Windows Analysis Report
HkObDPju6Z.exe

Overview

General Information

Sample Name: HkObDPju6Z.exe
Analysis ID: 886219
MD5: 6441d7260944bcedc5958c5c8a05d16d
SHA1: 46257982840493eca90e051ff1749e7040895584
SHA256: 723d1cf3d74fb3ce95a77ed9dff257a78c8af8e67a82963230dd073781074224

Detection

BlackBasta
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected BlackBasta ransomware
Found ransom note / readme
Found Tor onion address
Machine Learning detection for sample
Contains functionality to modify clipboard data
May disable shadow drive data (uses vssadmin)
Writes a notice file (html or txt) to demand a ransom
Deletes shadow drive data (may be related to ransomware)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Abnormal high CPU Usage
AV process strings found (often used to terminate AV products)
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
Extensive use of GetProcAddress (often used to hide API calls)
Tries to load missing DLLs
Contains functionality to read the PEB
Found large amount of non-executed APIs
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)
Contains functionality for read data from the clipboard

Classification

Name: Black Basta
Description: "Black Basta" is a new ransomware strain discovered during April 2022 - looks in dev since at least early February 2022 - and due to their ability to quickly amass new victims and the style of their negotiations, this is likely not a new operation but rather a rebrand of a previous top-tier ransomware gang that brought along their affiliates.
Attribution: No Attribution
Blogpost URLs: (none)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.blackbasta

AV Detection

Source: HkObDPju6Z.exe ReversingLabs: Detection: 59%
Source: HkObDPju6Z.exe Virustotal: Detection: 69%
Source: HkObDPju6Z.exe Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 10_2_02A7ECB0 CryptAcquireContextA,CryptAcquireContextA,GetLastError,CryptAcquireContextA,CryptAcquireContextA,SetLastError,CryptAcquireContextA, 10_2_02A7ECB0
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 10_2_02A7F280 CryptReleaseContext, 10_2_02A7F280
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 10_2_02A7F390 CryptGenRandom,CryptReleaseContext, 10_2_02A7F390
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 10_2_02AEA750 CryptReleaseContext, 10_2_02AEA750
Source: HkObDPju6Z.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Google\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Internet Explorer\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Microsoft Office\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Microsoft Office 15\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Microsoft Update Health Tools\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Mozilla Firefox\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\MSBuild\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Realtek\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Reference Assemblies\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\ruxim\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Uninstall Information\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\UNP\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Windows Defender\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Windows Defender Advanced Threat Protection\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Windows Mail\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Windows Media Player\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Windows Multimedia Platform\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Windows NT\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Windows Photo Viewer\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Windows Portable Devices\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Windows Security\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\WindowsPowerShell\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\DESIGNER\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\Services\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\System\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Google\Chrome\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Internet Explorer\en-GB\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Internet Explorer\en-US\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Internet Explorer\images\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Internet Explorer\SIGNUP\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Microsoft Office\Office16\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Microsoft Office\PackageManifests\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Microsoft Office\root\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Microsoft Office\Updates\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Microsoft Office 15\ClientX64\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Microsoft Update Health Tools\Logs\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Mozilla Firefox\browser\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Mozilla Firefox\defaults\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Mozilla Firefox\fonts\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Mozilla Firefox\gmp-clearkey\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Mozilla Firefox\META-INF\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Mozilla Firefox\uninstall\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\MSBuild\Microsoft\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\af-ZA\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\ar\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\az-Latn-AZ\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\bg\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\bs-Latn-BA\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\ca-ES\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\cs\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\cy-GB\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\da\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\de\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\el-GR\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\en-GB\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\en-US\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\es\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\es-MX\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\et\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\eu-ES\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\fa-IR\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\fi\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\fr\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\fr-CA\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\gl-ES\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\he\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\hr\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\hu\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\id\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\is-IS\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\it\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\ja\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\ka-GE\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\kk-KZ\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\ko\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\lt\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\lv\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\ms-MY\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\nb\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\nl\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\nn-NO\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\pl\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\pt\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\pt-PT\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\ro\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\ru\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\sk\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\sl\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\sq-AL\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\sr-Cyrl-BA\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\sr-latn\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\sv\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\th\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\tr-TR\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\uk\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\ux\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\vi\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\zh-hans\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\zh-hant\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Realtek\Audio\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Reference Assemblies\Microsoft\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\ruxim\ar-sa\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\ruxim\bg-bg\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\ruxim\cs-sz\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\ruxim\da-dk\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\ruxim\de-de\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\ruxim\el-gr\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\ruxim\en-gb\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\ruxim\en-us\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\ruxim\es-es\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\ruxim\es-mx\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\ruxim\et-ee\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\ruxim\fi-fi\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\ruxim\fr-ca\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\ruxim\fr-fr\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\ruxim\he-il\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\ruxim\hr-hr\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\ruxim\hu-hu\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\ruxim\it-it\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\ruxim\ja-jp\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\ruxim\ko-kr\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\ruxim\Logs\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\ruxim\lt-lt\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\ruxim\lv-lv\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\ruxim\nb-no\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\ruxim\nl-nl\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\ruxim\pl-pl\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\ruxim\pt-br\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\ruxim\pt-pt\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\ruxim\ro-ro\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\ruxim\ru-ru\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\ruxim\sk-sk\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\ruxim\sl-latn-rs\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\ruxim\sl-si\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\ruxim\sv-se\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\ruxim\th-th\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\ruxim\tr-tr\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\ruxim\uk-ua\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\ruxim\zh-cn\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\ruxim\zh-tw\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\UNP\Logs\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Windows Defender\en-GB\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Windows Defender\en-US\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Windows Defender\Offline\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Windows Defender\Platform\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Windows Defender Advanced Threat Protection\Classification\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Windows Defender Advanced Threat Protection\en-US\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Windows Media Player\en-GB\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Windows Media Player\en-US\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Windows Media Player\Media Renderer\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Windows Media Player\Network Sharing\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Windows Media Player\Skins\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Windows Media Player\Visualizations\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Windows NT\Accessories\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Windows NT\TableTextService\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Windows Photo Viewer\en-GB\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Windows Photo Viewer\en-US\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Windows Security\BrowserCore\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\WindowsPowerShell\Modules\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\ClickToRun\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\MSInfo\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\OFFICE16\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\Stationery\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\TextConv\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\Triedit\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\VGX\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\VSTO\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\System\ado\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\System\en-GB\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\System\en-US\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\System\msadc\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\System\Ole DB\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Google\Chrome\Application\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Microsoft Office\root\Client\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Microsoft Office\root\Document Themes 16\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Microsoft Office\root\fre\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Microsoft Office\root\Integration\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Microsoft Office\root\Licenses\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Microsoft Office\root\Licenses16\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Microsoft Office\root\loc\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Microsoft Office\root\Office15\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Microsoft Office\root\Office16\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Microsoft Office\root\rsod\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Microsoft Office\root\Stationery\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Microsoft Office\root\Templates\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Microsoft Office\root\vfs\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Microsoft Office\root\vreg\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Microsoft Office\Updates\Apply\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Microsoft Office\Updates\Download\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Mozilla Firefox\browser\features\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Mozilla Firefox\browser\META-INF\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Mozilla Firefox\browser\VisualElements\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Mozilla Firefox\defaults\pref\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\ux\resources\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\ux\static\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Realtek\Audio\HDA\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Reference Assemblies\Microsoft\Framework\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Windows NT\Accessories\en-US\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Windows NT\TableTextService\en-US\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Windows Security\BrowserCore\en-US\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\WindowsPowerShell\Modules\PackageManagement\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\WindowsPowerShell\Modules\Pester\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\WindowsPowerShell\Modules\PSReadline\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\ar-SA\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\bg-BG\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\da-DK\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\de-DE\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\el-GR\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\en-GB\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\en-US\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\es-ES\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\es-MX\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\et-EE\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\fi-FI\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\fr-CA\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\fr-FR\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\he-IL\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\hr-HR\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\hu-HU\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\it-IT\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\ja-JP\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\ko-KR\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\lt-LT\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\lv-LV\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\nb-NO\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\nl-NL\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\pl-PL\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\pt-BR\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\pt-PT\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\ro-RO\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\ru-RU\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\sk-SK\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\sl-SI\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\sv-SE\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\th-TH\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\tr-TR\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\uk-UA\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\zh-CN\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\zh-TW\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\MSInfo\en-GB\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\TextConv\en-US\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\Triedit\en-US\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\VSTO\10.0\instructions_read_me.txt Jump to behavior
Source: HkObDPju6Z.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: E:\cpp\calc\Bin\Release_x86_v143\minipath.pdb source: HkObDPju6Z.exe
Source: Binary string: rocess-l1-1-0.pdb source: api-ms-win-crt-process-l1-1-0.dll.3.dr
Source: Binary string: K0S\ship\lobiclient\x-none\EntityPicker.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000{ source: EntityPicker.dll.3.dr
Source: Binary string: d:\dbs\el\may\target\x64\ship\osm\x-none\MSBARCODE.pdb0000000000000 source: MSBARCODE.DLL.3.dr
Source: Binary string: D:\Extra\react\chakradbg\arm64\build\bin\x64\Release\ChakraCore.Debugger.pdbBB"! source: ChakraCore.Debugger.dll.3.dr
Source: Binary string: G0.pdb source: api-ms-win-core-xstate-l2-1-0.dll.3.dr
Source: Binary string: d:\dbs\el\may\target\x64\ship\osm\x-none\MSBARCODE.pdb source: MSBARCODE.DLL.3.dr
Source: Binary string: ;\ship\intldate\x-none\IntlDate.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 source: INTLDATE.DLL.3.dr
Source: Binary string: ;\ship\intldate\x-none\IntlDate.pdb source: INTLDATE.DLL.3.dr
Source: Binary string: S\ship\lobiclient\x-none\EntityPicker.pdb source: EntityPicker.dll.3.dr
Source: Binary string: d:\dbs\el\jul\target\x64\ship\click2run\x-none\Interceptor.pdb source: Interceptor.dll.3.dr
Source: Binary string: d:\dbs\el\jul\target\x64\ship\click2run\x-none\Interceptor.pdb0000000000000000000000000000000000000 source: Interceptor.dll.3.dr
Source: Binary string: D:\Extra\react\chakradbg\arm64\build\bin\x64\Release\ChakraCore.Debugger.pdb source: ChakraCore.Debugger.dll.3.dr
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 10_2_0083605C FindFirstFileExW, 10_2_0083605C
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 10_2_007EE3D0 PathCompactPathExW,LoadStringW,LoadStringW,LoadStringW,SendMessageW,GetParent,DoDragDrop,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SHGetDataFromIDListW,FindFirstFileW,FindClose,StrFormatByteSizeW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetDateFormatW,GetTimeFormatW,lstrcpyW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,wsprintfW,SendMessageW,wsprintfW,lstrcmpW,SendMessageW,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree,StrRetToBufW,StrRetToBufW,StrRetToBufW,SHGetFileInfoW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,lstrcmpW, 10_2_007EE3D0
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 10_2_00836446 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 10_2_00836446
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 10_2_02A4CB30 FindFirstFileW,lstrcmpW,FindNextFileW,GetLastError,FindClose,GetTempPathW,RegCreateKeyExW,GetTickCount, 10_2_02A4CB30
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 10_2_02AD8642 FindFirstFileExW, 10_2_02AD8642
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 10_2_02A4C4FE FindFirstFileW,lstrcmpW,FindNextFileW,GetLastError,FindClose, 10_2_02A4C4FE
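The FindFirstFileW/FindNextFileW/FindClose loops listed above are the directory walk behind the ransom-note drops and the rewritten files elsewhere in this report. A file that is rewritten only in part keeps plaintext between the overwritten regions, and a string scanner reads straight across the cut; that is how fragments such as `http://www.w3.orQZ` in the Networking section below were recovered from Office license files the sample wrote to. Added example, not part of this report or of the sample: per-chunk entropy profiling that tells an untouched file from a partially or fully overwritten one, with a minimal strings() pass that reproduces the truncation. The chunk size, the license-like filler text and the position of the cut are constructed for the demonstration, not values taken from the sample.

```python
import math
import random
from collections import Counter

CHUNK = 64 * 1024  # constructed chunk size for the sample below; not a value from this report


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a run of one value, close to 8.0 for ciphertext."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def profile_file(data: bytes, chunk: int = CHUNK, threshold: float = 7.5) -> dict:
    """Entropy per fixed-size chunk plus a verdict on how much of the file was overwritten.

    Compressed or already-encrypted formats also score high, so read the verdict as a
    triage hint for files whose clean form is known to be text (XML licenses, scripts, logs).
    """
    chunks = [data[i:i + chunk] for i in range(0, len(data), chunk)]
    ents = [shannon_entropy(c) for c in chunks]
    high = [e >= threshold for e in ents]
    if all(high):
        verdict = "fully_encrypted"
    elif any(high):
        verdict = "partially_encrypted"
    else:
        verdict = "plaintext"
    return {
        "chunks": len(chunks),
        "high_entropy_chunks": sum(high),
        "entropies": [round(e, 2) for e in ents],
        "verdict": verdict,
    }


def ascii_strings(data: bytes, min_len: int = 8) -> list:
    """A minimal strings(1): runs of printable ASCII, the pass that produced the fragments."""
    out, run = [], bytearray()
    for b in data:
        if 0x20 <= b < 0x7F:
            run.append(b)
            continue
        if len(run) >= min_len:
            out.append(run.decode("ascii"))
        run = bytearray()
    if len(run) >= min_len:
        out.append(run.decode("ascii"))
    return out


def _random_chunk(rng: random.Random, n: int) -> bytes:
    """Deterministic stand-in for ciphertext: n uniformly random bytes."""
    return rng.getrandbits(8 * n).to_bytes(n, "little")


def build_sample(chunk: int = CHUNK, seed: int = 1) -> bytes:
    """Constructed stand-in for a rewritten license file: six chunks, two of them overwritten.

    The URL is placed so the cut falls inside it; only "http://www.w3.o" survives in front
    of the overwritten region, mirroring the truncated strings in the Networking section.
    """
    rng = random.Random(seed)
    line = b'<r:grant><r:forAll varName="anyone"/><r:right>play</r:right></r:grant>\n'
    text = line * (chunk // len(line) + 1)
    url = b"http://www.w3.org/2000/09/xmldsig#"
    head = text[: chunk - 16] + b"\n" + url[:15]  # the chunk ends exactly inside the URL
    return (head + _random_chunk(rng, chunk) + text[:chunk] * 2
            + _random_chunk(rng, chunk) + text[:chunk])
```

`profile_file(build_sample())` reports six chunks with two above the threshold and the verdict `partially_encrypted`; `ascii_strings` on the same buffer yields a run that begins `http://www.w3.o` and continues with whatever printable bytes the overwritten region happens to start with, never reaching `xmldsig`. On a live host, run the profile over the directories the note was dropped into to separate files that still have recoverable content from those that do not.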

Networking

Source: HkObDPju6Z.exe, 00000003.00000003.22575159083.0000000002F20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
Source: HkObDPju6Z.exe String found in binary or memory: ATTENTION! Your network has been breached and all data was encrypted. Please contact us at: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/ Login ID: 26d371a9-efda-4e82-9989-01e292244d65 *!* To access .onion websites downlo
Source: HkObDPju6Z.exe String found in binary or memory: ATTENTION!Your network has been breached and all data was encrypted. Please contact us at:https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/ Login ID: 26d371a9-efda-4e82-9989-01e292244d65*!* To access .onion websites downlo
Source: HkObDPju6Z.exe, 0000000A.00000003.22756871962.00000000028F0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
Source: HkObDPju6Z.exe, 0000000A.00000002.22779639838.0000000000D20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
Source: HkObDPju6Z.exe, 0000000A.00000002.22781985168.0000000002A40000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
Source: HkObDPju6Z.exe, 0000000E.00000002.22855902907.0000000002900000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
Source: HkObDPju6Z.exe, 0000000E.00000003.22839485707.0000000002980000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
Source: HkObDPju6Z.exe, 0000000E.00000002.22856927512.0000000002A90000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
Source: notepad.exe, 0000001E.00000002.27586886931.0000000003343000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
Source: instructions_read_me.txt46.3.dr String found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
Source: instructions_read_me.txt51.3.dr String found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
Source: instructions_read_me.txt79.3.dr String found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
Source: instructions_read_me.txt78.3.dr String found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
Source: instructions_read_me.txt39.3.dr String found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
Source: instructions_read_me.txt13.3.dr String found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
Source: instructions_read_me.txt21.3.dr String found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
Source: instructions_read_me.txt38.3.dr String found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
Source: instructions_read_me.txt40.3.dr String found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
Source: instructions_read_me.txt15.3.dr String found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
Source: instructions_read_me.txt57.3.dr String found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
Source: instructions_read_me.txt71.3.dr String found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
Source: instructions_read_me.txt6.3.dr String found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
Source: instructions_read_me.txt69.3.dr String found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
Source: instructions_read_me.txt30.3.dr String found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
Source: instructions_read_me.txt54.3.dr String found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
Source: instructions_read_me.txt2.3.dr String found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
Source: instructions_read_me.txt18.3.dr String found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
Source: instructions_read_me.txt41.3.dr String found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
Source: ChakraCore.Debugger.dll.3.dr String found in binary or memory: http://crl.mi)
Source: C2RINTL.vi-vn.dll.3.dr, Interceptor.dll.3.dr, MSBARCODE.DLL.3.dr String found in binary or memory: http://crl.mic
Source: inventory.dll.3.dr String found in binary or memory: http://crl.mic&
Source: api-ms-win-crt-stdio-l1-1-0.dll.3.dr String found in binary or memory: http://crl.micro
Source: api-ms-win-core-xstate-l2-1-0.dll.3.dr String found in binary or memory: http://crl.micrpNi
Source: MAPISHELL.DLL.3.dr String found in binary or memory: http://crl.miy
Source: ProjectPro2019VL_MAK_AE-pl.xrm-ms.3.dr String found in binary or memory: http://www.microsoft.
Source: HkObDPju6Z.exe, 00000003.00000003.22622038049.0000000001070000.00000004.00000020.00020000.00000000.sdmp, C2RINTL.ru-ru.dll.3.dr, AccessR_Grace-ul-oob.xrm-ms.3.dr String found in binary or memory: http://www.microsoft.c
Source: ProjectProCO365R_Subscription-pl.xrm-ms.3.dr, Access2021VL_MAK_AE-pl.xrm-ms.3.dr, Publisher2021R_Retail2-pl.xrm-ms.3.dr String found in binary or memory: http://www.microsoft.co
Source: O365EduCloudEDUR_Subscription-pl.xrm-ms.3.dr String found in binary or memory: http://www.microsoft.cog
Source: StartMenu_Win8.mp4.3.dr, StartMenu_Win10_RTL.mp4.3.dr String found in binary or memory: http://www.videolan.org/x264.html
Source: ProjectPro2021VL_MAK_AE1-ul-oob.xrm-ms.3.dr String found in binary or memory: http://www.w3.
Source: Publisher2019R_Retail-ul-oob.xrm-ms.3.dr String found in binary or memory: http://www.w3.5(
Source: ProjectProCO365R_SubTest-ul-oob.xrm-ms.3.dr String found in binary or memory: http://www.w3.L
Source: Standard2021MSDNR_Retail-ul-oob.xrm-ms.3.dr String found in binary or memory: http://www.w3.i
Source: O365HomePremR_SubTrial4-ul-oob.xrm-ms.3.dr, Publisher2021R_Trial-ul-oob.xrm-ms.3.dr, Standard2021R_Retail-ul-oob.xrm-ms.3.dr, Access2021R_Retail-pl.xrm-ms.3.dr, ProPlusVL_KMS_Client-ul.xrm-ms.3.dr, Standard2019VL_MAK_AE-ul-phn.xrm-ms.3.dr String found in binary or memory: http://www.w3.o
Source: O365HomePremR_SubTrial5-ul-oob.xrm-ms.3.dr String found in binary or memory: http://www.w3.od9(
Source: O365HomePremR_SubTrial4-ul-oob.xrm-ms.3.dr, Access2021VL_MAK_AE-ul-oob.xrm-ms.3.dr, Standard2021R_Trial-ul-oob.xrm-ms.3.dr, Access2019VL_MAK_AE-ul-oob.xrm-ms.3.dr, ProfessionalR_Trial-ul-oob.xrm-ms.3.dr String found in binary or memory: http://www.w3.or
Source: VisioPro2019R_Grace-ul-oob.xrm-ms.3.dr String found in binary or memory: http://www.w3.orQZ
Source: Standard2019R_Grace-ul-oob.xrm-ms.3.dr String found in binary or memory: http://www.w3.orRR
Source: Standard2021R_Grace-ul-oob.xrm-ms.3.dr String found in binary or memory: http://www.w3.oro
Source: O365HomePremR_SubTrial5-ul-oob.xrm-ms.3.dr String found in binary or memory: http://www.w3.orqq5
Source: HkObDPju6Z.exe, HkObDPju6Z.exe, 0000000A.00000003.22756871962.00000000028F0000.00000004.00001000.00020000.00000000.sdmp, HkObDPju6Z.exe, 0000000A.00000002.22779639838.0000000000D20000.00000004.00001000.00020000.00000000.sdmp, HkObDPju6Z.exe, 0000000A.00000002.22781985168.0000000002A40000.00000040.00001000.00020000.00000000.sdmp, HkObDPju6Z.exe, 0000000E.00000002.22855902907.0000000002900000.00000004.00001000.00020000.00000000.sdmp, HkObDPju6Z.exe, 0000000E.00000003.22839485707.0000000002980000.00000004.00001000.00020000.00000000.sdmp, HkObDPju6Z.exe, 0000000E.00000002.22856927512.0000000002A90000.00000040.00001000.00020000.00000000.sdmp, notepad.exe, 0000001E.00000002.27586886931.0000000003343000.00000004.00000020.00020000.00000000.sdmp, instructions_read_me.txt46.3.dr, instructions_read_me.txt51.3.dr, instructions_read_me.txt79.3.dr, instructions_read_me.txt78.3.dr, instructions_read_me.txt39.3.dr, instructions_read_me.txt13.3.dr, instructions_read_me.txt21.3.dr, instructions_read_me.txt38.3.dr, instructions_read_me.txt40.3.dr, instructions_read_me.txt15.3.dr, instructions_read_me.txt57.3.dr, instructions_read_me.txt71.3.dr, instructions_read_me.txt6.3.dr String found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
Source: inventory.dll.3.dr String found in binary or memory: https://clients.config.office.net/collec
Source: inventory.dll.3.dr String found in binary or memory: https://docs.live-tst.net/skydocsservice.svc
Source: ProjectProCO365R_SubTest-ul-oob.xrm-ms.3.dr String found in binary or memory: https://go.mJ
Source: ProjectPro2021VL_MAK_AE1-ul-oob.xrm-ms.3.dr String found in binary or memory: https://go.mi
Source: O365HomePremR_SubTrial4-ul-oob.xrm-ms.3.dr String found in binary or memory: https://go.mic
Source: O365HomePremR_SubTrial5-ul-oob.xrm-ms.3.dr String found in binary or memory: https://go.micd1t
Source: Standard2021MSDNR_Retail-ul-oob.xrm-ms.3.dr String found in binary or memory: https://go.microso
Source: Publisher2021R_Trial-ul-oob.xrm-ms.3.dr String found in binary or memory: https://go.microsoft.c
Source: inventory.dll.3.dr String found in binary or memory: https://graph.microsoft.us
Source: inventory.dll.3.dr String found in binary or memory: https://graph.microsoft.uslogin.microsoftonline.ushttps://microsoftgraph.chinacloudapi.cnlogin.us3
Source: ProjectPro2021VL_KMS_Client_AE-ul-oob.xrm-ms.3.dr String found in binary or memory: https://licensing.mic
Source: SkypeforBusiness2019R_Trial-ppd.xrm-ms.3.dr String found in binary or memory: https://licensing.micro.
Source: Standard2019VL_KMS_Client_AE-ul-oob.xrm-ms.3.dr, O365ProPlusEDUR_Subscription-ul-oob.xrm-ms.3.dr String found in binary or memory: https://licensing.microso
Source: O365HomePremR_Subscription5-ul-oob.xrm-ms.3.dr String found in binary or memory: https://licensing.microsoft
Source: Access2019VL_KMS_Client_AE-ul-oob.xrm-ms.3.dr, ProjectPro2019DemoR_BypassTrial180-ppd.xrm-ms.3.dr String found in binary or memory: https://licensing.microsoft.c
Source: inventory.dll.3.dr String found in binary or memory: https://login.live.com/oauth20_authorize.srf
Source: inventory.dll.3.dr String found in binary or memory: https://login.live.com/oauth20_desktop.srf
Source: inventory.dll.3.dr String found in binary or memory: https://login.live.com/oauth20_token.srfhttps://8
Source: inventory.dll.3.dr String found in binary or memory: https://login.live.com00000000480728C5T
Source: inventory.dll.3.dr String found in binary or memory: https://login.mi7
Source: inventory.dll.3.dr String found in binary or memory: https://login.microsoftonline.com/common
Source: inventory.dll.3.dr String found in binary or memory: https://login.microsoftonline.com/commonSetAuthorityAttempted
Source: inventory.dll.3.dr String found in binary or memory: https://login.microsoftonline.de/common
Source: inventory.dll.3.dr String found in binary or memory: https://login.microsoftonline.de/commonmicrosoftonline.demicrosoftonline.mil3
Source: inventory.dll.3.dr String found in binary or memory: https://login.windows.localPath
Source: inventory.dll.3.dr String found in binary or memory: https://microsoftgraph.chinacloudapi.cn
Source: inventory.dll.3.dr String found in binary or memory: https://odc.officeapps.l=
Source: inventory.dll.3.dr String found in binary or memory: https://odc.officeapps.live.com/odc/emailhrd/getidp
Source: inventory.dll.3.dr String found in binary or memory: https://odc.officeapps.live.com/odc/emailhrd/getidp?domain=X-CorrelationIdX-Office-PlatformX-Officey
Source: inventory.dll.3.dr String found in binary or memory: https://profile.live.com/home
Source: inventory.dll.3.dr String found in binary or memory: https://substrate.office.com/profile/v1.0/me/profile
Source: inventory.dll.3.dr String found in binary or memory: https://substrate.office.com/profile/v1.0/me/profileaccountspassportMemberNamephonesphoneNumbername
Source: HkObDPju6Z.exe String found in binary or memory: https://www.flos-freeware.ch
Source: HkObDPju6Z.exe String found in binary or memory: https://www.flos-freeware.chopenmailto:florian.balmer
Source: HkObDPju6Z.exe String found in binary or memory: https://www.rizonesoft.com
Source: HkObDPju6Z.exe, HkObDPju6Z.exe, 0000000A.00000003.22756871962.00000000028F0000.00000004.00001000.00020000.00000000.sdmp, HkObDPju6Z.exe, 0000000A.00000002.22781985168.0000000002A40000.00000040.00001000.00020000.00000000.sdmp, HkObDPju6Z.exe, 0000000E.00000003.22839485707.0000000002980000.00000004.00001000.00020000.00000000.sdmp, HkObDPju6Z.exe, 0000000E.00000002.22856927512.0000000002A90000.00000040.00001000.00020000.00000000.sdmp, notepad.exe, 0000001E.00000002.27586886931.0000000003343000.00000004.00000020.00020000.00000000.sdmp, instructions_read_me.txt46.3.dr, instructions_read_me.txt51.3.dr, instructions_read_me.txt79.3.dr, instructions_read_me.txt78.3.dr, instructions_read_me.txt39.3.dr, instructions_read_me.txt13.3.dr, instructions_read_me.txt21.3.dr, instructions_read_me.txt38.3.dr, instructions_read_me.txt40.3.dr, instructions_read_me.txt15.3.dr, instructions_read_me.txt57.3.dr, instructions_read_me.txt71.3.dr, instructions_read_me.txt6.3.dr, instructions_read_me.txt69.3.dr, instructions_read_me.txt30.3.dr String found in binary or memory: https://www.torproject.org/
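Of the URLs above, only the .onion negotiation address and torproject.org are complete and attributable to the ransomware. The truncated entries (`http://crl.mic`, `http://www.w3.orQZ`, `https://go.micd1t` and the rest) were read back from DLLs and .xrm-ms license files the sample wrote to (the `.3.dr` suffix) and are plaintext remnants, not network destinations. flos-freeware.ch and rizonesoft.com belong to the MiniPath file browser (the Notepad2/Notepad3 companion) whose `minipath.pdb` path appears in the static section, code the sample embeds rather than infrastructure. Added example, not from this report: extract the onion address and Login ID from the note body and validate the onion label the way a Tor client does, so a truncated or mistranscribed address is rejected before it is filed as an IOC. The note text is a hand-reconstructed copy of the dropped file shown in the Ransom Demands section; the v3 checksum construction is Tor's (SHA3-256 over `.onion checksum` || pubkey || version, first two bytes kept).

```python
import base64
import hashlib
import re

# Hand-reconstructed copy of the note this report shows dropped as instructions_read_me.txt
# (sentence spacing restored; the address and Login ID are the report's own).
RANSOM_NOTE = (
    "ATTENTION! Your network has been breached and all data was encrypted. "
    "Please contact us at: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/ "
    "Login ID: 26d371a9-efda-4e82-9989-01e292244d65 "
    "*!* To access .onion websites download and install Tor Browser at: "
    "https://www.torproject.org/ (Tor Browser is not related to us)"
)

ONION_RE = re.compile(r"https?://([a-z2-7]{56})\.onion\b", re.IGNORECASE)
# RFC 4122 layout; groups 2 and 3 capture the version and variant nibbles.
UUID_RE = re.compile(
    r"\b([0-9a-f]{8}-[0-9a-f]{4}-([0-9a-f])[0-9a-f]{3}-([0-9a-f])[0-9a-f]{3}-[0-9a-f]{12})\b",
    re.IGNORECASE,
)


def check_onion_v3(label: str) -> dict:
    """Validate a v3 onion label the way a Tor client does before connecting.

    label = base32(pubkey[32] || checksum[2] || version[1]), with
    checksum = SHA3-256(".onion checksum" || pubkey || version)[:2] and version 3.
    A truncated label fails the length test; one wrong character fails the checksum.
    """
    label = label.lower()
    result = {"label": label, "length_ok": False, "version": None, "checksum_ok": False}
    if not re.fullmatch(r"[a-z2-7]{56}", label):
        return result
    result["length_ok"] = True
    raw = base64.b32decode(label.upper())  # 56 base32 characters decode to exactly 35 bytes
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34]
    result["version"] = version
    expected = hashlib.sha3_256(b".onion checksum" + pubkey + bytes([version])).digest()[:2]
    result["checksum_ok"] = version == 3 and checksum == expected
    return result


def extract_iocs(note: str) -> dict:
    """Negotiation address(es) and victim ID(s) from a note body, each with its validity."""
    onions = [check_onion_v3(label) for label in ONION_RE.findall(note)]
    login_ids = [
        {
            "id": full.lower(),
            # version nibble 4 with variant 8-b is a random UUID: a per-victim token that is
            # useful for clustering notes and is not derived from anything on the host
            "random_v4": ver == "4" and var.lower() in "89ab",
        }
        for full, ver, var in UUID_RE.findall(note)
    ]
    return {"onions": onions, "login_ids": login_ids}
```

`extract_iocs(RANSOM_NOTE)` returns one onion entry and one Login ID; an intact v3 label reports version 3 and `checksum_ok` True, while a fragment such as `http://crl.mic` fails the length test and the same label with a single altered character fails the checksum. Only entries that pass both are worth adding to a blocklist or a tracker.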

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 10_2_007EBE50 GetFileAttributesW,GetFileAttributesW,MessageBeep,DialogBoxIndirectParamW,LocalFree,ShellExecuteExW,GetShortPathNameW,StrCatBuffW,StrCatBuffW,StrCatBuffW,StrCatBuffW,lstrlenW,GlobalAlloc,GlobalLock,lstrcpyW,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,SendMessageW,SendMessageW,SendMessageW,StrRetToBufW,PathRemoveBackslashW,PathIsSameRootW,SetFocus,SendMessageW,SendMessageW,SendMessageW,SendMessageW,PostMessageW,GetFocus,GetDlgCtrlID,GetDlgItem,SetFocus,GetDlgItem,SetFocus,PathFileExistsW,lstrcpyW,StrRChrW,PathIsRootW,SetCurrentDirectoryW,SendMessageW,SendMessageW,lstrcpynW,MessageBeep,lstrcpynW,PathIsRootW,PathIsRootW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW, 10_2_007EBE50
Source: inventory.dll.3.dr Binary or memory string: RegisterRawInputDevices

Spam, unwanted Advertisements and Ransom Demands

Source: Yara match File source: 10.3.HkObDPju6Z.exe.28f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.3.HkObDPju6Z.exe.2980000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.HkObDPju6Z.exe.2a90000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.HkObDPju6Z.exe.2a40000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.HkObDPju6Z.exe.2f20000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.HkObDPju6Z.exe.2a90000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.HkObDPju6Z.exe.2a40000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.3.HkObDPju6Z.exe.2980000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.3.HkObDPju6Z.exe.28f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.HkObDPju6Z.exe.2f20000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000003.22756871962.00000000028F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.27586886931.0000000003343000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.22575159083.0000000002F20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.22839485707.0000000002980000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.22856927512.0000000002A90000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.22781985168.0000000002A40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: HkObDPju6Z.exe PID: 332, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: HkObDPju6Z.exe PID: 1508, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: HkObDPju6Z.exe PID: 5560, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: notepad.exe PID: 1352, type: MEMORYSTR
Source: C:\instructions_read_me.txt Dropped file: ATTENTION!Your network has been breached and all data was encrypted. Please contact us at:https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/ Login ID: 26d371a9-efda-4e82-9989-01e292244d65*!* To access .onion websites download and install Tor Browser at: https://www.torproject.org/ (Tor Browser is not related to us)*!* To restore all your PCs and get your network working again, follow these instructions:- Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. It doesn't matter, who are trying to do this, either it will be your IT guys or a recovery agency.Please follow these simple rules to avoid data corruption:- Do not modify, rename or delete files. Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. - Do not hire a recovery company. They can't decrypt without the key. They also don't care about your business. They believe that they are good negotiators, but it is not. They usually fail. So speak for yourself.Waiting you in a chat. Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\vssadmin.exe C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\vssadmin.exe C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: C:\Users\user\Desktop\HkObDPju6Z.exe File dropped: C:\instructions_read_me.txt -> decrypt or rename the files will lead to its fatal corruption. it doesn't matter, who are trying to do this, either it will be your it guys or a recovery agency.please follow these simple rules to avoid data corruption:- do not modify, rename or delete files. any attempts to modify, decrypt or rename the files will lead to its fatal corruption. - do not hire a recovery company. they can't decrypt without the key. they also don't care about your business. they believe that they are good negotiators, but it is not. they usually fail. so speak for yourself.waiting you in a chat.
Source: C:\Users\user\Desktop\HkObDPju6Z.exe File dropped: C:\$WinREAgent\instructions_read_me.txt -> decrypt or rename the files will lead to its fatal corruption. it doesn't matter, who are trying to do this, either it will be your it guys or a recovery agency.please follow these simple rules to avoid data corruption:- do not modify, rename or delete files. any attempts to modify, decrypt or rename the files will lead to its fatal corruption. - do not hire a recovery company. they can't decrypt without the key. they also don't care about your business. they believe that they are good negotiators, but it is not. they usually fail. so speak for yourself.waiting you in a chat.
Source: C:\Users\user\Desktop\HkObDPju6Z.exe File dropped: C:\Intel\instructions_read_me.txt -> decrypt or rename the files will lead to its fatal corruption. it doesn't matter, who are trying to do this, either it will be your it guys or a recovery agency.please follow these simple rules to avoid data corruption:- do not modify, rename or delete files. any attempts to modify, decrypt or rename the files will lead to its fatal corruption. - do not hire a recovery company. they can't decrypt without the key. they also don't care about your business. they believe that they are good negotiators, but it is not. they usually fail. so speak for yourself.waiting you in a chat.
Source: C:\Users\user\Desktop\HkObDPju6Z.exe File dropped: C:\PerfLogs\instructions_read_me.txt -> decrypt or rename the files will lead to its fatal corruption. it doesn't matter, who are trying to do this, either it will be your it guys or a recovery agency.please follow these simple rules to avoid data corruption:- do not modify, rename or delete files. any attempts to modify, decrypt or rename the files will lead to its fatal corruption. - do not hire a recovery company. they can't decrypt without the key. they also don't care about your business. they believe that they are good negotiators, but it is not. they usually fail. so speak for yourself.waiting you in a chat.
Source: C:\Users\user\Desktop\HkObDPju6Z.exe File dropped: C:\Program Files\instructions_read_me.txt -> decrypt or rename the files will lead to its fatal corruption. it doesn't matter, who are trying to do this, either it will be your it guys or a recovery agency.please follow these simple rules to avoid data corruption:- do not modify, rename or delete files. any attempts to modify, decrypt or rename the files will lead to its fatal corruption. - do not hire a recovery company. they can't decrypt without the key. they also don't care about your business. they believe that they are good negotiators, but it is not. they usually fail. so speak for yourself.waiting you in a chat.
Source: C:\Users\user\Desktop\HkObDPju6Z.exe File dropped: C:\Program Files (x86)\instructions_read_me.txt -> decrypt or rename the files will lead to its fatal corruption. it doesn't matter, who are trying to do this, either it will be your it guys or a recovery agency.please follow these simple rules to avoid data corruption:- do not modify, rename or delete files. any attempts to modify, decrypt or rename the files will lead to its fatal corruption. - do not hire a recovery company. they can't decrypt without the key. they also don't care about your business. they believe that they are good negotiators, but it is not. they usually fail. so speak for yourself.waiting you in a chat.
Source: C:\Users\user\Desktop\HkObDPju6Z.exe File dropped: C:\ProgramData\instructions_read_me.txt -> decrypt or rename the files will lead to its fatal corruption. it doesn't matter, who are trying to do this, either it will be your it guys or a recovery agency.please follow these simple rules to avoid data corruption:- do not modify, rename or delete files. any attempts to modify, decrypt or rename the files will lead to its fatal corruption. - do not hire a recovery company. they can't decrypt without the key. they also don't care about your business. they believe that they are good negotiators, but it is not. they usually fail. so speak for yourself.waiting you in a chat.
Source: C:\Users\user\Desktop\HkObDPju6Z.exe File dropped: C:\Users\instructions_read_me.txt -> decrypt or rename the files will lead to its fatal corruption. it doesn't matter, who are trying to do this, either it will be your it guys or a recovery agency.please follow these simple rules to avoid data corruption:- do not modify, rename or delete files. any attempts to modify, decrypt or rename the files will lead to its fatal corruption. - do not hire a recovery company. they can't decrypt without the key. they also don't care about your business. they believe that they are good negotiators, but it is not. they usually fail. so speak for yourself.waiting you in a chat.
Source: C:\Users\user\Desktop\HkObDPju6Z.exe File dropped: C:\$WinREAgent\Scratch\instructions_read_me.txt -> decrypt or rename the files will lead to its fatal corruption. it doesn't matter, who are trying to do this, either it will be your it guys or a recovery agency.please follow these simple rules to avoid data corruption:- do not modify, rename or delete files. any attempts to modify, decrypt or rename the files will lead to its fatal corruption. - do not hire a recovery company. they can't decrypt without the key. they also don't care about your business. they believe that they are good negotiators, but it is not. they usually fail. so speak for yourself.waiting you in a chat.
Source: C:\Users\user\Desktop\HkObDPju6Z.exe File dropped: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\instructions_read_me.txt -> decrypt or rename the files will lead to its fatal corruption. it doesn't matter, who are trying to do this, either it will be your it guys or a recovery agency.please follow these simple rules to avoid data corruption:- do not modify, rename or delete files. any attempts to modify, decrypt or rename the files will lead to its fatal corruption. - do not hire a recovery company. they can't decrypt without the key. they also don't care about your business. they believe that they are good negotiators, but it is not. they usually fail. so speak for yourself.waiting you in a chat.
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\vssadmin.exe C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: HkObDPju6Z.exe, 00000003.00000003.22575159083.0000000002F20000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: HkObDPju6Z.exe, 00000003.00000003.22575159083.0000000002F20000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: @xh.7878kr5jxC:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet4
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\vssadmin.exe C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: cmd.exe, 00000005.00000003.22578239684.0000000002BFF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ndows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: cmd.exe, 00000005.00000002.22583742097.0000000002B90000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Users\user\Desktop\C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quietC:\Windows\system32\cmd.exeWinsta0\Default@
Source: cmd.exe, 00000005.00000002.22583742097.0000000002B90000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Users\user\Desktop\C:\Windows\system32\vssadmin.exexeC:\Windows\SysNative\vssadmin.exe delete shadows /all /quietnsC:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet=CWinsta0\DefaultpDa=::=::\ALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\A\Registry\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\SideBySideiersC:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=computerComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\computerNUMBER_OF_PROCESSORS=16OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 158 Stepping 13, GenuineIn\Regi\Registry\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\SideBySide:\Program Fi5
Source: cmd.exe, 00000005.00000002.22584071859.0000000003060000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Windows\system32\cmd.exe/cC:\Windows\SysNative\vssadmin.exedeleteshadows/all/quietUSER
Source: cmd.exe, 00000005.00000002.22584071859.0000000003060000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: indows\system32\cmd.exe c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: cmd.exe, 00000005.00000002.22583794298.0000000002BF0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Users\user\Desktop\C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quietC:\Windows\system32\cmd.exeWinsta0\Default@
Source: cmd.exe, 00000005.00000002.22583794298.0000000002BF0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: cmd.exe, 00000005.00000002.22583794298.0000000002BF0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quietxJ
Source: cmd.exe, 00000005.00000002.22583794298.0000000002BF0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: cmd.exe, 00000005.00000002.22583794298.0000000002BF0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet=J
Source: vssadmin.exe, 00000007.00000002.22582396603.000002558A8A0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Users\user\Desktop\C:\Windows\system32\vssadmin.exeC:\Windows\SysNative\vssadmin.exe delete shadows /all /quietC:\Windows\SysNative\vssadmin.exe delete shadows /all /quietWinsta0\DefaultZ
Source: vssadmin.exe, 00000007.00000002.22582396603.000002558A8A0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: vssadmin.exe, 00000007.00000002.22582924443.000002558AB45000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Windows\SysNative\vssadmin.exedeleteshadows/all/quietl[T
Source: HkObDPju6Z.exe Binary or memory string: C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: HkObDPju6Z.exe, 0000000A.00000003.22756871962.00000000028F0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: HkObDPju6Z.exe, 0000000A.00000003.22756871962.00000000028F0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: @xh.7878kr5jxC:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet4
Source: HkObDPju6Z.exe, 0000000A.00000002.22778769878.0000000000A88000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ws\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: HkObDPju6Z.exe, 0000000A.00000002.22778769878.0000000000A88000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ws\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quietqIZ
Source: HkObDPju6Z.exe, 0000000A.00000002.22778769878.0000000000A88000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: indows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quietVHR
Source: HkObDPju6Z.exe, 0000000A.00000002.22772911645.00000000005E0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Users\user\Desktop\C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quietC:\Windows\system32\cmd.exeWinsta0\Default@
Source: HkObDPju6Z.exe, 0000000A.00000002.22781985168.0000000002A40000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: HkObDPju6Z.exe, 0000000A.00000002.22781985168.0000000002A40000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: xh.7878kr5jxC:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet4
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\vssadmin.exe C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: cmd.exe, 0000000B.00000002.22769798953.0000000002E50000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Users\user\Desktop\C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quietC:\Windows\system32\cmd.exeWinsta0\Default@
Source: cmd.exe, 0000000B.00000002.22769798953.0000000002E50000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: cmd.exe, 0000000B.00000002.22769798953.0000000002E50000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: cmd.exe, 0000000B.00000002.22771243764.00000000034B0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Windows\system32\cmd.exe/cC:\Windows\SysNative\vssadmin.exedeleteshadows/all/quietUSERA
Source: cmd.exe, 0000000B.00000002.22771243764.00000000034B0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: indows\system32\cmd.exe c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: cmd.exe, 0000000B.00000002.22770295956.0000000002F60000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Users\user\Desktop\C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quietC:\Windows\system32\cmd.exeWinsta0\Default@
Source: cmd.exe, 0000000B.00000002.22770295956.0000000002F60000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Users\user\Desktop\C:\Windows\system32\vssadmin.exexeC:\Windows\SysNative\vssadmin.exe delete shadows /all /quietnsC:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet=CWinsta0\DefaultpDa=::=::\ALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\A\Registry\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\SideBySideiersC:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=computerComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\computerNUMBER_OF_PROCESSORS=16OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 158 Stepping 13, GenuineIn\Regi\Registry\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\SideBySide:\Program Fi5
Source: vssadmin.exe, 0000000D.00000002.22767624761.0000021C52477000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: - Code: ADMPROCC00001737- Call: ADMPROCC00001712- PID: 00004644- TID: 00003096- CMD: C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet - User: Name: computer\user, SID:S-1-5-21-3425316567-2969588382-3778222414-1001
Source: vssadmin.exe, 0000000D.00000002.22768372963.0000021C52695000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Windows\SysNative\vssadmin.exedeleteshadows/all/quiet
Source: vssadmin.exe, 0000000D.00000002.22767624761.0000021C52470000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Users\user\Desktop\C:\Windows\system32\vssadmin.exeC:\Windows\SysNative\vssadmin.exe delete shadows /all /quietC:\Windows\SysNative\vssadmin.exe delete shadows /all /quietWinsta0\Default\
Source: vssadmin.exe, 0000000D.00000002.22767624761.0000021C52470000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: HkObDPju6Z.exe, 0000000E.00000002.22855289387.0000000000AA8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ws\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: HkObDPju6Z.exe, 0000000E.00000002.22855289387.0000000000AA8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: indows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet8D[
Source: HkObDPju6Z.exe, 0000000E.00000003.22839485707.0000000002980000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: HkObDPju6Z.exe, 0000000E.00000003.22839485707.0000000002980000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: @xh.7878kr5jxC:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet4
Source: HkObDPju6Z.exe, 0000000E.00000002.22852179285.0000000000740000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Users\user\Desktop\C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quietC:\Windows\system32\cmd.exeWinsta0\Default@
Source: HkObDPju6Z.exe, 0000000E.00000002.22856927512.0000000002A90000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: HkObDPju6Z.exe, 0000000E.00000002.22856927512.0000000002A90000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: xh.7878kr5jxC:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet4
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\vssadmin.exe C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: cmd.exe, 0000000F.00000002.22850487846.0000000002D10000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Users\user\Desktop\C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quietC:\Windows\system32\cmd.exeWinsta0\Default@
Source: cmd.exe, 0000000F.00000002.22850487846.0000000002D10000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Users\user\Desktop\C:\Windows\system32\vssadmin.exexeC:\Windows\SysNative\vssadmin.exe delete shadows /all /quietnsC:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet=CWinsta0\DefaultpDa=::=::\ALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\A\Registry\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\SideBySideiersC:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=computerComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\computerNUMBER_OF_PROCESSORS=16OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 158 Stepping 13, GenuineIn\Regi\Registry\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\SideBySide:\Program Fi5
Source: cmd.exe, 0000000F.00000002.22850628903.0000000002DA0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Users\user\Desktop\C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quietC:\Windows\system32\cmd.exeWinsta0\Default@
Source: cmd.exe, 0000000F.00000002.22850628903.0000000002DA0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: cmd.exe, 0000000F.00000002.22850628903.0000000002DA0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: cmd.exe, 0000000F.00000002.22850628903.0000000002DA0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Windows\SysNative\vssadmin.exe delete shadows /all /quietV3
Source: cmd.exe, 0000000F.00000002.22851185178.0000000003270000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Windows\system32\cmd.exe/cC:\Windows\SysNative\vssadmin.exedeleteshadows/all/quietUSER
Source: cmd.exe, 0000000F.00000002.22851185178.0000000003270000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: indows\system32\cmd.exe c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: vssadmin.exe, 00000011.00000002.22848700588.000001451D255000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Windows\SysNative\vssadmin.exedeleteshadows/all/quiet
Source: vssadmin.exe, 00000011.00000002.22847867711.000001451D085000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: - Code: ADMPROCC00001737- Call: ADMPROCC00001712- PID: 00008264- TID: 00006180- CMD: C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet - User: Name: computer\user, SID:S-1-5-21-3425316567-2969588382-3778222414-1001
Source: vssadmin.exe, 00000011.00000002.22847867711.000001451D085000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: - Code: ADMPROCC00001737- Call: ADMPROCC00001712- PID: 00008264- TID: 00006180- CMD: C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet - User: Name: computer\user, SID:S-1-5-21-3425316567-2969588382-3778222414-1001 1
Source: vssadmin.exe, 00000011.00000002.22847867711.000001451D050000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Users\user\Desktop\C:\Windows\system32\vssadmin.exeC:\Windows\SysNative\vssadmin.exe delete shadows /all /quietC:\Windows\SysNative\vssadmin.exe delete shadows /all /quietWinsta0\Default2
Source: vssadmin.exe, 00000011.00000002.22847867711.000001451D050000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: vssadmin.exe, 00000011.00000002.22847867711.000001451D050000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Windows\SysNative\vssadmin.exe delete shadows /all /quietv
Source: HkObDPju6Z.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 10_2_007D4B90 10_2_007D4B90
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 10_2_0081A184 10_2_0081A184
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 10_2_00804150 10_2_00804150
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 10_2_008182A6 10_2_008182A6
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 10_2_00804590 10_2_00804590
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 10_2_0081A5A5 10_2_0081A5A5
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 10_2_008485C0 10_2_008485C0
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 10_2_008185EE 10_2_008185EE
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 10_2_007EA800 10_2_007EA800
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 10_2_0081A9D5 10_2_0081A9D5
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 10_2_00818945 10_2_00818945
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 10_2_00818C8D 10_2_00818C8D
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 10_2_00830EC2 10_2_00830EC2
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 10_2_007E8FD0 10_2_007E8FD0
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 10_2_0081901B 10_2_0081901B
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 10_2_0080107A 10_2_0080107A
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 10_2_008193B8 10_2_008193B8
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 10_2_00819746 10_2_00819746
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 10_2_007F9931 10_2_007F9931
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 10_2_00819AAB 10_2_00819AAB
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 10_2_0083BAE1 10_2_0083BAE1
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 10_2_00803BD0 10_2_00803BD0
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 10_2_00801B51 10_2_00801B51
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 10_2_0083FDBC 10_2_0083FDBC
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 10_2_007F7DE3 10_2_007F7DE3
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 10_2_00819E1F 10_2_00819E1F
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 10_2_02A4CB30 10_2_02A4CB30
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 10_2_02A435D0 10_2_02A435D0
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 10_2_02AC020C 10_2_02AC020C
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 10_2_02AD6219 10_2_02AD6219
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 10_2_02A88030 10_2_02A88030
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 10_2_02A4E181 10_2_02A4E181
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 10_2_02A6A190 10_2_02A6A190
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 10_2_02A9A110 10_2_02A9A110
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 10_2_02AD06BC 10_2_02AD06BC
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 10_2_02A826E0 10_2_02A826E0
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 10_2_02A9A610 10_2_02A9A610
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 10_2_02A4C4FE 10_2_02A4C4FE
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 10_2_02A90450 10_2_02A90450
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 10_2_02AC059A 10_2_02AC059A
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: String function: 007F3DA0 appears 64 times
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: String function: 00835B17 appears 36 times
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: String function: 00833118 appears 54 times
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Process Stats: CPU usage > 98%
Source: HkObDPju6Z.exe, 00000003.00000000.22535515296.00000000008EE000.00000002.00000001.01000000.00000004.sdmp Binary or memory string: OriginalFilenameminipath.exeD vs HkObDPju6Z.exe
Source: HkObDPju6Z.exe, 0000000A.00000000.22714777048.00000000008EE000.00000002.00000001.01000000.00000004.sdmp Binary or memory string: OriginalFilenameminipath.exeD vs HkObDPju6Z.exe
Source: HkObDPju6Z.exe, 0000000E.00000002.22854546352.00000000008EE000.00000002.00000001.01000000.00000004.sdmp Binary or memory string: OriginalFilenameminipath.exeD vs HkObDPju6Z.exe
Source: HkObDPju6Z.exe Binary or memory string: OriginalFilenameminipath.exeD vs HkObDPju6Z.exe
Source: C:\Windows\System32\vssadmin.exe Section loaded: edgegdi.dll
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Section loaded: edgegdi.dll
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Section loaded: fdgmnfmfhdfgsndhfd.dll
Source: C:\Windows\System32\vssadmin.exe Section loaded: edgegdi.dll
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Section loaded: edgegdi.dll
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Section loaded: fdgmnfmfhdfgsndhfd.dll
Source: C:\Windows\System32\vssadmin.exe Section loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\notepad.exe Section loaded: edgegdi.dll
Source: HkObDPju6Z.exe ReversingLabs: Detection: 59%
Source: HkObDPju6Z.exe Virustotal: Detection: 69%
Source: C:\Windows\System32\vssadmin.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\HkObDPju6Z.exe C:\Users\user\Desktop\HkObDPju6Z.exe
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\vssadmin.exe C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: unknown Process created: C:\Users\user\Desktop\HkObDPju6Z.exe "C:\Users\user\Desktop\HkObDPju6Z.exe"
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\vssadmin.exe C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: unknown Process created: C:\Users\user\Desktop\HkObDPju6Z.exe "C:\Users\user\Desktop\HkObDPju6Z.exe"
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\vssadmin.exe C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c start /MAX notepad.exe c:\instructions_read_me.txt
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\notepad.exe notepad.exe c:\instructions_read_me.txt
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\vssadmin.exe C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\vssadmin.exe C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\vssadmin.exe C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\notepad.exe notepad.exe c:\instructions_read_me.txt Jump to behavior
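The process-creation lines above carry the two behaviours that matter for detection: a 32-bit sample spawning SysWOW64\cmd.exe, which reaches the 64-bit vssadmin.exe through the SysNative alias to run "delete shadows /all /quiet", and a second cmd.exe chain that opens the ransom note in notepad.exe. A bare match on "vssadmin delete shadows" is noisy because backup and imaging tools issue the same command; what separates this chain is its lineage. The following is an added example, not part of the sandbox report or the sample: it models the report's process tree as constructed events (PIDs, the explorer.exe root and the benign control events are assumptions) and raises severity when the chain is rooted outside C:\Windows, when the parent is a WOW64 cmd.exe, or when the SysNative alias is used.

```python
"""Process-lineage check for the shadow-copy deletion and ransom-note launch
chains in the report above.

Added example, not part of the sandbox report or the sample. The events are
constructed from the report's 'Process created' lines; PIDs, the explorer.exe
root and the benign control events are assumptions for illustration.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    parent_image: str
    image: str
    cmdline: str


SAMPLE = r"C:\Users\user\Desktop\HkObDPju6Z.exe"
WOW_CMD = r"C:\Windows\SysWOW64\cmd.exe"

# Constructed process tree (PIDs invented); command lines as in the report.
EVENTS = [
    ProcEvent(1000, 1, r"C:\Windows\explorer.exe", SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(1001, 1000, SAMPLE, WOW_CMD,
              r"C:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet"),
    ProcEvent(1002, 1001, WOW_CMD, r"C:\Windows\System32\conhost.exe",
              r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    ProcEvent(1003, 1001, WOW_CMD, r"C:\Windows\System32\vssadmin.exe",
              r"C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet"),
    ProcEvent(1004, 1000, SAMPLE, WOW_CMD,
              r"cmd.exe /c start /MAX notepad.exe c:\instructions_read_me.txt"),
    ProcEvent(1005, 1004, WOW_CMD, r"C:\Windows\SysWOW64\notepad.exe",
              r"notepad.exe c:\instructions_read_me.txt"),
    # Benign control (assumed): an administrator listing shadows from a native prompt.
    ProcEvent(2000, 1, r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\System32\cmd.exe"'),
    ProcEvent(2001, 2000, r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\vssadmin.exe",
              r"vssadmin list shadows"),
]

# vssadmin delete shadows /all (with or without /quiet, any argument order)
SHADOW_DELETE = re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows\b.*/all", re.I)
# Note-like file name handed to notepad: keyword, then .txt/.htm/.html
NOTE_NAME = re.compile(r"(?:readme|read_me|instructions|recover|decrypt)[^\\\s]*\.(?:txt|html?)$", re.I)


def ancestors(ev, by_pid, depth=4):
    """Walk up to `depth` parents that are visible in the event set."""
    chain, cur = [], ev
    while cur.ppid in by_pid and len(chain) < depth:
        cur = by_pid[cur.ppid]
        chain.append(cur)
    return chain


def detect(events):
    """Return (pid, rule, severity, root_image) tuples for suspicious chains."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        image = ev.image.lower()
        chain = ancestors(ev, by_pid)
        root = chain[-1] if chain else ev
        # A chain rooted outside C:\Windows (here: the sample on the Desktop) is the
        # strongest signal; shadow deletion by backup software is rooted elsewhere too,
        # so severity, not a hard verdict, is what the lineage drives.
        outside_windows = not root.image.lower().startswith(r"c:\windows")
        if image.endswith(r"\vssadmin.exe") and SHADOW_DELETE.search(ev.cmdline):
            # Report's chain: 32-bit sample -> SysWOW64\cmd.exe -> SysNative alias -> 64-bit vssadmin.
            wow64_parent = ev.parent_image.lower().startswith(r"c:\windows\syswow64")
            via_sysnative = "sysnative" in ev.cmdline.lower()
            sev = "high" if (outside_windows or wow64_parent or via_sysnative) else "medium"
            findings.append((ev.pid, "shadow_copy_deletion", sev, root.image))
        if image.endswith(r"\notepad.exe"):
            m = re.search(r"(\S+\.(?:txt|html?))\s*$", ev.cmdline, re.I)
            if m and NOTE_NAME.search(m.group(1)) and outside_windows:
                findings.append((ev.pid, "ransom_note_display", "medium", root.image))
    return findings


if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(*finding)
```

Run against the constructed tree this flags PID 1003 (vssadmin) as high and PID 1005 (notepad with the note) as medium, both rooted at the sample, while the native-prompt "vssadmin list shadows" control produces nothing. The conhost.exe spawns with "0xffffffff -ForceV1" are normal console-host startup and are deliberately ignored.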
Source: C:\Windows\System32\vssadmin.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F2C2787D-95AB-40D4-942D-298F5F757874}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe File created: C:\Users\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe File created: C:\Users\user\AppData\Local\Temp\fkdjsadasd.ico Jump to behavior
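Beyond the note itself, the signature "Writes a notice file to demand a ransom" rests on a pattern rather than a single path: the same file name, instructions_read_me.txt, is created in C:\Users, in C:\Program Files and in every subdirectory the sample walks, within seconds, by one process. File-creation telemetry can catch that pattern without knowing the note's name in advance. The following is an added example, not part of the sandbox report: it builds constructed events from the report's note locations (timestamps, PIDs, the window and the threshold are assumptions) and reports any process that creates one file name in many distinct directories inside a sliding time window, with two benign controls that must stay quiet.

```python
"""Mass-drop detector: one file name created in many directories by one process.

Added example, not from the report or the sample. Events are constructed from the
report's instructions_read_me.txt locations; timestamps, PIDs, the 60 s window
and the 10-directory threshold are assumptions chosen for illustration.
"""
from collections import defaultdict
import ntpath

# Directories in which the report lists the note (a subset of the full list).
NOTE_DIRS = [
    r"C:\Users", r"C:\Program Files", r"C:\Program Files\Common Files",
    r"C:\Program Files\Google", r"C:\Program Files\Internet Explorer",
    r"C:\Program Files\Microsoft Office", r"C:\Program Files\Mozilla Firefox",
    r"C:\Program Files\MSBuild", r"C:\Program Files\PCHealthCheck",
    r"C:\Program Files\Windows Defender", r"C:\Program Files\WindowsPowerShell",
    r"C:\Program Files\PCHealthCheck\de", r"C:\Program Files\PCHealthCheck\fr",
]

# (timestamp_seconds, pid, full_path); constructed, one note roughly every 50 ms.
EVENTS = [(100.0 + i * 0.05, 3, ntpath.join(d, "instructions_read_me.txt"))
          for i, d in enumerate(NOTE_DIRS)]
EVENTS.append((100.3, 3, r"C:\Users\user\AppData\Local\Temp\fkdjsadasd.ico"))
# Benign control (assumed): an installer writing many different files into one directory.
EVENTS += [(200.0 + i, 77, rf"C:\Program Files\App\file{i}.dll") for i in range(20)]
# Benign control (assumed): Explorer touching desktop.ini in a few folders, minutes apart.
EVENTS += [(300.0 + i * 600, 88, rf"C:\Users\user\Folder{i}\desktop.ini") for i in range(4)]


def mass_drop(events, min_dirs=10, window=60.0):
    """Return {(pid, filename): max_distinct_dirs} for every (process, file name)
    that appears in at least `min_dirs` distinct directories within any
    `window`-second span. Names and directories are compared case-insensitively."""
    per_key = defaultdict(list)
    for ts, pid, path in sorted(events):
        directory, name = ntpath.split(path)
        per_key[(pid, name.lower())].append((ts, directory.lower()))
    hits = {}
    for key, items in per_key.items():
        start = 0
        for i, (ts, _) in enumerate(items):
            # Slide the window start forward until it covers only the last `window` seconds.
            while items[start][0] < ts - window:
                start += 1
            distinct = {d for _, d in items[start:i + 1]}
            if len(distinct) >= min_dirs:
                hits[key] = max(hits.get(key, 0), len(distinct))
    return hits


if __name__ == "__main__":
    for (pid, name), n in mass_drop(EVENTS).items():
        print(f"pid {pid}: {name} dropped in {n} directories")
```

The installer control never trips because each of its files has a different name, and the desktop.ini control never trips because its four writes are spread over thirty minutes; widen the window to an hour and it becomes visible at a low threshold, which is the trade-off the window parameter controls. The sliding window is O(n) per key only because events are pre-sorted by time; on a real EDR stream keep them sorted on ingest.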
Source: classification engine Classification label: mal88.rans.spyw.evad.winEXE@21/1025@0/0
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 10_2_007E6080 CoCreateInstance,lstrcpyW,ExpandEnvironmentStringsW,lstrcpynW, 10_2_007E6080
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 10_2_007E2F30 GetLastError,FormatMessageW,lstrlenW,lstrlenW,lstrlenW,LocalAlloc,LocalFree,GetFocus,MessageBoxExW,LocalFree,LocalFree, 10_2_007E2F30
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2452:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7328:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7328:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4152:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2280:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2280:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4152:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2452:304:WilStaging_02
Source: C:\Windows\SysWOW64\notepad.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1352:168:WilStaging_02
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 10_2_007F132D LoadResource, 10_2_007F132D
Source: C:\Users\user\Desktop\HkObDPju6Z.exe File created: C:\Program Files\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Command line argument: *.* 10_2_007E8650
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Command line argument: TaskbarCreated 10_2_007E8650
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Command line argument: *.* 10_2_007E8650
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Command line argument: TaskbarCreated 10_2_007E8650
Source: Window Recorder Window detected: More than 3 window changes detected
Source: HkObDPju6Z.exe Static file information: File size 1489920 > 1048576
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Google\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Internet Explorer\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Microsoft Office\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Microsoft Office 15\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Microsoft Update Health Tools\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Mozilla Firefox\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\MSBuild\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Realtek\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Reference Assemblies\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\ruxim\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Uninstall Information\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\UNP\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Windows Defender\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Windows Defender Advanced Threat Protection\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Windows Mail\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Windows Media Player\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Windows Multimedia Platform\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Windows NT\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Windows Photo Viewer\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Windows Portable Devices\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Windows Security\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\WindowsPowerShell\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\DESIGNER\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\Services\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\System\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Google\Chrome\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Internet Explorer\en-GB\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Internet Explorer\en-US\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Internet Explorer\images\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Internet Explorer\SIGNUP\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Microsoft Office\Office16\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Microsoft Office\PackageManifests\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Microsoft Office\root\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Microsoft Office\Updates\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Microsoft Office 15\ClientX64\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Microsoft Update Health Tools\Logs\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Mozilla Firefox\browser\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Mozilla Firefox\defaults\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Mozilla Firefox\fonts\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Mozilla Firefox\gmp-clearkey\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Mozilla Firefox\META-INF\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Mozilla Firefox\uninstall\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\MSBuild\Microsoft\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\af-ZA\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\ar\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\az-Latn-AZ\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\bg\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\bs-Latn-BA\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\ca-ES\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\cs\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\cy-GB\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\da\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\de\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\el-GR\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\en-GB\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\en-US\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\es\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\es-MX\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\et\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\eu-ES\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\fa-IR\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\fi\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\fr\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\fr-CA\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\gl-ES\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\he\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\hr\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\hu\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\id\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\is-IS\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\it\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\ja\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\ka-GE\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\kk-KZ\instructions_read_me.txt