r\n                    <span style=\"font-size: 20px; font-weight: 600;\">Your data is stolen and encrypted.</span>\r\n                    <span style=\"font-size: 14px; margin-top: 8px;\">If you don't pay the ransom, the data will be published on our TOR darknet sites.</span>\r\n                    <span style=\"font-size: 14px;\">The sooner you pay the ransom, the sooner your company will be safe.</span>\r\n                </div>\r\n                <div style=\"display: flex; flex-direction: column; margin-top: 16px;\">\r\n                    <span style=\"font-size: 20px; font-weight: 600;\">Blog Tor Browser Link:</span>\r\n                    <span style=\"font-size: 14px; margin-top: 8px; text-decoration: underline;\">http://incblog6qu4y4mm4zvw5nrmue6qbwtgjsxpw6b7ixzssu36tsajldoad.onion/</span>\r\n                    <span style=\"font-size: 14px; 
margin-top: 8px; text-decoration: underline;\">http://incblog7vmuq7rktic73r4ha4j757m3ptym37tyvifzp2roedyyzzxid.onion/</span>\r\n                </div>\r\n                <div style=\"display: flex; flex-direction: column; margin-top: 16px;\">\r\n                    <span style=\"font-size: 20px; font-weight: 600;\">Blog Link for normal browser:</span>\r\n                    <span style=\"font-size: 14px; margin-top: 8px; text-decoration: underline;\">http://incapt.su/</span>\r\n                </div>\r\n                <div style=\"display: flex; flex-direction: column; margin-top: 16px;\">\r\n                    <span style=\"font-size: 20px; font-weight: 600;\">You need to contact us on TOR darknet sites with your personal ID</span>\r\n                    <span style=\"font-size: 14px; margin-top: 8px;\">Download and install Tor Browser https://www.torproject.org/</span>\r\n                    <span style=\"font-size: 14px; margin-top: 8px;\">Write to the chat room and wait for an answer, we'll guarantee a response from you.</span>\r\n                    <span style=\"font-size: 14px; margin-top: 8px;\">Sometimes you will have to wait some time for our reply, this is because we have a lot of work and we attack tens of companies around the world.</span>\r\n                </div>\r\n                <div style=\"display: flex; flex-direction: column; margin-top: 16px;\">\r\n                    <span style=\"font-size: 20px; font-weight: 600;\">Chat Tor Browser Link:</span>\r\n                    <span style=\"font-size: 14px; margin-top: 8px; text-decoration: underline;\">http://incpaykabjqc2mtdxq6c23nqh4x6m5dkps5fr6vgdkgzp5njssx6qkid.onion/</span>\r\n                </div>\r\n                <div style=\"display: flex; flex-direction: column; margin-top: 16px;\">\r\n                    <span style=\"font-size: 20px; font-weight: 600;\">Your personal ID: </span>\r\n                    <span style=\"font-size: 14px; margin-top: 8px; text-decoration: 
underline;\">%id%</span>\r\n                </div>\r\n                <div style=\"display: flex; flex-direction: column; margin-top: 16px;\">\r\n                    <span style=\"font-size: 20px; font-weight: 600;\">Don't go to recovery companies!</span>\r\n                    <span style=\"font-size: 14px; margin-top: 8px;\">They are essentially just middlemen who will make money off you and cheat you.</span>\r\n                    <span style=\"font-size: 14px; margin-top: 8px;\">We are well aware of cases where recovery companies tell you that the ransom price is $5M dollars, but in fact they secretly negotiate with us for $1M.</span>\r\n                    <span style=\"font-size: 14px; margin-top: 8px;\">If you approached us directly without intermediaries you would pay several times less.</span>\r\n                </div>\r\n                <div style=\"display: flex; flex-direction: column; margin-top: 16px;\">\r\n                    <span style=\"font-size: 20px; font-weight: 600;\">For those who have cyber insurance against ransomware attacks.</span>\r\n                    <span style=\"font-size: 14px; margin-top: 8px;\">Insurance companies require you to keep your insurance information secret.</span>\r\n                    <span style=\"font-size: 14px; margin-top: 8px;\">In most cases, we find this information and download it.</span>\r\n                </div>\r\n            </div>\r\n            <div style=\"width: 80%;\">\r\n                <div style=\"display: flex; flex-direction: column;\">\r\n                    <span style=\"font-size: 20px; font-weight: 600;\">What guarantees are that we won't fool you?</span>\r\n                    <span style=\"font-size: 14px; margin-top: 8px;\">We are not a politically motivated group and we want nothing more than money.</span>\r\n                    <span style=\"font-size: 14px; margin-top: 8px;\">If you pay, we will provide you with decryption software and destroy the stolen data.</span>\r\n               
     <span style=\"font-size: 14px; margin-top: 8px;\">After you pay the ransom, you will quickly restore your systems and make even more money.</span>\r\n                    <span style=\"font-size: 14px; margin-top: 8px;\">Treat this situation simply as a paid training for your system administrators, because it is due to your corporate network not being properly configured that we were able to attack you.</span>\r\n                    <span style=\"font-size: 14px; margin-top: 8px;\">Our pentest services should be paid just like you pay the salaries of your system administrators. Get over it and pay for it.</span>\r\n                    <span style=\"font-size: 14px; margin-top: 8px;\">If we don't give you a decryptor or delete your data after you pay, no one will pay us in the future.</span>\r\n                    <span style=\"font-size: 14px; margin-top: 8px;\">You can get more information about us on Twitter https://twitter.com/hashtag/incransom?f=live</span>\r\n                </div>\r\n                <div style=\"display: flex; flex-direction: column; margin-top: 16px;\">\r\n                    <span style=\"font-size: 20px; font-weight: 600;\">Warning! Don't delete or modify encrypted files, it will lead to problems with decryption of files!</span>\r\n                </div>\r\n                <div style=\"display: flex; flex-direction: column; margin-top: 16px;\">\r\n                    <span style=\"font-size: 20px; font-weight: 600;\">Don't go to the police or the FBI for help. 
They won't help you.</span>\r\n                    <span style=\"font-size: 14px; margin-top: 8px;\">The police will try to prohibit you from paying the ransom in any way.</span>\r\n                    <span style=\"font-size: 14px; margin-top: 8px;\">The first thing they will tell you is that there's no guarantee to decrypt your files and remove stolen files.</span>\r\n                    <span style=\"font-size: 14px; margin-top: 8px;\">This is not true, we can do a test decryption before paying and your data will be guaranteed to be removed because it's a matter of our reputation.</span>\r\n                    <span style=\"font-size: 14px; margin-top: 8px;\">Paying the ransom to us is much cheaper and more profitable than paying fines and legal fees.</span>\r\n                    <span style=\"font-size: 14px; margin-top: 8px;\">The police and the FBI don't care what losses you suffer as a result of our attack, and we'll help you get rid of all your problems for a modest sum of money.</span>\r\n                    <span style=\"font-size: 14px; margin-top: 8px;\">If you're worried that someone will trace your bank transfers, you can easily buy cryptocurrency for cash, thus leaving no digital trail that someone from your company paid our ransom.</span>\r\n                    <span style=\"font-size: 14px; margin-top: 8px;\">The police and FBI won't be able to stop lawsuits from your customers for leaking personal and private information.</span>\r\n                    <span style=\"font-size: 14px; margin-top: 8px;\">The police and FBI won't protect you from repeated attacks.</span>\r\n                </div>\r\n                <div style=\"display: flex; flex-direction: column; margin-top: 16px;\">\r\n                    <span style=\"font-size: 20px; font-weight: 600;\">If you do not pay the ransom, we will attack your company again in the future.</span>\r\n                </div>\r\n            </div>\r\n\t\t</div>\r\n\t</body>\r\n</html>", "ID": 
"6755d7b438e2eaa58b4521ef"}
Source | Rule | Description | Author | Strings
1.exe | JoeSecurity_INCRansomware | Yara detected INC Ransomware | Joe Security |

Source | Rule | Description | Author | Strings
00000000.00000002.1992603027.00000000005FB000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_INCRansomware | Yara detected INC Ransomware | Joe Security |
00000000.00000003.1981864414.0000000004B50000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_INCRansomware | Yara detected INC Ransomware | Joe Security |
00000000.00000003.1976846394.0000000001447000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_INCRansomware | Yara detected INC Ransomware | Joe Security |
00000000.00000000.1691485279.00000000005FB000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_INCRansomware | Yara detected INC Ransomware | Joe Security |
00000000.00000002.1993113149.00000000013CE000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_INCRansomware | Yara detected INC Ransomware | Joe Security |
Source: Registry Key set, Author: Nasreddine Bencherchali (Nextron Systems), Stephen Lincoln @slincoln-aiq (AttackIQ): Data: Details: C:\Users\user\AppData\Local\Temp\\background-image.jpg, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\1.exe, ProcessId: 7412, TargetObject: HKEY_CURRENT_USER\Control Panel\Desktop\Wallpaper
No Suricata rule has matched

AV Detection

Source: 1.exe, Avira: detected
Source: 1.exe, Malware Configuration Extractor: INC Ransomware
Source: 1.exe, Virustotal: Detection: 73%
Source: 1.exe, ReversingLabs: Detection: 78%
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 99.5% probability
Source: 1.exe, Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\1.exe, Code function: 0_2_005E90C0 CryptAcquireContextW,CryptAcquireContextW,CryptAcquireContextW,GetCommandLineW,CommandLineToArgvW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,ExitProcess,ExitProcess,SHEmptyRecycleBinA,GetConsoleWindow,ShowWindow,lstrlenW,lstrlenW,lstrlenW,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,0_2_005E90C0
Source: C:\Users\user\Desktop\1.exe, Code function: 0_2_005E5920 GetFileAttributesW,SetFileAttributesW,CreateFileW,GetFileSizeEx,CloseHandle,lstrlenA,CryptStringToBinaryA,CryptStringToBinaryA,CryptStringToBinaryA,CryptGenRandom,lstrlenW,lstrlenW,lstrlenW,lstrcpyW,lstrcpyW,lstrcatW,lstrcatW,lstrcatW,lstrcpyA,lstrlenW,lstrcpyW,CreateIoCompletionPort,ReadFile,InterlockedIncrement,0_2_005E5920
Source: C:\Users\user\Desktop\1.exe, Code function: 0_2_005E6B30 lstrlenA,lstrlenA,CryptStringToBinaryA,CryptStringToBinaryA,lstrlenA,CryptStringToBinaryA,CryptStringToBinaryA,CryptStringToBinaryA,0_2_005E6B30
Source: 1.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\1.exe, File created: C:\INC-README.txt
Source: C:\Users\user\Desktop\1.exe, File created: C:\$WinREAgent\INC-README.txt
Source: C:\Users\user\Desktop\1.exe, File created: C:\$WinREAgent\Scratch\INC-README.txt
Source: C:\Users\user\Desktop\1.exe, File created: C:\PerfLogs\INC-README.txt
Source: C:\Users\user\Desktop\1.exe, File created: C:\ProgramData\INC-README.txt
Source: C:\Users\user\Desktop\1.exe, File created: C:\ProgramData\Adobe\INC-README.txt
Source: C:\Users\user\Desktop\1.exe, File created: C:\ProgramData\Adobe\ARM\INC-README.txt
Source: C:\Users\user\Desktop\1.exe, File created: C:\ProgramData\Adobe\ARM\Acrobat_23.006.20320\INC-README.txt
Source: C:\Users\user\Desktop\1.exe, File created: C:\ProgramData\Adobe\ARM\{291AA914-A987-4CE9-BD63-0C0A92D435E5}\INC-README.txt
Source: C:\Users\user\Desktop\1.exe, File created: C:\ProgramData\dbg\INC-README.txt
Source: C:\Users\user\Desktop\1.exe, File created: C:\ProgramData\Microsoft\INC-README.txt
Source: C:\Users\user\Desktop\1.exe, File created: C:\ProgramData\Microsoft\AppV\INC-README.txt
Source: C:\Users\user\Desktop\1.exe, File created: C:\ProgramData\Microsoft\AppV\Setup\INC-README.txt
Source: C:\Users\user\Desktop\1.exe, File created: C:\ProgramData\Microsoft\ClickToRun\INC-README.txt
Source: C:\Users\user\Desktop\1.exe, File created: C:\ProgramData\Microsoft\ClickToRun\MachineData\INC-README.txt
Source: C:\Users\user\Desktop\1.exe, File created: C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\INC-README.txt
Source: C:\Users\user\Desktop\1.exe, File created: C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\INC-README.txt
Source: C:\Users\user\Desktop\1.exe, File created: C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\INC-README.txt
Source: C:\Users\user\Desktop\1.exe, File created: C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\INC-README.txt
Source: C:\Users\user\Desktop\1.exe, File created: C:\ProgramData\Microsoft\ClickToRun\MachineData\Integration\INC-README.txt
Source: C:\Users\user\Desktop\1.exe, File created: C:\ProgramData\Microsoft\ClickToRun\MachineData\Integration\ShortcutBackups\INC-README.txt
Source: C:\Users\user\Desktop\1.exe, File created: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\INC-README.txt
Source: C:\Users\user\Desktop\1.exe, File created: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\INC-README.txt
Source: C:\Users\user\Desktop\1.exe, File created: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\en-us.16\INC-README.txt
Source: C:\Users\user\Desktop\1.exe, File created: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\x-none.16\INC-README.txt
Source: C:\Users\user\Desktop\1.exe, File created: C:\ProgramData\Microsoft\ClickToRun\UserData\INC-README.txt
Source: C:\Users\user\Desktop\1.exe, File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\INC-README.txt
Source: C:\Users\user\Desktop\1.exe, File created: C:\ProgramData\Microsoft\Crypto\INC-README.txt
Source: C:\Users\user\Desktop\1.exe, File created: C:\ProgramData\Microsoft\Crypto\DSS\INC-README.txt
Source: C:\Users\user\Desktop\1.exe, File created: C:\ProgramData\Microsoft\Crypto\DSS\MachineKeys\INC-README.txt
Source: C:\Users\user\Desktop\1.exe, File created: C:\ProgramData\Microsoft\Crypto\Keys\INC-README.txt
Source: C:\Users\user\Desktop\1.exe, File created: C:\ProgramData\Microsoft\Crypto\PCPKSP\INC-README.txt
Source: C:\Users\user\Desktop\1.exe, File created: C:\ProgramData\Microsoft\Crypto\PCPKSP\WindowsAIK\INC-README.txt
Source: C:\Users\user\Desktop\1.exe, File created: C:\ProgramData\Microsoft\Crypto\RSA\INC-README.txt
Source: C:\Users\user\Desktop\1.exe, File created: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\INC-README.txt
Source: C:\Users\user\Desktop\1.exe, File created: C:\ProgramData\Microsoft\Crypto\SystemKeys\INC-README.txt
Source: C:\Users\user\Desktop\1.exe, File created: C:\ProgramData\Microsoft\Device Stage\INC-README.txt
Source: C:\Users\user\Desktop\1.exe, File created: C:\ProgramData\Microsoft\Device Stage\Device\INC-README.txt
Source: C:\Users\user\Desktop\1.exe, File created: C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\INC-README.txt
Source: C:\Users\user\Desktop\1.exe, File created: C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\INC-README.txt
Source: C:\Users\user\Desktop\1.exe, File created: C:\ProgramData\Microsoft\Device Stage\Task\INC-README.txt
Source: C:\Users\user\Desktop\1.exe, File created: C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\INC-README.txt
Source: C:\Users\user\Desktop\1.exe, File created: C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\en-GB\INC-README.txt
Source: C:\Users\user\Desktop\1.exe, File created: C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\INC-README.txt
Source: C:\Users\user\Desktop\1.exe, File created: C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\en-GB\INC-README.txt
Source: C:\Users\user\Desktop\1.exe, File created: C:\ProgramData\Microsoft\DeviceSync\INC-README.txt
Source: C:\Users\user\Desktop\1.exe, File created: C:\ProgramData\Microsoft\Diagnosis\INC-README.txt
Source: C:\Users\user\Desktop\1.exe, File created: C:\ProgramData\Microsoft\Diagnosis\CustomTraceProfiles\INC-README.txt
Source: C:\Users\user\Desktop\1.exe, File created: C:\ProgramData\Microsoft\Diagnosis\DownloadedScenarios\INC-README.txt
Source: C:\Users\user\Desktop\1.exe, File created: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\INC-README.txt
Source: C:\Users\user\Desktop\1.exe, File created: C:\ProgramData\Microsoft\Diagnosis\ETLLogs\INC-README.txt
Source: C:\Users\user\Desktop\1.exe, File created: C:\ProgramData\Microsoft\Diagnosis\ETLLogs\Autologger\INC-README.txt
Source: C:\Users\user\Desktop\1.exe, File created: C:\ProgramData\Microsoft\Diagnosis\ETLLogs\ScenarioShutdownLogger\INC-README.txt
Source: C:\Users\user\Desktop\1.exe, File created: C:\ProgramData\Microsoft\Diagnosis\ETLLogs\ShutdownLogger\INC-README.txt
Source: C:\Users\user\Desktop\1.exe, File created: C:\ProgramData\Microsoft\Diagnosis\EventTranscript\INC-README.txt
Source: C:\Users\user\Desktop\1.exe, File created: C:\ProgramData\Microsoft\Diagnosis\FeedbackHub\INC-README.txt
Source: C:\Users\user\Desktop\1.exe, File created: C:\ProgramData\Microsoft\Diagnosis\LocalTraceStore\INC-README.txt
Source: C:\Users\user\Desktop\1.exe, File created: C:\ProgramData\Microsoft\Diagnosis\ScenariosSqlStore\INC-README.txt
Source: C:\Users\user\Desktop\1.exe, File created: C:\ProgramData\Microsoft\Diagnosis\Sideload\INC-README.txt
Source: C:\Users\user\Desktop\1.exe, File created: C:\ProgramData\Microsoft\Diagnosis\Siufloc\INC-README.txt
Source: C:\Users\user\Desktop\1.exe, File created: C:\ProgramData\Microsoft\Diagnosis\SoftLanding\INC-README.txt
Source: C:\Users\user\Desktop\1.exe, File created: C:\ProgramData\Microsoft\Diagnosis\SoftLandingStage\INC-README.txt
Source: C:\Users\user\Desktop\1.exe, File created: C:\ProgramData\Microsoft\Diagnosis\Temp\INC-README.txt
Source: C:\Users\user\Desktop\1.exe, File created: C:\ProgramData\Microsoft\Diagnosis\Temp\DiagTrackTraceSlot_alternativeTrace\INC-README.txt
Source: C:\Users\user\Desktop\1.exe, File created: C:\ProgramData\Microsoft\Diagnosis\Temp\DiagTrackTraceSlot_aot\INC-README.txt
Source: C:\Users\user\Desktop\1.exe, File created: C:\ProgramData\Microsoft\Diagnosis\Temp\DiagTrackTraceSlot_diag\INC-README.txt
Source: C:\Users\user\Desktop\1.exe, File created: C:\ProgramData\Microsoft\Diagnosis\Temp\DiagTrackTraceSlot_miniTrace\INC-README.txt
Source: C:\Users\user\Desktop\1.exe, File created: C:\ProgramData\Microsoft\Diagnosis\TenantStorage\INC-README.txt
Source: C:\Users\user\Desktop\1.exe, File created: C:\ProgramData\Microsoft\Diagnosis\TenantStorage\P-ARIA\INC-README.txt
Source: C:\Users\user\Desktop\1.exe, File created: C:\ProgramData\Microsoft\Diagnosis\TimeTravelDebuggingStorage\INC-README.txt
Source: C:\Users\user\Desktop\1.exe, File created: C:\ProgramData\Microsoft\DiagnosticLogCSP\INC-README.txt
Source: C:\Users\user\Desktop\1.exe, File created: C:\ProgramData\Microsoft\DiagnosticLogCSP\Channels\INC-README.txt
Source: C:\Users\user\Desktop\1.exe, File created: C:\ProgramData\Microsoft\DiagnosticLogCSP\Collectors\INC-README.txt
Source: C:\Users\user\Desktop\1.exe, File created: C:\ProgramData\Microsoft\DiagnosticLogCSP\DeviceStateData\INC-README.txt
Source: C:\Users\user\Desktop\1.exe, File created: C:\ProgramData\Microsoft\DRM\INC-README.txt
Source: C:\Users\user\Desktop\1.exe, File created: C:\ProgramData\Microsoft\DRM\Server\INC-README.txt
Source: C:\Users\user\Desktop\1.exe, File created: C:\ProgramData\Microsoft\EdgeUpdate\INC-README.txt
Source: C:\Users\user\Desktop\1.exe, File created: C:\ProgramData\Microsoft\EdgeUpdate\Log\INC-README.txt
Source: C:\Users\user\Desktop\1.exe, File created: C:\ProgramData\Microsoft\IdentityCRL\INC-README.txt
Source: C:\Users\user\Desktop\1.exe, File created: C:\ProgramData\Microsoft\IdentityCRL\INT\INC-README.txt
Source: C:\Users\user\Desktop\1.exe, File created: C:\ProgramData\Microsoft\IdentityCRL\production\INC-README.txt
Source: C:\Users\user\Desktop\1.exe, File created: C:\ProgramData\Microsoft\MapData\INC-README.txt
Source: C:\Users\user\Desktop\1.exe, File created: C:\ProgramData\Microsoft\MF\INC-README.txt
Source: C:\Users\user\Desktop\1.exe, File created: C:\ProgramData\Microsoft\NetFramework\INC-README.txt
Source: C:\Users\user\Desktop\1.exe, File created: C:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\INC-README.txt
Source: C:\Users\user\Desktop\1.exe, File created: C:\ProgramData\Microsoft\Network\INC-README.txt
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Network\Connections\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Network\Downloader\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Office\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Provisioning\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Provisioning\AssetCache\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Provisioning\AssetCache\CellularUx\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Search\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Search\Data\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Search\Data\Applications\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Search\Data\Temp\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Settings\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Settings\Accounts\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\SmsRouter\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\SmsRouter\MessageStore\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Spectrum\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Speech_OneCore\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Storage Health\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\UEV\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\UEV\InboxTemplates\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\UEV\Scripts\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\UEV\Templates\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\User Account Pictures\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Vault\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\WDF\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Windows Defender\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Clean Store\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Default\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\NisBackup\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\StableEngineEtwLocation\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Updates\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{744D5067-632F-490D-A7F8-522F3DDB7ACB}\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Windows Defender\DLPCache\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Windows Defender\DLPCache\FileEvidence\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Windows Defender\DLPCache\NetworkFilesMappingStubs\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Features\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Windows Defender\LocalCopy\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Network Inspection System\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Network Inspection System\Support\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\af-ZA\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\am-ET\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ar-SA\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\as-IN\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\az-Latn-AZ\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\bg-BG\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\bn-IN\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\bs-Latn-BA\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ca-ES\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ca-ES-valencia\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\Catalogs\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\cs-CZ\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\cy-GB\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\da-DK\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\de-DE\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\Drivers\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\el-GR\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\en-GB\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\en-US\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\es-ES\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\es-MX\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\et-EE\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\eu-ES\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\fa-IR\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\fi-FI\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\fil-PH\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\fr-CA\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\fr-FR\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ga-IE\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\gd-GB\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\gl-ES\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\gu-IN\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\he-IL\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\hi-IN\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\hr-HR\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\hu-HU\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\id-ID\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\is-IS\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\it-IT\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ja-JP\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ka-GE\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\kk-KZ\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\km-KH\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\kn-IN\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ko-KR\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\kok-IN\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\lb-LU\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\lo-LA\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\lt-LT\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\lv-LV\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mi-NZ\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mk-MK\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ml-IN\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mr-IN\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ms-MY\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mt-MT\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\nb-NO\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ne-NP\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\nl-NL\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\nn-NO\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\or-IN\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\pa-IN\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\pl-PL\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\Powershell\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\pt-BR\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\pt-PT\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\quz-PE\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ro-RO\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ru-RU\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\sk-SK\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\sl-SI\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\sq-AL\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\sr-Cyrl-BA\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\sr-Cyrl-RS\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\sr-Latn-RS\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\sv-SE\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ta-IN\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\te-IN\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\th-TH\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\tr-TR\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\tt-RU\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ug-CN\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\uk-UA\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ur-PK\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\vi-VN\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\en-GB\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\en-US\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\zh-CN\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\zh-TW\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Quarantine\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Quarantine\Entries\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Quarantine\ResourceData\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Quarantine\ResourceData\E3\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Quarantine\Resources\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Quarantine\Resources\E3\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Scans\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Scans\BackupStore\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Scans\History\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Scans\History\CacheManager\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Scans\History\ReportLatency\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Scans\History\ReportLatency\Latency\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Scans\History\ReportLatency\Latency\19\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory\00\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory\01\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory\03\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory\04\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory\05\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory\06\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory\07\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory\08\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory\15\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory\21\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Scans\History\Store\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Snapshots\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Support\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Temp\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Windows NT\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Windows NT\MSFax\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Windows NT\MSFax\ActivityLog\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Windows NT\MSFax\Common Coverpages\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Windows NT\MSFax\Common Coverpages\en-GB\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Windows NT\MSFax\Inbox\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exeFile created: C:\ProgramData\Microsoft\Windows NT\MSFax\Queue\INC-README.txtJump to behavior
              Source: C:\Users\user\Desktop\1.exe File created: C:\ProgramData\Microsoft\Windows NT\MSFax\SentItems\INC-README.txt
              Source: C:\Users\user\Desktop\1.exe File created: C:\ProgramData\Microsoft\Windows NT\MSFax\VirtualInbox\INC-README.txt
              Source: C:\Users\user\Desktop\1.exe File created: C:\ProgramData\Microsoft\Windows NT\MSFax\VirtualInbox\en-GB\INC-README.txt
              Source: C:\Users\user\Desktop\1.exe File created: C:\ProgramData\Microsoft\Windows NT\MSScan\INC-README.txt
              Source: C:\Users\user\Desktop\1.exe File created: C:\ProgramData\Microsoft\Windows Security Health\INC-README.txt
              Source: C:\Users\user\Desktop\1.exe File created: C:\ProgramData\Microsoft\Windows Security Health\Logs\INC-README.txt
              Source: C:\Users\user\Desktop\1.exe File created: C:\ProgramData\Microsoft\WinMSIPC\INC-README.txt
              Source: C:\Users\user\Desktop\1.exe File created: C:\ProgramData\Microsoft\WinMSIPC\Server\INC-README.txt
              Source: C:\Users\user\Desktop\1.exe File created: C:\ProgramData\Microsoft\WwanSvc\INC-README.txt
              Source: C:\Users\user\Desktop\1.exe File created: C:\ProgramData\Microsoft OneDrive\INC-README.txt
              Source: C:\Users\user\Desktop\1.exe File created: C:\ProgramData\Microsoft OneDrive\setup\INC-README.txt
              Source: C:\Users\user\Desktop\1.exe File created: C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\INC-README.txt
              Source: C:\Users\user\Desktop\1.exe File created: C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\INC-README.txt
              Source: C:\Users\user\Desktop\1.exe File created: C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\INC-README.txt
              Source: C:\Users\user\Desktop\1.exe File created: C:\ProgramData\Package Cache\INC-README.txt
              Source: C:\Users\user\Desktop\1.exe File created: C:\ProgramData\Package Cache\{0025DD72-A959-45B5-A0A3-7EFEB15A8050}v14.36.32532\INC-README.txt
              Source: C:\Users\user\Desktop\1.exe File created: C:\ProgramData\Package Cache\{0025DD72-A959-45B5-A0A3-7EFEB15A8050}v14.36.32532\packages\INC-README.txt
              Source: C:\Users\user\Desktop\1.exe File created: C:\ProgramData\Package Cache\{0025DD72-A959-45B5-A0A3-7EFEB15A8050}v14.36.32532\packages\vcRuntimeAdditional_amd64\INC-README.txt
              Source: C:\Users\user\Desktop\1.exe File created: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\INC-README.txt
              Source: C:\Users\user\Desktop\1.exe File created: C:\ProgramData\Package Cache\{D5D19E2F-7189-42FE-8103-92CD1FA457C2}v14.36.32532\INC-README.txt
              Source: C:\Users\user\Desktop\1.exe File created: C:\ProgramData\Package Cache\{D5D19E2F-7189-42FE-8103-92CD1FA457C2}v14.36.32532\packages\INC-README.txt
              Source: C:\Users\user\Desktop\1.exe File created: C:\ProgramData\Package Cache\{D5D19E2F-7189-42FE-8103-92CD1FA457C2}v14.36.32532\packages\vcRuntimeMinimum_amd64\INC-README.txt
              Source: C:\Users\user\Desktop\1.exe File created: C:\ProgramData\Packages\INC-README.txt
              Source: C:\Users\user\Desktop\1.exe File created: C:\ProgramData\Packages\Microsoft.549981C3F5F10_8wekyb3d8bbwe\INC-README.txt
              Source: C:\Users\user\Desktop\1.exe File created: C:\ProgramData\Packages\Microsoft.549981C3F5F10_8wekyb3d8bbwe\S-1-5-21-2246122658-3693405117-2476756634-1001\INC-README.txt
              Source: C:\Users\user\Desktop\1.exe File created: C:\ProgramData\Packages\Microsoft.549981C3F5F10_8wekyb3d8bbwe\S-1-5-21-2246122658-3693405117-2476756634-1002\INC-README.txt
              Source: C:\Users\user\Desktop\1.exe File created: C:\ProgramData\Packages\Microsoft.549981C3F5F10_8wekyb3d8bbwe\S-1-5-21-2246122658-3693405117-2476756634-1002\SystemAppData\INC-README.txt