
Windows Analysis Report
HkObDPju6Z.exe

Overview

General Information

Sample Name: HkObDPju6Z.exe
Analysis ID: 886219
MD5: 6441d7260944bcedc5958c5c8a05d16d
SHA1: 46257982840493eca90e051ff1749e7040895584
SHA256: 723d1cf3d74fb3ce95a77ed9dff257a78c8af8e67a82963230dd073781074224

Detection

BlackBasta
Score: 88 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected BlackBasta ransomware
Found ransom note / readme
Found Tor onion address
Machine Learning detection for sample
Contains functionality to modify clipboard data
May disable shadow drive data (uses vssadmin)
Writes a notice file (html or txt) to demand a ransom
Deletes shadow drive data (may be related to ransomware)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Abnormal high CPU Usage
AV process strings found (often used to terminate AV products)
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
Extensive use of GetProcAddress (often used to hide API calls)
Tries to load missing DLLs
Contains functionality to read the PEB
Found large amount of non-executed APIs
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)
Contains functionality for read data from the clipboard

Classification

  • System is w10x64native
  • HkObDPju6Z.exe (PID: 332 cmdline: C:\Users\user\Desktop\HkObDPju6Z.exe MD5: 6441D7260944BCEDC5958C5C8A05D16D)
    • cmd.exe (PID: 312 cmdline: C:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 2280 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • vssadmin.exe (PID: 8948 cmdline: C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet MD5: B58073DB8892B67A672906C9358020EC)
    • cmd.exe (PID: 3944 cmdline: cmd.exe /c start /MAX notepad.exe c:\instructions_read_me.txt MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7328 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • notepad.exe (PID: 1352 cmdline: notepad.exe c:\instructions_read_me.txt MD5: E92D3A824A0578A50D2DD81B5060145F)
  • HkObDPju6Z.exe (PID: 1508 cmdline: "C:\Users\user\Desktop\HkObDPju6Z.exe" MD5: 6441D7260944BCEDC5958C5C8A05D16D)
    • cmd.exe (PID: 3292 cmdline: C:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 2452 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • vssadmin.exe (PID: 4644 cmdline: C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet MD5: B58073DB8892B67A672906C9358020EC)
  • HkObDPju6Z.exe (PID: 5560 cmdline: "C:\Users\user\Desktop\HkObDPju6Z.exe" MD5: 6441D7260944BCEDC5958C5C8A05D16D)
    • cmd.exe (PID: 1808 cmdline: C:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 4152 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • vssadmin.exe (PID: 8264 cmdline: C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet MD5: B58073DB8892B67A672906C9358020EC)
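Every instance of the sample in the tree above runs the same chain: HkObDPju6Z.exe spawns cmd.exe /c, which spawns vssadmin.exe delete shadows /all /quiet. Two details matter for anyone writing a detection from this tree. First, the sample is a 32-bit PE (EXECUTABLE_IMAGE, 32BIT_MACHINE) on a w10x64 host, so it reaches vssadmin.exe through C:\Windows\SysNative\, the alias WoW64 exempts from file-system redirection; a rule that matches only the literal System32\vssadmin.exe path misses it. Second, vssadmin.exe is a child of cmd.exe, so the process that ordered the deletion is two hops up. The Python below is an added example, not part of the Joe Sandbox report: it folds SysNative onto System32, matches the delete-shadows verb, and walks the parent chain back to the originating image. The records are constructed in the shape of Sysmon Event ID 1 with the PIDs and command lines taken from the tree; the parent PIDs 1000 and 900 and the benign "vssadmin.exe list shadows" entry are assumptions.

```python
"""Flag Volume Shadow Copy deletion and walk back to the process that ordered it.

Records approximate Sysmon Event ID 1 (process create). PIDs and command lines
are taken from the sandbox process tree; parent PIDs 1000/900 and the benign
'list shadows' event are constructed.
"""
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# WoW64 alias: a 32-bit process reaches the native 64-bit System32 via SysNative,
# so both spellings must collapse onto one before any path comparison.
_SYSNATIVE = re.compile(r"\\sysnative\\", re.IGNORECASE)

# vssadmin.exe delete shadows [/for=X:] [/oldest | /all | /shadow=ID] [/quiet]
_VSS_DELETE = re.compile(r"\bdelete\s+shadows\b", re.IGNORECASE)


def normalize_image(path: str) -> str:
    """Lower-case the path and fold \\SysNative\\ onto \\System32\\."""
    return _SYSNATIVE.sub(r"\\system32\\", path.lower())


def is_shadow_deletion(ev: ProcEvent) -> bool:
    """True when the event is vssadmin.exe (any System32/SysNative spelling) deleting shadows."""
    image = normalize_image(ev.image)
    return ntpath.basename(image) == "vssadmin.exe" and bool(_VSS_DELETE.search(ev.cmdline))


def ancestry(ev: ProcEvent, by_pid: dict) -> list:
    """Return [ev, parent, grandparent, ...], stopping at the first PID not in the event set."""
    chain, seen, cur = [ev], {ev.pid}, ev
    while cur.ppid in by_pid and cur.ppid not in seen:
        cur = by_pid[cur.ppid]
        seen.add(cur.pid)
        chain.append(cur)
    return chain


def find_shadow_deletions(events):
    """Return (vssadmin_pid, root_image) pairs; root is the top-most known ancestor."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for ev in events:
        if is_shadow_deletion(ev):
            root = ancestry(ev, by_pid)[-1]
            hits.append((ev.pid, ntpath.basename(root.image)))
    return hits


# Constructed sample; PIDs and command lines lifted from the report's process tree.
SAMPLE_EVENTS = [
    ProcEvent(332, 1000, r"C:\Users\user\Desktop\HkObDPju6Z.exe", r"C:\Users\user\Desktop\HkObDPju6Z.exe"),
    ProcEvent(312, 332, r"C:\Windows\system32\cmd.exe",
              r"C:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet"),
    ProcEvent(2280, 312, r"C:\Windows\system32\conhost.exe", r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    ProcEvent(8948, 312, r"C:\Windows\SysNative\vssadmin.exe", r"C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet"),
    ProcEvent(3944, 332, r"C:\Windows\system32\cmd.exe", r"cmd.exe /c start /MAX notepad.exe c:\instructions_read_me.txt"),
    ProcEvent(1352, 3944, r"C:\Windows\system32\notepad.exe", r"notepad.exe c:\instructions_read_me.txt"),
    # Constructed benign noise: a backup job enumerating shadows must not trigger.
    ProcEvent(4100, 900, r"C:\Windows\System32\vssadmin.exe", r"vssadmin.exe list shadows"),
]

if __name__ == "__main__":
    for pid, root in find_shadow_deletions(SAMPLE_EVENTS):
        print(f"shadow copy deletion by PID {pid}, ordered by {root}")
```

Matching on the verb rather than the full command line also catches the variants the /all switch hides here (/oldest, /shadow=ID, /for=D:), which is why the rule keys on "delete shadows" and the image name instead of the exact string the sample used.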
Name: Black Basta
Description: "Black Basta" is a ransomware strain discovered during April 2022 that appears to have been in development since at least early February 2022. Given the speed with which the group amassed new victims and the style of its negotiations, this is likely not a new operation but a rebrand of a previous top-tier ransomware gang that brought its affiliates along.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.blackbasta
No configs have been found
Source | Rule | Description | Author
0000000A.00000003.22756871962.00000000028F0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_BlackBasta | Yara detected BlackBasta ransomware | Joe Security
0000001E.00000002.27586886931.0000000003343000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_BlackBasta | Yara detected BlackBasta ransomware | Joe Security
00000003.00000003.22575159083.0000000002F20000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_BlackBasta | Yara detected BlackBasta ransomware | Joe Security
0000000E.00000003.22839485707.0000000002980000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_BlackBasta | Yara detected BlackBasta ransomware | Joe Security
0000000E.00000002.22856927512.0000000002A90000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_BlackBasta | Yara detected BlackBasta ransomware | Joe Security
(5 further entries not shown)
Source | Rule | Description | Author
10.3.HkObDPju6Z.exe.28f0000.0.raw.unpack | JoeSecurity_BlackBasta | Yara detected BlackBasta ransomware | Joe Security
14.3.HkObDPju6Z.exe.2980000.0.unpack | JoeSecurity_BlackBasta | Yara detected BlackBasta ransomware | Joe Security
14.2.HkObDPju6Z.exe.2a90000.1.raw.unpack | JoeSecurity_BlackBasta | Yara detected BlackBasta ransomware | Joe Security
10.2.HkObDPju6Z.exe.2a40000.1.raw.unpack | JoeSecurity_BlackBasta | Yara detected BlackBasta ransomware | Joe Security
3.3.HkObDPju6Z.exe.2f20000.0.raw.unpack | JoeSecurity_BlackBasta | Yara detected BlackBasta ransomware | Joe Security
(5 further entries not shown)
                      No Sigma rule has matched
                      No Snort rule has matched

                      AV Detection

Source: HkObDPju6Z.exe | ReversingLabs: Detection: 59%
Source: HkObDPju6Z.exe | Virustotal: Detection: 69%
Source: HkObDPju6Z.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\HkObDPju6Z.exe | Code function: 10_2_02A7ECB0 CryptAcquireContextA, CryptAcquireContextA, GetLastError, CryptAcquireContextA, CryptAcquireContextA, SetLastError, CryptAcquireContextA
Source: C:\Users\user\Desktop\HkObDPju6Z.exe | Code function: 10_2_02A7F280 CryptReleaseContext
Source: C:\Users\user\Desktop\HkObDPju6Z.exe | Code function: 10_2_02A7F390 CryptGenRandom, CryptReleaseContext
Source: C:\Users\user\Desktop\HkObDPju6Z.exe | Code function: 10_2_02AEA750 CryptReleaseContext
Source: HkObDPju6Z.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\HkObDPju6Z.exe | Directory created:
C:\Program Files\instructions_read_me.txt
C:\Program Files\Common Files\instructions_read_me.txt
C:\Program Files\Google\instructions_read_me.txt
C:\Program Files\Internet Explorer\instructions_read_me.txt
C:\Program Files\Microsoft Office\instructions_read_me.txt
C:\Program Files\Microsoft Office 15\instructions_read_me.txt
C:\Program Files\Microsoft Update Health Tools\instructions_read_me.txt
C:\Program Files\Mozilla Firefox\instructions_read_me.txt
C:\Program Files\MSBuild\instructions_read_me.txt
C:\Program Files\PCHealthCheck\instructions_read_me.txt
C:\Program Files\Realtek\instructions_read_me.txt
C:\Program Files\Reference Assemblies\instructions_read_me.txt
C:\Program Files\ruxim\instructions_read_me.txt
C:\Program Files\Uninstall Information\instructions_read_me.txt
C:\Program Files\UNP\instructions_read_me.txt
C:\Program Files\Windows Defender\instructions_read_me.txt
C:\Program Files\Windows Defender Advanced Threat Protection\instructions_read_me.txt
C:\Program Files\Windows Mail\instructions_read_me.txt
C:\Program Files\Windows Media Player\instructions_read_me.txt
C:\Program Files\Windows Multimedia Platform\instructions_read_me.txt
C:\Program Files\Windows NT\instructions_read_me.txt
C:\Program Files\Windows Photo Viewer\instructions_read_me.txt
C:\Program Files\Windows Portable Devices\instructions_read_me.txt
C:\Program Files\Windows Security\instructions_read_me.txt
C:\Program Files\WindowsPowerShell\instructions_read_me.txt
C:\Program Files\Common Files\DESIGNER\instructions_read_me.txt
C:\Program Files\Common Files\microsoft shared\instructions_read_me.txt
C:\Program Files\Common Files\Services\instructions_read_me.txt
C:\Program Files\Common Files\System\instructions_read_me.txt
C:\Program Files\Google\Chrome\instructions_read_me.txt
C:\Program Files\Internet Explorer\en-GB\instructions_read_me.txt
C:\Program Files\Internet Explorer\en-US\instructions_read_me.txt
C:\Program Files\Internet Explorer\images\instructions_read_me.txt
C:\Program Files\Internet Explorer\SIGNUP\instructions_read_me.txt
C:\Program Files\Microsoft Office\Office16\instructions_read_me.txt
C:\Program Files\Microsoft Office\PackageManifests\instructions_read_me.txt
C:\Program Files\Microsoft Office\root\instructions_read_me.txt
C:\Program Files\Microsoft Office\Updates\instructions_read_me.txt
C:\Program Files\Microsoft Office 15\ClientX64\instructions_read_me.txt
C:\Program Files\Microsoft Update Health Tools\Logs\instructions_read_me.txt
C:\Program Files\Mozilla Firefox\browser\instructions_read_me.txt
C:\Program Files\Mozilla Firefox\defaults\instructions_read_me.txt
C:\Program Files\Mozilla Firefox\fonts\instructions_read_me.txt
C:\Program Files\Mozilla Firefox\gmp-clearkey\instructions_read_me.txt
C:\Program Files\Mozilla Firefox\META-INF\instructions_read_me.txt
C:\Program Files\Mozilla Firefox\uninstall\instructions_read_me.txt
C:\Program Files\MSBuild\Microsoft\instructions_read_me.txt
C:\Program Files\PCHealthCheck\af-ZA\instructions_read_me.txt
C:\Program Files\PCHealthCheck\ar\instructions_read_me.txt
C:\Program Files\PCHealthCheck\az-Latn-AZ\instructions_read_me.txt
C:\Program Files\PCHealthCheck\bg\instructions_read_me.txt
C:\Program Files\PCHealthCheck\bs-Latn-BA\instructions_read_me.txt
C:\Program Files\PCHealthCheck\ca-ES\instructions_read_me.txt
C:\Program Files\PCHealthCheck\cs\instructions_read_me.txt
C:\Program Files\PCHealthCheck\cy-GB\instructions_read_me.txt
C:\Program Files\PCHealthCheck\da\instructions_read_me.txt
C:\Program Files\PCHealthCheck\de\instructions_read_me.txt
C:\Program Files\PCHealthCheck\el-GR\instructions_read_me.txt
C:\Program Files\PCHealthCheck\en-GB\instructions_read_me.txt
C:\Program Files\PCHealthCheck\en-US\instructions_read_me.txt
C:\Program Files\PCHealthCheck\es\instructions_read_me.txt
C:\Program Files\PCHealthCheck\es-MX\instructions_read_me.txt
C:\Program Files\PCHealthCheck\et\instructions_read_me.txt
C:\Program Files\PCHealthCheck\eu-ES\instructions_read_me.txt
C:\Program Files\PCHealthCheck\fa-IR\instructions_read_me.txt
C:\Program Files\PCHealthCheck\fi\instructions_read_me.txt
C:\Program Files\PCHealthCheck\fr\instructions_read_me.txt
C:\Program Files\PCHealthCheck\fr-CA\instructions_read_me.txt
C:\Program Files\PCHealthCheck\gl-ES\instructions_read_me.txt
C:\Program Files\PCHealthCheck\he\instructions_read_me.txt
C:\Program Files\PCHealthCheck\hr\instructions_read_me.txt
C:\Program Files\PCHealthCheck\hu\instructions_read_me.txt
C:\Program Files\PCHealthCheck\id\instructions_read_me.txt
C:\Program Files\PCHealthCheck\is-IS\instructions_read_me.txt
C:\Program Files\PCHealthCheck\it\instructions_read_me.txt
C:\Program Files\PCHealthCheck\ja\instructions_read_me.txt
C:\Program Files\PCHealthCheck\ka-GE\instructions_read_me.txt
C:\Program Files\PCHealthCheck\kk-KZ\instructions_read_me.txt
C:\Program Files\PCHealthCheck\ko\instructions_read_me.txt
C:\Program Files\PCHealthCheck\lt\instructions_read_me.txt
C:\Program Files\PCHealthCheck\lv\instructions_read_me.txt
C:\Program Files\PCHealthCheck\ms-MY\instructions_read_me.txt
C:\Program Files\PCHealthCheck\nb\instructions_read_me.txt
C:\Program Files\PCHealthCheck\nl\instructions_read_me.txt
C:\Program Files\PCHealthCheck\nn-NO\instructions_read_me.txt
C:\Program Files\PCHealthCheck\pl\instructions_read_me.txt
C:\Program Files\PCHealthCheck\pt\instructions_read_me.txt
C:\Program Files\PCHealthCheck\pt-PT\instructions_read_me.txt
C:\Program Files\PCHealthCheck\ro\instructions_read_me.txt
C:\Program Files\PCHealthCheck\ru\instructions_read_me.txt
C:\Program Files\PCHealthCheck\sk\instructions_read_me.txt
C:\Program Files\PCHealthCheck\sl\instructions_read_me.txt
C:\Program Files\PCHealthCheck\sq-AL\instructions_read_me.txt
C:\Program Files\PCHealthCheck\sr-Cyrl-BA\instructions_read_me.txt
C:\Program Files\PCHealthCheck\sr-latn\instructions_read_me.txt
C:\Program Files\PCHealthCheck\sv\instructions_read_me.txt
C:\Program Files\PCHealthCheck\th\instructions_read_me.txt
C:\Program Files\PCHealthCheck\tr-TR\instructions_read_me.txt
C:\Program Files\PCHealthCheck\uk\instructions_read_me.txt
C:\Program Files\PCHealthCheck\ux\instructions_read_me.txt
C:\Program Files\PCHealthCheck\vi\instructions_read_me.txt
C:\Program Files\PCHealthCheck\zh-hans\instructions_read_me.txt
C:\Program Files\PCHealthCheck\zh-hant\instructions_read_me.txt
C:\Program Files\Realtek\Audio\instructions_read_me.txt
C:\Program Files\Reference Assemblies\Microsoft\instructions_read_me.txt
C:\Program Files\ruxim\ar-sa\instructions_read_me.txt
C:\Program Files\ruxim\bg-bg\instructions_read_me.txt
C:\Program Files\ruxim\cs-sz\instructions_read_me.txt
C:\Program Files\ruxim\da-dk\instructions_read_me.txt
C:\Program Files\ruxim\de-de\instructions_read_me.txt
C:\Program Files\ruxim\el-gr\instructions_read_me.txt
C:\Program Files\ruxim\en-gb\instructions_read_me.txt
C:\Program Files\ruxim\en-us\instructions_read_me.txt
C:\Program Files\ruxim\es-es\instructions_read_me.txt
C:\Program Files\ruxim\es-mx\instructions_read_me.txt
C:\Program Files\ruxim\et-ee\instructions_read_me.txt
C:\Program Files\ruxim\fi-fi\instructions_read_me.txt
C:\Program Files\ruxim\fr-ca\instructions_read_me.txt
C:\Program Files\ruxim\fr-fr\instructions_read_me.txt
C:\Program Files\ruxim\he-il\instructions_read_me.txt
C:\Program Files\ruxim\hr-hr\instructions_read_me.txt
C:\Program Files\ruxim\hu-hu\instructions_read_me.txt
C:\Program Files\ruxim\it-it\instructions_read_me.txt
C:\Program Files\ruxim\ja-jp\instructions_read_me.txt
C:\Program Files\ruxim\ko-kr\instructions_read_me.txt
C:\Program Files\ruxim\Logs\instructions_read_me.txt
C:\Program Files\ruxim\lt-lt\instructions_read_me.txt
C:\Program Files\ruxim\lv-lv\instructions_read_me.txt
C:\Program Files\ruxim\nb-no\instructions_read_me.txt
C:\Program Files\ruxim\nl-nl\instructions_read_me.txt
C:\Program Files\ruxim\pl-pl\instructions_read_me.txt
C:\Program Files\ruxim\pt-br\instructions_read_me.txt
C:\Program Files\ruxim\pt-pt\instructions_read_me.txt
C:\Program Files\ruxim\ro-ro\instructions_read_me.txt
C:\Program Files\ruxim\ru-ru\instructions_read_me.txt
C:\Program Files\ruxim\sk-sk\instructions_read_me.txt
C:\Program Files\ruxim\sl-latn-rs\instructions_read_me.txt
C:\Program Files\ruxim\sl-si\instructions_read_me.txt
C:\Program Files\ruxim\sv-se\instructions_read_me.txt
C:\Program Files\ruxim\th-th\instructions_read_me.txt
C:\Program Files\ruxim\tr-tr\instructions_read_me.txt
C:\Program Files\ruxim\uk-ua\instructions_read_me.txt
C:\Program Files\ruxim\zh-cn\instructions_read_me.txt
C:\Program Files\ruxim\zh-tw\instructions_read_me.txt
C:\Program Files\UNP\Logs\instructions_read_me.txt
C:\Program Files\Windows Defender\en-GB\instructions_read_me.txt
C:\Program Files\Windows Defender\en-US\instructions_read_me.txt
C:\Program Files\Windows Defender\Offline\instructions_read_me.txt
C:\Program Files\Windows Defender\Platform\instructions_read_me.txt
C:\Program Files\Windows Defender Advanced Threat Protection\Classification\instructions_read_me.txt
C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\instructions_read_me.txt
C:\Program Files\Windows Defender Advanced Threat Protection\en-US\instructions_read_me.txt
C:\Program Files\Windows Media Player\en-GB\instructions_read_me.txt
C:\Program Files\Windows Media Player\en-US\instructions_read_me.txt
C:\Program Files\Windows Media Player\Media Renderer\instructions_read_me.txt
C:\Program Files\Windows Media Player\Network Sharing\instructions_read_me.txt
C:\Program Files\Windows Media Player\Skins\instructions_read_me.txt
C:\Program Files\Windows Media Player\Visualizations\instructions_read_me.txt
C:\Program Files\Windows NT\Accessories\instructions_read_me.txt
C:\Program Files\Windows NT\TableTextService\instructions_read_me.txt
C:\Program Files\Windows Photo Viewer\en-GB\instructions_read_me.txt
C:\Program Files\Windows Photo Viewer\en-US\instructions_read_me.txt
C:\Program Files\Windows Security\BrowserCore\instructions_read_me.txt
C:\Program Files\WindowsPowerShell\Modules\instructions_read_me.txt
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ClickToRun\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\microsoft shared\MSInfo\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\microsoft shared\OFFICE16\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\microsoft shared\Stationery\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\microsoft shared\TextConv\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\microsoft shared\Triedit\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\microsoft shared\VGX\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\microsoft shared\VSTO\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\System\ado\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\System\en-GB\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\System\en-US\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\System\msadc\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\System\Ole DB\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Google\Chrome\Application\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Microsoft Office\root\Client\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Microsoft Office\root\Document Themes 16\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Microsoft Office\root\fre\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Microsoft Office\root\Integration\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Microsoft Office\root\Licenses\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Microsoft Office\root\Licenses16\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Microsoft Office\root\loc\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Microsoft Office\root\Office15\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Microsoft Office\root\Office16\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Microsoft Office\root\rsod\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Microsoft Office\root\Stationery\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Microsoft Office\root\Templates\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Microsoft Office\root\vfs\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Microsoft Office\root\vreg\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Microsoft Office\Updates\Apply\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Microsoft Office\Updates\Download\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Mozilla Firefox\browser\features\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Mozilla Firefox\browser\META-INF\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Mozilla Firefox\browser\VisualElements\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Mozilla Firefox\defaults\pref\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\PCHealthCheck\ux\resources\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\PCHealthCheck\ux\static\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Realtek\Audio\HDA\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Reference Assemblies\Microsoft\Framework\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Windows NT\Accessories\en-US\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Windows NT\TableTextService\en-US\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Windows Security\BrowserCore\en-US\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\WindowsPowerShell\Modules\PackageManagement\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\WindowsPowerShell\Modules\Pester\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\WindowsPowerShell\Modules\PSReadline\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\ar-SA\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\bg-BG\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\da-DK\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\de-DE\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\el-GR\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\en-GB\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\en-US\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\es-ES\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\es-MX\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\et-EE\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\fi-FI\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\fr-CA\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\fr-FR\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\he-IL\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\hr-HR\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\hu-HU\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\it-IT\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\ja-JP\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\ko-KR\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\lt-LT\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\lv-LV\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\nb-NO\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\nl-NL\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\pl-PL\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\pt-BR\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\pt-PT\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\ro-RO\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\ru-RU\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\sk-SK\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\sl-SI\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\sv-SE\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\th-TH\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\tr-TR\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\uk-UA\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\zh-CN\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\zh-TW\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\microsoft shared\MSInfo\en-GB\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\microsoft shared\TextConv\en-US\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\microsoft shared\Triedit\en-US\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\microsoft shared\VSTO\10.0\instructions_read_me.txtJump to behavior
                      Source: HkObDPju6Z.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                      Source: Binary string: E:\cpp\calc\Bin\Release_x86_v143\minipath.pdb source: HkObDPju6Z.exe
                      Source: Binary string: rocess-l1-1-0.pdb source: api-ms-win-crt-process-l1-1-0.dll.3.dr
                      Source: Binary string: K0S\ship\lobiclient\x-none\EntityPicker.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000{ source: EntityPicker.dll.3.dr
                      Source: Binary string: d:\dbs\el\may\target\x64\ship\osm\x-none\MSBARCODE.pdb0000000000000 source: MSBARCODE.DLL.3.dr
                      Source: Binary string: D:\Extra\react\chakradbg\arm64\build\bin\x64\Release\ChakraCore.Debugger.pdbBB"! source: ChakraCore.Debugger.dll.3.dr
                      Source: Binary string: G0.pdb source: api-ms-win-core-xstate-l2-1-0.dll.3.dr
                      Source: Binary string: d:\dbs\el\may\target\x64\ship\osm\x-none\MSBARCODE.pdb source: MSBARCODE.DLL.3.dr
                      Source: Binary string: ;\ship\intldate\x-none\IntlDate.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 source: INTLDATE.DLL.3.dr
                      Source: Binary string: ;\ship\intldate\x-none\IntlDate.pdb source: INTLDATE.DLL.3.dr
                      Source: Binary string: S\ship\lobiclient\x-none\EntityPicker.pdb source: EntityPicker.dll.3.dr
                      Source: Binary string: d:\dbs\el\jul\target\x64\ship\click2run\x-none\Interceptor.pdb source: Interceptor.dll.3.dr
                      Source: Binary string: d:\dbs\el\jul\target\x64\ship\click2run\x-none\Interceptor.pdb0000000000000000000000000000000000000 source: Interceptor.dll.3.dr
                      Source: Binary string: D:\Extra\react\chakradbg\arm64\build\bin\x64\Release\ChakraCore.Debugger.pdb source: ChakraCore.Debugger.dll.3.dr
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exe | Code function: 10_2_0083605C FindFirstFileExW, | 10_2_0083605C
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exe | Code function: 10_2_007EE3D0 PathCompactPathExW,LoadStringW,LoadStringW,LoadStringW,SendMessageW,GetParent,DoDragDrop,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SHGetDataFromIDListW,FindFirstFileW,FindClose,StrFormatByteSizeW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetDateFormatW,GetTimeFormatW,lstrcpyW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,wsprintfW,SendMessageW,wsprintfW,lstrcmpW,SendMessageW,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree,StrRetToBufW,StrRetToBufW,StrRetToBufW,SHGetFileInfoW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,lstrcmpW, | 10_2_007EE3D0
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exe | Code function: 10_2_00836446 FindFirstFileExW,FindNextFileW,FindClose,FindClose, | 10_2_00836446
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exe | Code function: 10_2_02A4CB30 FindFirstFileW,lstrcmpW,FindNextFileW,GetLastError,FindClose,GetTempPathW,RegCreateKeyExW,GetTickCount, | 10_2_02A4CB30
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exe | Code function: 10_2_02AD8642 FindFirstFileExW, | 10_2_02AD8642
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exe | Code function: 10_2_02A4C4FE FindFirstFileW,lstrcmpW,FindNextFileW,GetLastError,FindClose, | 10_2_02A4C4FE

                      Networking

                      Source: HkObDPju6Z.exe, 00000003.00000003.22575159083.0000000002F20000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
                      Source: HkObDPju6Z.exe | String found in binary or memory: ATTENTION! Your network has been breached and all data was encrypted. Please contact us at: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/ Login ID: 26d371a9-efda-4e82-9989-01e292244d65 *!* To access .onion websites downlo
                      Source: HkObDPju6Z.exe | String found in binary or memory: ATTENTION!Your network has been breached and all data was encrypted. Please contact us at:https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/ Login ID: 26d371a9-efda-4e82-9989-01e292244d65*!* To access .onion websites downlo
                      Source: HkObDPju6Z.exe, 0000000A.00000003.22756871962.00000000028F0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
                      Source: HkObDPju6Z.exe, 0000000A.00000002.22779639838.0000000000D20000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
                      Source: HkObDPju6Z.exe, 0000000A.00000002.22781985168.0000000002A40000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
                      Source: HkObDPju6Z.exe, 0000000E.00000002.22855902907.0000000002900000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
                      Source: HkObDPju6Z.exe, 0000000E.00000003.22839485707.0000000002980000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
                      Source: HkObDPju6Z.exe, 0000000E.00000002.22856927512.0000000002A90000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
                      Source: notepad.exe, 0000001E.00000002.27586886931.0000000003343000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
                      Source: instructions_read_me.txt46.3.dr | String found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
                      Source: instructions_read_me.txt51.3.dr | String found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
                      Source: instructions_read_me.txt79.3.dr | String found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
                      Source: instructions_read_me.txt78.3.dr | String found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
                      Source: instructions_read_me.txt39.3.dr | String found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
                      Source: instructions_read_me.txt13.3.dr | String found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
                      Source: instructions_read_me.txt21.3.dr | String found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
                      Source: instructions_read_me.txt38.3.dr | String found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
                      Source: instructions_read_me.txt40.3.dr | String found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
                      Source: instructions_read_me.txt15.3.dr | String found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
                      Source: instructions_read_me.txt57.3.dr | String found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
                      Source: instructions_read_me.txt71.3.dr | String found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
                      Source: instructions_read_me.txt6.3.dr | String found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
                      Source: instructions_read_me.txt69.3.dr | String found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
                      Source: instructions_read_me.txt30.3.dr | String found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
                      Source: instructions_read_me.txt54.3.dr | String found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
                      Source: instructions_read_me.txt2.3.dr | String found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
                      Source: instructions_read_me.txt18.3.dr | String found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
                      Source: instructions_read_me.txt41.3.dr | String found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
                      Source: ChakraCore.Debugger.dll.3.dr | String found in binary or memory: http://crl.mi)
                      Source: C2RINTL.vi-vn.dll.3.dr, Interceptor.dll.3.dr, MSBARCODE.DLL.3.dr | String found in binary or memory: http://crl.mic
                      Source: inventory.dll.3.dr | String found in binary or memory: http://crl.mic&
                      Source: api-ms-win-crt-stdio-l1-1-0.dll.3.dr | String found in binary or memory: http://crl.micro
                      Source: api-ms-win-core-xstate-l2-1-0.dll.3.dr | String found in binary or memory: http://crl.micrpNi
                      Source: MAPISHELL.DLL.3.dr | String found in binary or memory: http://crl.miy
                      Source: ProjectPro2019VL_MAK_AE-pl.xrm-ms.3.dr | String found in binary or memory: http://www.microsoft.
                      Source: HkObDPju6Z.exe, 00000003.00000003.22622038049.0000000001070000.00000004.00000020.00020000.00000000.sdmp, C2RINTL.ru-ru.dll.3.dr, AccessR_Grace-ul-oob.xrm-ms.3.dr | String found in binary or memory: http://www.microsoft.c
                      Source: ProjectProCO365R_Subscription-pl.xrm-ms.3.dr, Access2021VL_MAK_AE-pl.xrm-ms.3.dr, Publisher2021R_Retail2-pl.xrm-ms.3.dr | String found in binary or memory: http://www.microsoft.co
                      Source: O365EduCloudEDUR_Subscription-pl.xrm-ms.3.dr | String found in binary or memory: http://www.microsoft.cog
                      Source: StartMenu_Win8.mp4.3.dr, StartMenu_Win10_RTL.mp4.3.dr | String found in binary or memory: http://www.videolan.org/x264.html
                      Source: ProjectPro2021VL_MAK_AE1-ul-oob.xrm-ms.3.dr | String found in binary or memory: http://www.w3.
                      Source: Publisher2019R_Retail-ul-oob.xrm-ms.3.dr | String found in binary or memory: http://www.w3.5(
                      Source: ProjectProCO365R_SubTest-ul-oob.xrm-ms.3.dr | String found in binary or memory: http://www.w3.L
                      Source: Standard2021MSDNR_Retail-ul-oob.xrm-ms.3.dr | String found in binary or memory: http://www.w3.i
                      Source: O365HomePremR_SubTrial4-ul-oob.xrm-ms.3.dr, Publisher2021R_Trial-ul-oob.xrm-ms.3.dr, Standard2021R_Retail-ul-oob.xrm-ms.3.dr, Access2021R_Retail-pl.xrm-ms.3.dr, ProPlusVL_KMS_Client-ul.xrm-ms.3.dr, Standard2019VL_MAK_AE-ul-phn.xrm-ms.3.dr | String found in binary or memory: http://www.w3.o
                      Source: O365HomePremR_SubTrial5-ul-oob.xrm-ms.3.dr | String found in binary or memory: http://www.w3.od9(
                      Source: O365HomePremR_SubTrial4-ul-oob.xrm-ms.3.dr, Access2021VL_MAK_AE-ul-oob.xrm-ms.3.dr, Standard2021R_Trial-ul-oob.xrm-ms.3.dr, Access2019VL_MAK_AE-ul-oob.xrm-ms.3.dr, ProfessionalR_Trial-ul-oob.xrm-ms.3.dr | String found in binary or memory: http://www.w3.or
                      Source: VisioPro2019R_Grace-ul-oob.xrm-ms.3.dr | String found in binary or memory: http://www.w3.orQZ
                      Source: Standard2019R_Grace-ul-oob.xrm-ms.3.dr | String found in binary or memory: http://www.w3.orRR
                      Source: Standard2021R_Grace-ul-oob.xrm-ms.3.dr | String found in binary or memory: http://www.w3.oro
                      Source: O365HomePremR_SubTrial5-ul-oob.xrm-ms.3.dr | String found in binary or memory: http://www.w3.orqq5
                      Source: HkObDPju6Z.exe, HkObDPju6Z.exe, 0000000A.00000003.22756871962.00000000028F0000.00000004.00001000.00020000.00000000.sdmp, HkObDPju6Z.exe, 0000000A.00000002.22779639838.0000000000D20000.00000004.00001000.00020000.00000000.sdmp, HkObDPju6Z.exe, 0000000A.00000002.22781985168.0000000002A40000.00000040.00001000.00020000.00000000.sdmp, HkObDPju6Z.exe, 0000000E.00000002.22855902907.0000000002900000.00000004.00001000.00020000.00000000.sdmp, HkObDPju6Z.exe, 0000000E.00000003.22839485707.0000000002980000.00000004.00001000.00020000.00000000.sdmp, HkObDPju6Z.exe, 0000000E.00000002.22856927512.0000000002A90000.00000040.00001000.00020000.00000000.sdmp, notepad.exe, 0000001E.00000002.27586886931.0000000003343000.00000004.00000020.00020000.00000000.sdmp, instructions_read_me.txt46.3.dr, instructions_read_me.txt51.3.dr, instructions_read_me.txt79.3.dr, instructions_read_me.txt78.3.dr, instructions_read_me.txt39.3.dr, instructions_read_me.txt13.3.dr, instructions_read_me.txt21.3.dr, instructions_read_me.txt38.3.dr, instructions_read_me.txt40.3.dr, instructions_read_me.txt15.3.dr, instructions_read_me.txt57.3.dr, instructions_read_me.txt71.3.dr, instructions_read_me.txt6.3.dr | String found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
                      Source: inventory.dll.3.dr | String found in binary or memory: https://clients.config.office.net/collec
                      Source: inventory.dll.3.dr | String found in binary or memory: https://docs.live-tst.net/skydocsservice.svc
                      Source: ProjectProCO365R_SubTest-ul-oob.xrm-ms.3.dr | String found in binary or memory: https://go.mJ
                      Source: ProjectPro2021VL_MAK_AE1-ul-oob.xrm-ms.3.dr | String found in binary or memory: https://go.mi
                      Source: O365HomePremR_SubTrial4-ul-oob.xrm-ms.3.dr | String found in binary or memory: https://go.mic
                      Source: O365HomePremR_SubTrial5-ul-oob.xrm-ms.3.dr | String found in binary or memory: https://go.micd1t
                      Source: Standard2021MSDNR_Retail-ul-oob.xrm-ms.3.dr | String found in binary or memory: https://go.microso
                      Source: Publisher2021R_Trial-ul-oob.xrm-ms.3.dr | String found in binary or memory: https://go.microsoft.c
                      Source: inventory.dll.3.dr | String found in binary or memory: https://graph.microsoft.us
                      Source: inventory.dll.3.dr | String found in binary or memory: https://graph.microsoft.uslogin.microsoftonline.ushttps://microsoftgraph.chinacloudapi.cnlogin.us3
                      Source: ProjectPro2021VL_KMS_Client_AE-ul-oob.xrm-ms.3.dr | String found in binary or memory: https://licensing.mic
                      Source: SkypeforBusiness2019R_Trial-ppd.xrm-ms.3.dr | String found in binary or memory: https://licensing.micro.
                      Source: Standard2019VL_KMS_Client_AE-ul-oob.xrm-ms.3.dr, O365ProPlusEDUR_Subscription-ul-oob.xrm-ms.3.dr | String found in binary or memory: https://licensing.microso
                      Source: O365HomePremR_Subscription5-ul-oob.xrm-ms.3.dr | String found in binary or memory: https://licensing.microsoft
                      Source: Access2019VL_KMS_Client_AE-ul-oob.xrm-ms.3.dr, ProjectPro2019DemoR_BypassTrial180-ppd.xrm-ms.3.dr | String found in binary or memory: https://licensing.microsoft.c
                      Source: inventory.dll.3.drString found in binary or memory: https://login.live.com/oauth20_authorize.srf
                      Source: inventory.dll.3.drString found in binary or memory: https://login.live.com/oauth20_desktop.srf
                      Source: inventory.dll.3.drString found in binary or memory: https://login.live.com/oauth20_token.srfhttps://8
                      Source: inventory.dll.3.drString found in binary or memory: https://login.live.com00000000480728C5T
                      Source: inventory.dll.3.drString found in binary or memory: https://login.mi7
                      Source: inventory.dll.3.drString found in binary or memory: https://login.microsoftonline.com/common
                      Source: inventory.dll.3.drString found in binary or memory: https://login.microsoftonline.com/commonSetAuthorityAttempted
                      Source: inventory.dll.3.drString found in binary or memory: https://login.microsoftonline.de/common
                      Source: inventory.dll.3.drString found in binary or memory: https://login.microsoftonline.de/commonmicrosoftonline.demicrosoftonline.mil3
                      Source: inventory.dll.3.drString found in binary or memory: https://login.windows.localPath
                      Source: inventory.dll.3.drString found in binary or memory: https://microsoftgraph.chinacloudapi.cn
                      Source: inventory.dll.3.drString found in binary or memory: https://odc.officeapps.l=
                      Source: inventory.dll.3.drString found in binary or memory: https://odc.officeapps.live.com/odc/emailhrd/getidp
                      Source: inventory.dll.3.drString found in binary or memory: https://odc.officeapps.live.com/odc/emailhrd/getidp?domain=X-CorrelationIdX-Office-PlatformX-Officey
                      Source: inventory.dll.3.drString found in binary or memory: https://profile.live.com/home
                      Source: inventory.dll.3.drString found in binary or memory: https://substrate.office.com/profile/v1.0/me/profile
                      Source: inventory.dll.3.drString found in binary or memory: https://substrate.office.com/profile/v1.0/me/profileaccountspassportMemberNamephonesphoneNumbername
                      Source: HkObDPju6Z.exeString found in binary or memory: https://www.flos-freeware.ch
                      Source: HkObDPju6Z.exeString found in binary or memory: https://www.flos-freeware.chopenmailto:florian.balmer
                      Source: HkObDPju6Z.exeString found in binary or memory: https://www.rizonesoft.com
                      Source: HkObDPju6Z.exe, HkObDPju6Z.exe, 0000000A.00000003.22756871962.00000000028F0000.00000004.00001000.00020000.00000000.sdmp, HkObDPju6Z.exe, 0000000A.00000002.22781985168.0000000002A40000.00000040.00001000.00020000.00000000.sdmp, HkObDPju6Z.exe, 0000000E.00000003.22839485707.0000000002980000.00000004.00001000.00020000.00000000.sdmp, HkObDPju6Z.exe, 0000000E.00000002.22856927512.0000000002A90000.00000040.00001000.00020000.00000000.sdmp, notepad.exe, 0000001E.00000002.27586886931.0000000003343000.00000004.00000020.00020000.00000000.sdmp, instructions_read_me.txt46.3.dr, instructions_read_me.txt51.3.dr, instructions_read_me.txt79.3.dr, instructions_read_me.txt78.3.dr, instructions_read_me.txt39.3.dr, instructions_read_me.txt13.3.dr, instructions_read_me.txt21.3.dr, instructions_read_me.txt38.3.dr, instructions_read_me.txt40.3.dr, instructions_read_me.txt15.3.dr, instructions_read_me.txt57.3.dr, instructions_read_me.txt71.3.dr, instructions_read_me.txt6.3.dr, instructions_read_me.txt69.3.dr, instructions_read_me.txt30.3.drString found in binary or memory: https://www.torproject.org/

                      Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\Desktop\HkObDPju6Z.exe | Code function: 10_2_007EBE50 GetFileAttributesW,GetFileAttributesW,MessageBeep,DialogBoxIndirectParamW,LocalFree,ShellExecuteExW,GetShortPathNameW,StrCatBuffW,StrCatBuffW,StrCatBuffW,StrCatBuffW,lstrlenW,GlobalAlloc,GlobalLock,lstrcpyW,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,SendMessageW,SendMessageW,SendMessageW,StrRetToBufW,PathRemoveBackslashW,PathIsSameRootW,SetFocus,SendMessageW,SendMessageW,SendMessageW,SendMessageW,PostMessageW,GetFocus,GetDlgCtrlID,GetDlgItem,SetFocus,GetDlgItem,SetFocus,PathFileExistsW,lstrcpyW,StrRChrW,PathIsRootW,SetCurrentDirectoryW,SendMessageW,SendMessageW,lstrcpynW,MessageBeep,lstrcpynW,PathIsRootW,PathIsRootW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW | 10_2_007EBE50
Source: inventory.dll.3.dr | Binary or memory string: RegisterRawInputDevices

                      Spam, unwanted Advertisements and Ransom Demands

Source: Yara match | File source: 10.3.HkObDPju6Z.exe.28f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.3.HkObDPju6Z.exe.2980000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.HkObDPju6Z.exe.2a90000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.HkObDPju6Z.exe.2a40000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.3.HkObDPju6Z.exe.2f20000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.HkObDPju6Z.exe.2a90000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.HkObDPju6Z.exe.2a40000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.3.HkObDPju6Z.exe.2980000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.3.HkObDPju6Z.exe.28f0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.3.HkObDPju6Z.exe.2f20000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000A.00000003.22756871962.00000000028F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001E.00000002.27586886931.0000000003343000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.22575159083.0000000002F20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000003.22839485707.0000000002980000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.22856927512.0000000002A90000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.22781985168.0000000002A40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: HkObDPju6Z.exe PID: 332, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: HkObDPju6Z.exe PID: 1508, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: HkObDPju6Z.exe PID: 5560, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: notepad.exe PID: 1352, type: MEMORYSTR
Source: C:\instructions_read_me.txt | Dropped file: ATTENTION!Your network has been breached and all data was encrypted. Please contact us at:https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/ Login ID: 26d371a9-efda-4e82-9989-01e292244d65*!* To access .onion websites download and install Tor Browser at: https://www.torproject.org/ (Tor Browser is not related to us)*!* To restore all your PCs and get your network working again, follow these instructions:- Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. It doesn't matter, who are trying to do this, either it will be your IT guys or a recovery agency.Please follow these simple rules to avoid data corruption:- Do not modify, rename or delete files. Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. - Do not hire a recovery company. They can't decrypt without the key. They also don't care about your business. They believe that they are good negotiators, but it is not. They usually fail. So speak for yourself.Waiting you in a chat.
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\vssadmin.exe C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\vssadmin.exe C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\vssadmin.exe C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: C:\Users\user\Desktop\HkObDPju6Z.exe | File dropped: C:\instructions_read_me.txt -> decrypt or rename the files will lead to its fatal corruption. it doesn't matter, who are trying to do this, either it will be your it guys or a recovery agency.please follow these simple rules to avoid data corruption:- do not modify, rename or delete files. any attempts to modify, decrypt or rename the files will lead to its fatal corruption. - do not hire a recovery company. they can't decrypt without the key. they also don't care about your business. they believe that they are good negotiators, but it is not. they usually fail. so speak for yourself.waiting you in a chat.
Source: C:\Users\user\Desktop\HkObDPju6Z.exe | File dropped: C:\$WinREAgent\instructions_read_me.txt -> decrypt or rename the files will lead to its fatal corruption. it doesn't matter, who are trying to do this, either it will be your it guys or a recovery agency.please follow these simple rules to avoid data corruption:- do not modify, rename or delete files. any attempts to modify, decrypt or rename the files will lead to its fatal corruption. - do not hire a recovery company. they can't decrypt without the key. they also don't care about your business. they believe that they are good negotiators, but it is not. they usually fail. so speak for yourself.waiting you in a chat.
Source: C:\Users\user\Desktop\HkObDPju6Z.exe | File dropped: C:\Intel\instructions_read_me.txt -> decrypt or rename the files will lead to its fatal corruption. it doesn't matter, who are trying to do this, either it will be your it guys or a recovery agency.please follow these simple rules to avoid data corruption:- do not modify, rename or delete files. any attempts to modify, decrypt or rename the files will lead to its fatal corruption. - do not hire a recovery company. they can't decrypt without the key. they also don't care about your business. they believe that they are good negotiators, but it is not. they usually fail. so speak for yourself.waiting you in a chat.
Source: C:\Users\user\Desktop\HkObDPju6Z.exe | File dropped: C:\PerfLogs\instructions_read_me.txt -> decrypt or rename the files will lead to its fatal corruption. it doesn't matter, who are trying to do this, either it will be your it guys or a recovery agency.please follow these simple rules to avoid data corruption:- do not modify, rename or delete files. any attempts to modify, decrypt or rename the files will lead to its fatal corruption. - do not hire a recovery company. they can't decrypt without the key. they also don't care about your business. they believe that they are good negotiators, but it is not. they usually fail. so speak for yourself.waiting you in a chat.
Source: C:\Users\user\Desktop\HkObDPju6Z.exe | File dropped: C:\Program Files\instructions_read_me.txt -> decrypt or rename the files will lead to its fatal corruption. it doesn't matter, who are trying to do this, either it will be your it guys or a recovery agency.please follow these simple rules to avoid data corruption:- do not modify, rename or delete files. any attempts to modify, decrypt or rename the files will lead to its fatal corruption. - do not hire a recovery company. they can't decrypt without the key. they also don't care about your business. they believe that they are good negotiators, but it is not. they usually fail. so speak for yourself.waiting you in a chat.
Source: C:\Users\user\Desktop\HkObDPju6Z.exe | File dropped: C:\Program Files (x86)\instructions_read_me.txt -> decrypt or rename the files will lead to its fatal corruption. it doesn't matter, who are trying to do this, either it will be your it guys or a recovery agency.please follow these simple rules to avoid data corruption:- do not modify, rename or delete files. any attempts to modify, decrypt or rename the files will lead to its fatal corruption. - do not hire a recovery company. they can't decrypt without the key. they also don't care about your business. they believe that they are good negotiators, but it is not. they usually fail. so speak for yourself.waiting you in a chat.
Source: C:\Users\user\Desktop\HkObDPju6Z.exe | File dropped: C:\ProgramData\instructions_read_me.txt -> decrypt or rename the files will lead to its fatal corruption. it doesn't matter, who are trying to do this, either it will be your it guys or a recovery agency.please follow these simple rules to avoid data corruption:- do not modify, rename or delete files. any attempts to modify, decrypt or rename the files will lead to its fatal corruption. - do not hire a recovery company. they can't decrypt without the key. they also don't care about your business. they believe that they are good negotiators, but it is not. they usually fail. so speak for yourself.waiting you in a chat.
Source: C:\Users\user\Desktop\HkObDPju6Z.exe | File dropped: C:\Users\instructions_read_me.txt -> decrypt or rename the files will lead to its fatal corruption. it doesn't matter, who are trying to do this, either it will be your it guys or a recovery agency.please follow these simple rules to avoid data corruption:- do not modify, rename or delete files. any attempts to modify, decrypt or rename the files will lead to its fatal corruption. - do not hire a recovery company. they can't decrypt without the key. they also don't care about your business. they believe that they are good negotiators, but it is not. they usually fail. so speak for yourself.waiting you in a chat.
Source: C:\Users\user\Desktop\HkObDPju6Z.exe | File dropped: C:\$WinREAgent\Scratch\instructions_read_me.txt -> decrypt or rename the files will lead to its fatal corruption. it doesn't matter, who are trying to do this, either it will be your it guys or a recovery agency.please follow these simple rules to avoid data corruption:- do not modify, rename or delete files. any attempts to modify, decrypt or rename the files will lead to its fatal corruption. - do not hire a recovery company. they can't decrypt without the key. they also don't care about your business. they believe that they are good negotiators, but it is not. they usually fail. so speak for yourself.waiting you in a chat.
Source: C:\Users\user\Desktop\HkObDPju6Z.exe | File dropped: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\instructions_read_me.txt -> decrypt or rename the files will lead to its fatal corruption. it doesn't matter, who are trying to do this, either it will be your it guys or a recovery agency.please follow these simple rules to avoid data corruption:- do not modify, rename or delete files. any attempts to modify, decrypt or rename the files will lead to its fatal corruption. - do not hire a recovery company. they can't decrypt without the key. they also don't care about your business. they believe that they are good negotiators, but it is not. they usually fail. so speak for yourself.waiting you in a chat.
                      Source: HkObDPju6Z.exe, 00000003.00000003.22575159083.0000000002F20000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
                      Source: HkObDPju6Z.exe, 00000003.00000003.22575159083.0000000002F20000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: @xh.7878kr5jxC:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet4
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\vssadmin.exe C:\Windows\SysNative\vssadmin.exe delete shadows /all /quietJump to behavior
                      Source: cmd.exe, 00000005.00000003.22578239684.0000000002BFF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ndows\SysNative\vssadmin.exe delete shadows /all /quiet
                      Source: cmd.exe, 00000005.00000002.22583742097.0000000002B90000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Users\user\Desktop\C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quietC:\Windows\system32\cmd.exeWinsta0\Default@
                      Source: cmd.exe, 00000005.00000002.22583742097.0000000002B90000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Users\user\Desktop\C:\Windows\system32\vssadmin.exexeC:\Windows\SysNative\vssadmin.exe delete shadows /all /quietnsC:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet=CWinsta0\DefaultpDa=::=::\ALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\A\Registry\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\SideBySideiersC:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=computerComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\computerNUMBER_OF_PROCESSORS=16OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 158 Stepping 13, GenuineIn\Regi\Registry\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\SideBySide:\Program Fi5
                      Source: cmd.exe, 00000005.00000002.22584071859.0000000003060000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Windows\system32\cmd.exe/cC:\Windows\SysNative\vssadmin.exedeleteshadows/all/quietUSER
                      Source: cmd.exe, 00000005.00000002.22584071859.0000000003060000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: indows\system32\cmd.exe c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
                      Source: cmd.exe, 00000005.00000002.22583794298.0000000002BF0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Users\user\Desktop\C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quietC:\Windows\system32\cmd.exeWinsta0\Default@
                      Source: cmd.exe, 00000005.00000002.22583794298.0000000002BF0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
                      Source: cmd.exe, 00000005.00000002.22583794298.0000000002BF0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quietxJ
                      Source: cmd.exe, 00000005.00000002.22583794298.0000000002BF0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
                      Source: cmd.exe, 00000005.00000002.22583794298.0000000002BF0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet=J
                      Source: vssadmin.exe, 00000007.00000002.22582396603.000002558A8A0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Users\user\Desktop\C:\Windows\system32\vssadmin.exeC:\Windows\SysNative\vssadmin.exe delete shadows /all /quietC:\Windows\SysNative\vssadmin.exe delete shadows /all /quietWinsta0\DefaultZ
                      Source: vssadmin.exe, 00000007.00000002.22582396603.000002558A8A0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
                      Source: vssadmin.exe, 00000007.00000002.22582924443.000002558AB45000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Windows\SysNative\vssadmin.exedeleteshadows/all/quietl[T
                      Source: HkObDPju6Z.exeBinary or memory string: C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
                      Source: HkObDPju6Z.exe, 0000000A.00000003.22756871962.00000000028F0000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
                      Source: HkObDPju6Z.exe, 0000000A.00000003.22756871962.00000000028F0000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: @xh.7878kr5jxC:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet4
                      Source: HkObDPju6Z.exe, 0000000A.00000002.22778769878.0000000000A88000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ws\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
                      Source: HkObDPju6Z.exe, 0000000A.00000002.22778769878.0000000000A88000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ws\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quietqIZ
                      Source: HkObDPju6Z.exe, 0000000A.00000002.22778769878.0000000000A88000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: indows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quietVHR
                      Source: HkObDPju6Z.exe, 0000000A.00000002.22772911645.00000000005E0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Users\user\Desktop\C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quietC:\Windows\system32\cmd.exeWinsta0\Default@
                      Source: HkObDPju6Z.exe, 0000000A.00000002.22781985168.0000000002A40000.00000040.00001000.00020000.00000000.sdmpBinary or memory string: C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
                      Source: HkObDPju6Z.exe, 0000000A.00000002.22781985168.0000000002A40000.00000040.00001000.00020000.00000000.sdmpBinary or memory string: xh.7878kr5jxC:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet4
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\vssadmin.exe C:\Windows\SysNative\vssadmin.exe delete shadows /all /quietJump to behavior
                      Source: cmd.exe, 0000000B.00000002.22769798953.0000000002E50000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Users\user\Desktop\C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quietC:\Windows\system32\cmd.exeWinsta0\Default@
                      Source: cmd.exe, 0000000B.00000002.22769798953.0000000002E50000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
                      Source: cmd.exe, 0000000B.00000002.22769798953.0000000002E50000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
                      Source: cmd.exe, 0000000B.00000002.22769798953.0000000002E50000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
                      Source: cmd.exe, 0000000B.00000002.22771243764.00000000034B0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Windows\system32\cmd.exe/cC:\Windows\SysNative\vssadmin.exedeleteshadows/all/quietUSERA
                      Source: cmd.exe, 0000000B.00000002.22771243764.00000000034B0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: indows\system32\cmd.exe c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
                      Source: cmd.exe, 0000000B.00000002.22770295956.0000000002F60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Users\user\Desktop\C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quietC:\Windows\system32\cmd.exeWinsta0\Default@
                      Source: cmd.exe, 0000000B.00000002.22770295956.0000000002F60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Users\user\Desktop\C:\Windows\system32\vssadmin.exexeC:\Windows\SysNative\vssadmin.exe delete shadows /all /quietnsC:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet=CWinsta0\DefaultpDa=::=::\ALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\A\Registry\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\SideBySideiersC:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=computerComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\computerNUMBER_OF_PROCESSORS=16OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 158 Stepping 13, GenuineIn\Regi\Registry\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\SideBySide:\Program Fi5
                      Source: vssadmin.exe, 0000000D.00000002.22767624761.0000021C52477000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: - Code: ADMPROCC00001737- Call: ADMPROCC00001712- PID: 00004644- TID: 00003096- CMD: C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet - User: Name: computer\user, SID:S-1-5-21-3425316567-2969588382-3778222414-1001
                      Source: vssadmin.exe, 0000000D.00000002.22768372963.0000021C52695000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Windows\SysNative\vssadmin.exedeleteshadows/all/quiet
                      Source: vssadmin.exe, 0000000D.00000002.22767624761.0000021C52470000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Users\user\Desktop\C:\Windows\system32\vssadmin.exeC:\Windows\SysNative\vssadmin.exe delete shadows /all /quietC:\Windows\SysNative\vssadmin.exe delete shadows /all /quietWinsta0\Default\
                      Source: vssadmin.exe, 0000000D.00000002.22767624761.0000021C52470000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
                      Source: HkObDPju6Z.exe, 0000000E.00000002.22855289387.0000000000AA8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ws\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
                      Source: HkObDPju6Z.exe, 0000000E.00000002.22855289387.0000000000AA8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: indows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet8D[
                      Source: HkObDPju6Z.exe, 0000000E.00000003.22839485707.0000000002980000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
                      Source: HkObDPju6Z.exe, 0000000E.00000003.22839485707.0000000002980000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: @xh.7878kr5jxC:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet4
                      Source: HkObDPju6Z.exe, 0000000E.00000002.22852179285.0000000000740000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Users\user\Desktop\C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quietC:\Windows\system32\cmd.exeWinsta0\Default@
                      Source: HkObDPju6Z.exe, 0000000E.00000002.22856927512.0000000002A90000.00000040.00001000.00020000.00000000.sdmpBinary or memory string: C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
                      Source: HkObDPju6Z.exe, 0000000E.00000002.22856927512.0000000002A90000.00000040.00001000.00020000.00000000.sdmpBinary or memory string: xh.7878kr5jxC:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet4
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\vssadmin.exe C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
                      Source: cmd.exe, 0000000F.00000002.22850487846.0000000002D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Users\user\Desktop\C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quietC:\Windows\system32\cmd.exeWinsta0\Default@
                      Source: cmd.exe, 0000000F.00000002.22850487846.0000000002D10000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Users\user\Desktop\C:\Windows\system32\vssadmin.exexeC:\Windows\SysNative\vssadmin.exe delete shadows /all /quietnsC:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet=CWinsta0\DefaultpDa=::=::\ALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\A\Registry\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\SideBySideiersC:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=computerComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\computerNUMBER_OF_PROCESSORS=16OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 158 Stepping 13, GenuineIn\Regi\Registry\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\SideBySide:\Program Fi5
                      Source: cmd.exe, 0000000F.00000002.22850628903.0000000002DA0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Users\user\Desktop\C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quietC:\Windows\system32\cmd.exeWinsta0\Default@
                      Source: cmd.exe, 0000000F.00000002.22850628903.0000000002DA0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
                      Source: cmd.exe, 0000000F.00000002.22850628903.0000000002DA0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
                      Source: cmd.exe, 0000000F.00000002.22850628903.0000000002DA0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Windows\SysNative\vssadmin.exe delete shadows /all /quietV3
                      Source: cmd.exe, 0000000F.00000002.22851185178.0000000003270000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Windows\system32\cmd.exe/cC:\Windows\SysNative\vssadmin.exedeleteshadows/all/quietUSER
                      Source: cmd.exe, 0000000F.00000002.22851185178.0000000003270000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: indows\system32\cmd.exe c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
                      Source: vssadmin.exe, 00000011.00000002.22848700588.000001451D255000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Windows\SysNative\vssadmin.exedeleteshadows/all/quiet
                      Source: vssadmin.exe, 00000011.00000002.22847867711.000001451D085000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: - Code: ADMPROCC00001737- Call: ADMPROCC00001712- PID: 00008264- TID: 00006180- CMD: C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet - User: Name: computer\user, SID:S-1-5-21-3425316567-2969588382-3778222414-1001
                      Source: vssadmin.exe, 00000011.00000002.22847867711.000001451D085000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: - Code: ADMPROCC00001737- Call: ADMPROCC00001712- PID: 00008264- TID: 00006180- CMD: C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet - User: Name: computer\user, SID:S-1-5-21-3425316567-2969588382-3778222414-1001 1
                      Source: vssadmin.exe, 00000011.00000002.22847867711.000001451D050000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Users\user\Desktop\C:\Windows\system32\vssadmin.exeC:\Windows\SysNative\vssadmin.exe delete shadows /all /quietC:\Windows\SysNative\vssadmin.exe delete shadows /all /quietWinsta0\Default2
                      Source: vssadmin.exe, 00000011.00000002.22847867711.000001451D050000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
                      Source: vssadmin.exe, 00000011.00000002.22847867711.000001451D050000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Windows\SysNative\vssadmin.exe delete shadows /all /quietv
                      Source: HkObDPju6Z.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeCode function: 10_2_007D4B9010_2_007D4B90
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeCode function: 10_2_0081A18410_2_0081A184
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeCode function: 10_2_0080415010_2_00804150
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeCode function: 10_2_008182A610_2_008182A6
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeCode function: 10_2_0080459010_2_00804590
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeCode function: 10_2_0081A5A510_2_0081A5A5
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeCode function: 10_2_008485C010_2_008485C0
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeCode function: 10_2_008185EE10_2_008185EE
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeCode function: 10_2_007EA80010_2_007EA800
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeCode function: 10_2_0081A9D510_2_0081A9D5
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeCode function: 10_2_0081894510_2_00818945
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeCode function: 10_2_00818C8D10_2_00818C8D
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeCode function: 10_2_00830EC210_2_00830EC2
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeCode function: 10_2_007E8FD010_2_007E8FD0
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeCode function: 10_2_0081901B10_2_0081901B
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeCode function: 10_2_0080107A10_2_0080107A
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeCode function: 10_2_008193B810_2_008193B8
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeCode function: 10_2_0081974610_2_00819746
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeCode function: 10_2_007F993110_2_007F9931
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeCode function: 10_2_00819AAB10_2_00819AAB
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeCode function: 10_2_0083BAE110_2_0083BAE1
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeCode function: 10_2_00803BD010_2_00803BD0
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeCode function: 10_2_00801B5110_2_00801B51
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeCode function: 10_2_0083FDBC10_2_0083FDBC
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeCode function: 10_2_007F7DE310_2_007F7DE3
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeCode function: 10_2_00819E1F10_2_00819E1F
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeCode function: 10_2_02A4CB3010_2_02A4CB30
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeCode function: 10_2_02A435D010_2_02A435D0
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeCode function: 10_2_02AC020C10_2_02AC020C
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeCode function: 10_2_02AD621910_2_02AD6219
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeCode function: 10_2_02A8803010_2_02A88030
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeCode function: 10_2_02A4E18110_2_02A4E181
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeCode function: 10_2_02A6A19010_2_02A6A190
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeCode function: 10_2_02A9A11010_2_02A9A110
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeCode function: 10_2_02AD06BC10_2_02AD06BC
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeCode function: 10_2_02A826E010_2_02A826E0
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeCode function: 10_2_02A9A61010_2_02A9A610
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeCode function: 10_2_02A4C4FE10_2_02A4C4FE
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeCode function: 10_2_02A9045010_2_02A90450
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeCode function: 10_2_02AC059A10_2_02AC059A
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeCode function: String function: 007F3DA0 appears 64 times
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeCode function: String function: 00835B17 appears 36 times
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeCode function: String function: 00833118 appears 54 times
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeProcess Stats: CPU usage > 98%
                      Source: HkObDPju6Z.exe, 00000003.00000000.22535515296.00000000008EE000.00000002.00000001.01000000.00000004.sdmpBinary or memory string: OriginalFilenameminipath.exeD vs HkObDPju6Z.exe
                      Source: HkObDPju6Z.exe, 0000000A.00000000.22714777048.00000000008EE000.00000002.00000001.01000000.00000004.sdmpBinary or memory string: OriginalFilenameminipath.exeD vs HkObDPju6Z.exe
                      Source: HkObDPju6Z.exe, 0000000E.00000002.22854546352.00000000008EE000.00000002.00000001.01000000.00000004.sdmpBinary or memory string: OriginalFilenameminipath.exeD vs HkObDPju6Z.exe
                      Source: HkObDPju6Z.exeBinary or memory string: OriginalFilenameminipath.exeD vs HkObDPju6Z.exe
Source: C:\Windows\System32\vssadmin.exeSection loaded: edgegdi.dll
Source: C:\Users\user\Desktop\HkObDPju6Z.exeSection loaded: edgegdi.dll
Source: C:\Users\user\Desktop\HkObDPju6Z.exeSection loaded: fdgmnfmfhdfgsndhfd.dll
Source: C:\Windows\SysWOW64\notepad.exeSection loaded: edgegdi.dll
                      Source: HkObDPju6Z.exeReversingLabs: Detection: 59%
                      Source: HkObDPju6Z.exeVirustotal: Detection: 69%
Source: C:\Windows\System32\vssadmin.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: unknownProcess created: C:\Users\user\Desktop\HkObDPju6Z.exe C:\Users\user\Desktop\HkObDPju6Z.exe
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\vssadmin.exe C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
                      Source: unknownProcess created: C:\Users\user\Desktop\HkObDPju6Z.exe "C:\Users\user\Desktop\HkObDPju6Z.exe"
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\vssadmin.exe C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
                      Source: unknownProcess created: C:\Users\user\Desktop\HkObDPju6Z.exe "C:\Users\user\Desktop\HkObDPju6Z.exe"
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\vssadmin.exe C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c start /MAX notepad.exe c:\instructions_read_me.txt
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\notepad.exe notepad.exe c:\instructions_read_me.txt
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\vssadmin.exe C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: C:\Users\user\Desktop\HkObDPju6Z.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\vssadmin.exe C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: C:\Users\user\Desktop\HkObDPju6Z.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\vssadmin.exe C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\notepad.exe notepad.exe c:\instructions_read_me.txt
Source: C:\Windows\System32\vssadmin.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F2C2787D-95AB-40D4-942D-298F5F757874}\InProcServer32
Source: C:\Users\user\Desktop\HkObDPju6Z.exeFile created: C:\Users\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exeFile created: C:\Users\user\AppData\Local\Temp\fkdjsadasd.ico
                      Source: classification engineClassification label: mal88.rans.spyw.evad.winEXE@21/1025@0/0
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeCode function: 10_2_007E6080 CoCreateInstance,lstrcpyW,ExpandEnvironmentStringsW,lstrcpynW,10_2_007E6080
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeCode function: 10_2_007E2F30 GetLastError,FormatMessageW,lstrlenW,lstrlenW,lstrlenW,LocalAlloc,LocalFree,GetFocus,MessageBoxExW,LocalFree,LocalFree,10_2_007E2F30
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2452:120:WilError_03
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7328:120:WilError_03
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7328:304:WilStaging_02
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4152:120:WilError_03
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2280:120:WilError_03
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2280:304:WilStaging_02
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4152:304:WilStaging_02
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2452:304:WilStaging_02
                      Source: C:\Windows\SysWOW64\notepad.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1352:168:WilStaging_02
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeCode function: 10_2_007F132D LoadResource,10_2_007F132D
Source: C:\Users\user\Desktop\HkObDPju6Z.exeFile created: C:\Program Files\instructions_read_me.txt
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeCommand line argument: *.*10_2_007E8650
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeCommand line argument: TaskbarCreated10_2_007E8650
                      Source: Window RecorderWindow detected: More than 3 window changes detected
                      Source: HkObDPju6Z.exeStatic file information: File size 1489920 > 1048576
Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Google\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Internet Explorer\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Microsoft Office\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Microsoft Office 15\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Microsoft Update Health Tools\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Mozilla Firefox\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\MSBuild\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\PCHealthCheck\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Realtek\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Reference Assemblies\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\ruxim\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Uninstall Information\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\UNP\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Windows Defender\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Windows Defender Advanced Threat Protection\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Windows Mail\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Windows Media Player\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Windows Multimedia Platform\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Windows NT\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Windows Photo Viewer\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Windows Portable Devices\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Windows Security\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\WindowsPowerShell\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\DESIGNER\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\microsoft shared\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\Services\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\System\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Google\Chrome\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Internet Explorer\en-GB\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Internet Explorer\en-US\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Internet Explorer\images\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Internet Explorer\SIGNUP\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Microsoft Office\Office16\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Microsoft Office\PackageManifests\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Microsoft Office\root\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Microsoft Office\Updates\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Microsoft Office 15\ClientX64\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Microsoft Update Health Tools\Logs\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Mozilla Firefox\browser\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Mozilla Firefox\defaults\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Mozilla Firefox\fonts\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Mozilla Firefox\gmp-clearkey\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Mozilla Firefox\META-INF\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Mozilla Firefox\uninstall\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\MSBuild\Microsoft\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\PCHealthCheck\af-ZA\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\PCHealthCheck\ar\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\PCHealthCheck\az-Latn-AZ\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\PCHealthCheck\bg\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\PCHealthCheck\bs-Latn-BA\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\PCHealthCheck\ca-ES\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\PCHealthCheck\cs\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\PCHealthCheck\cy-GB\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\PCHealthCheck\da\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\PCHealthCheck\de\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\PCHealthCheck\el-GR\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\PCHealthCheck\en-GB\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\PCHealthCheck\en-US\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\PCHealthCheck\es\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\PCHealthCheck\es-MX\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\PCHealthCheck\et\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\PCHealthCheck\eu-ES\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\PCHealthCheck\fa-IR\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\PCHealthCheck\fi\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\PCHealthCheck\fr\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\PCHealthCheck\fr-CA\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\PCHealthCheck\gl-ES\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\PCHealthCheck\he\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\PCHealthCheck\hr\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\PCHealthCheck\hu\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\PCHealthCheck\id\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\PCHealthCheck\is-IS\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\PCHealthCheck\it\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\PCHealthCheck\ja\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\PCHealthCheck\ka-GE\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\PCHealthCheck\kk-KZ\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\PCHealthCheck\ko\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\PCHealthCheck\lt\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\PCHealthCheck\lv\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\PCHealthCheck\ms-MY\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\PCHealthCheck\nb\instructions_read_me.txt
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\PCHealthCheck\nl\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\PCHealthCheck\nn-NO\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\PCHealthCheck\pl\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\PCHealthCheck\pt\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\PCHealthCheck\pt-PT\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\PCHealthCheck\ro\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\PCHealthCheck\ru\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\PCHealthCheck\sk\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\PCHealthCheck\sl\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\PCHealthCheck\sq-AL\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\PCHealthCheck\sr-Cyrl-BA\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\PCHealthCheck\sr-latn\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\PCHealthCheck\sv\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\PCHealthCheck\th\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\PCHealthCheck\tr-TR\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\PCHealthCheck\uk\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\PCHealthCheck\ux\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\PCHealthCheck\vi\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\PCHealthCheck\zh-hans\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\PCHealthCheck\zh-hant\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Realtek\Audio\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Reference Assemblies\Microsoft\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\ruxim\ar-sa\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\ruxim\bg-bg\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\ruxim\cs-sz\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\ruxim\da-dk\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\ruxim\de-de\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\ruxim\el-gr\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\ruxim\en-gb\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\ruxim\en-us\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\ruxim\es-es\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\ruxim\es-mx\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\ruxim\et-ee\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\ruxim\fi-fi\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\ruxim\fr-ca\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\ruxim\fr-fr\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\ruxim\he-il\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\ruxim\hr-hr\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\ruxim\hu-hu\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\ruxim\it-it\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\ruxim\ja-jp\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\ruxim\ko-kr\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\ruxim\Logs\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\ruxim\lt-lt\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\ruxim\lv-lv\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\ruxim\nb-no\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\ruxim\nl-nl\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\ruxim\pl-pl\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\ruxim\pt-br\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\ruxim\pt-pt\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\ruxim\ro-ro\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\ruxim\ru-ru\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\ruxim\sk-sk\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\ruxim\sl-latn-rs\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\ruxim\sl-si\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\ruxim\sv-se\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\ruxim\th-th\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\ruxim\tr-tr\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\ruxim\uk-ua\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\ruxim\zh-cn\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\ruxim\zh-tw\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\UNP\Logs\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Windows Defender\en-GB\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Windows Defender\en-US\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Windows Defender\Offline\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Windows Defender\Platform\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Windows Defender Advanced Threat Protection\Classification\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Windows Defender Advanced Threat Protection\en-US\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Windows Media Player\en-GB\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Windows Media Player\en-US\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Windows Media Player\Media Renderer\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Windows Media Player\Network Sharing\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Windows Media Player\Skins\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Windows Media Player\Visualizations\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Windows NT\Accessories\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Windows NT\TableTextService\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Windows Photo Viewer\en-GB\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Windows Photo Viewer\en-US\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Windows Security\BrowserCore\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\WindowsPowerShell\Modules\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ClickToRun\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\microsoft shared\MSInfo\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\microsoft shared\OFFICE16\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\microsoft shared\Stationery\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\microsoft shared\TextConv\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\microsoft shared\Triedit\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\microsoft shared\VGX\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\microsoft shared\VSTO\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\System\ado\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\System\en-GB\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\System\en-US\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\System\msadc\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\System\Ole DB\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Google\Chrome\Application\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Microsoft Office\root\Client\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Microsoft Office\root\Document Themes 16\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Microsoft Office\root\fre\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Microsoft Office\root\Integration\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Microsoft Office\root\Licenses\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Microsoft Office\root\Licenses16\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Microsoft Office\root\loc\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Microsoft Office\root\Office15\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Microsoft Office\root\Office16\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Microsoft Office\root\rsod\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Microsoft Office\root\Stationery\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Microsoft Office\root\Templates\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Microsoft Office\root\vfs\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Microsoft Office\root\vreg\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Microsoft Office\Updates\Apply\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Microsoft Office\Updates\Download\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Mozilla Firefox\browser\features\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Mozilla Firefox\browser\META-INF\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Mozilla Firefox\browser\VisualElements\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Mozilla Firefox\defaults\pref\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\PCHealthCheck\ux\resources\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\PCHealthCheck\ux\static\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Realtek\Audio\HDA\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Reference Assemblies\Microsoft\Framework\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Windows NT\Accessories\en-US\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Windows NT\TableTextService\en-US\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Windows Security\BrowserCore\en-US\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\WindowsPowerShell\Modules\PackageManagement\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\WindowsPowerShell\Modules\Pester\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\WindowsPowerShell\Modules\PSReadline\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\ar-SA\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\bg-BG\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\da-DK\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\de-DE\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\el-GR\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\en-GB\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\en-US\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\es-ES\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\es-MX\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\et-EE\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\fi-FI\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\fr-CA\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\fr-FR\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\he-IL\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\hr-HR\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\hu-HU\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\it-IT\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\ja-JP\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\ko-KR\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\lt-LT\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\lv-LV\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\nb-NO\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\nl-NL\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\pl-PL\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\pt-BR\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\pt-PT\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\ro-RO\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\ru-RU\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\sk-SK\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\sl-SI\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\instructions_read_me.txtJump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe | Directory created: C:\Program Files\Common Files\microsoft shared\ink\sv-SE\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe | Directory created: C:\Program Files\Common Files\microsoft shared\ink\th-TH\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe | Directory created: C:\Program Files\Common Files\microsoft shared\ink\tr-TR\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe | Directory created: C:\Program Files\Common Files\microsoft shared\ink\uk-UA\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe | Directory created: C:\Program Files\Common Files\microsoft shared\ink\zh-CN\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe | Directory created: C:\Program Files\Common Files\microsoft shared\ink\zh-TW\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe | Directory created: C:\Program Files\Common Files\microsoft shared\MSInfo\en-GB\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe | Directory created: C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe | Directory created: C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe | Directory created: C:\Program Files\Common Files\microsoft shared\TextConv\en-US\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe | Directory created: C:\Program Files\Common Files\microsoft shared\Triedit\en-US\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe | Directory created: C:\Program Files\Common Files\microsoft shared\VSTO\10.0\instructions_read_me.txt
Source: HkObDPju6Z.exe | Static PE information: section name: RT_CURSOR
Source: HkObDPju6Z.exe | Static PE information: section name: RT_BITMAP
Source: HkObDPju6Z.exe | Static PE information: section name: RT_ICON
Source: HkObDPju6Z.exe | Static PE information: section name: RT_MENU
Source: HkObDPju6Z.exe | Static PE information: section name: RT_DIALOG
Source: HkObDPju6Z.exe | Static PE information: section name: RT_STRING
Source: HkObDPju6Z.exe | Static PE information: section name: RT_ACCELERATOR
Source: HkObDPju6Z.exe | Static PE information: section name: RT_GROUP_ICON
Source: HkObDPju6Z.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: HkObDPju6Z.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: Binary string: E:\cpp\calc\Bin\Release_x86_v143\minipath.pdb source: HkObDPju6Z.exe
                      Source: Binary string: rocess-l1-1-0.pdb source: api-ms-win-crt-process-l1-1-0.dll.3.dr
                      Source: Binary string: K0S\ship\lobiclient\x-none\EntityPicker.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000{ source: EntityPicker.dll.3.dr
                      Source: Binary string: d:\dbs\el\may\target\x64\ship\osm\x-none\MSBARCODE.pdb0000000000000 source: MSBARCODE.DLL.3.dr
                      Source: Binary string: D:\Extra\react\chakradbg\arm64\build\bin\x64\Release\ChakraCore.Debugger.pdbBB"! source: ChakraCore.Debugger.dll.3.dr
                      Source: Binary string: G0.pdb source: api-ms-win-core-xstate-l2-1-0.dll.3.dr
                      Source: Binary string: d:\dbs\el\may\target\x64\ship\osm\x-none\MSBARCODE.pdb source: MSBARCODE.DLL.3.dr
                      Source: Binary string: ;\ship\intldate\x-none\IntlDate.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 source: INTLDATE.DLL.3.dr
                      Source: Binary string: ;\ship\intldate\x-none\IntlDate.pdb source: INTLDATE.DLL.3.dr
                      Source: Binary string: S\ship\lobiclient\x-none\EntityPicker.pdb source: EntityPicker.dll.3.dr
                      Source: Binary string: d:\dbs\el\jul\target\x64\ship\click2run\x-none\Interceptor.pdb source: Interceptor.dll.3.dr
                      Source: Binary string: d:\dbs\el\jul\target\x64\ship\click2run\x-none\Interceptor.pdb0000000000000000000000000000000000000 source: Interceptor.dll.3.dr
                      Source: Binary string: D:\Extra\react\chakradbg\arm64\build\bin\x64\Release\ChakraCore.Debugger.pdb source: ChakraCore.Debugger.dll.3.dr
Source: C:\Users\user\Desktop\HkObDPju6Z.exe | Code function: 3_3_0107D3A8 pushad ; iretd 3_3_0107D3C9
Source: C:\Users\user\Desktop\HkObDPju6Z.exe | Code function: 3_3_0107D3A8 pushad ; iretd 3_3_0107D3C9
Source: C:\Users\user\Desktop\HkObDPju6Z.exe | Code function: 3_3_0107D3A8 pushad ; iretd 3_3_0107D3C9
Source: C:\Users\user\Desktop\HkObDPju6Z.exe | Code function: 3_3_0107D3A8 pushad ; iretd 3_3_0107D3C9
Source: C:\Users\user\Desktop\HkObDPju6Z.exe | Code function: 3_3_0107D3A8 pushad ; iretd 3_3_0107D3C9
Source: C:\Users\user\Desktop\HkObDPju6Z.exe | Code function: 3_3_0107D3A8 pushad ; iretd 3_3_0107D3C9
Source: C:\Users\user\Desktop\HkObDPju6Z.exe | Code function: 3_3_0107D3A8 pushad ; iretd 3_3_0107D3C9
Source: C:\Users\user\Desktop\HkObDPju6Z.exe | Code function: 3_3_0107D3A8 pushad ; iretd 3_3_0107D3C9
Source: C:\Users\user\Desktop\HkObDPju6Z.exe | Code function: 3_3_0107CF3E pushad ; iretd 3_3_0107CF6D
Source: C:\Users\user\Desktop\HkObDPju6Z.exe | Code function: 3_3_0107CF3E pushad ; iretd 3_3_0107CF6D
Source: C:\Users\user\Desktop\HkObDPju6Z.exe | Code function: 3_3_0107CF3E pushad ; iretd 3_3_0107CF6D
Source: C:\Users\user\Desktop\HkObDPju6Z.exe | Code function: 3_3_0107CF3E pushad ; iretd 3_3_0107CF6D
Source: C:\Users\user\Desktop\HkObDPju6Z.exe | Code function: 3_3_0107CF3E pushad ; iretd 3_3_0107CF6D
Source: C:\Users\user\Desktop\HkObDPju6Z.exe | Code function: 3_3_0107CF3E pushad ; iretd 3_3_0107CF6D
Source: C:\Users\user\Desktop\HkObDPju6Z.exe | Code function: 3_3_0107CF3E pushad ; iretd 3_3_0107CF6D
Source: C:\Users\user\Desktop\HkObDPju6Z.exe | Code function: 3_3_0107CF3E pushad ; iretd 3_3_0107CF6D
Source: C:\Users\user\Desktop\HkObDPju6Z.exe | Code function: 3_3_01077FD8 pushad ; retf 3_3_010783E1
Source: C:\Users\user\Desktop\HkObDPju6Z.exe | Code function: 3_3_01077FD8 pushad ; retf 3_3_010783E1
Source: C:\Users\user\Desktop\HkObDPju6Z.exe | Code function: 3_3_01077FD8 pushad ; retf 3_3_010783E1
Source: C:\Users\user\Desktop\HkObDPju6Z.exe | Code function: 3_3_01077FD8 pushad ; retf 3_3_010783E1
Source: C:\Users\user\Desktop\HkObDPju6Z.exe | Code function: 3_3_01077FD8 pushad ; retf 3_3_010783E1
Source: C:\Users\user\Desktop\HkObDPju6Z.exe | Code function: 3_3_01077FD8 pushad ; retf 3_3_010783E1
Source: C:\Users\user\Desktop\HkObDPju6Z.exe | Code function: 3_3_01077FD8 pushad ; retf 3_3_010783E1
Source: C:\Users\user\Desktop\HkObDPju6Z.exe | Code function: 3_3_01077FD8 pushad ; retf 3_3_010783E1
Source: C:\Users\user\Desktop\HkObDPju6Z.exe | Code function: 3_3_01077FD8 pushad ; retf 3_3_010783E1
Source: C:\Users\user\Desktop\HkObDPju6Z.exe | Code function: 3_3_0107ABF2 push ds; retf 3_3_0107ABF3
Source: C:\Users\user\Desktop\HkObDPju6Z.exe | Code function: 3_3_0107ABF2 push ds; retf 3_3_0107ABF3
Source: C:\Users\user\Desktop\HkObDPju6Z.exe | Code function: 3_3_0107ABF2 push ds; retf 3_3_0107ABF3
Source: C:\Users\user\Desktop\HkObDPju6Z.exe | Code function: 3_3_0107ABF2 push ds; retf 3_3_0107ABF3
Source: C:\Users\user\Desktop\HkObDPju6Z.exe | Code function: 3_3_0107ABF2 push ds; retf 3_3_0107ABF3
Source: C:\Users\user\Desktop\HkObDPju6Z.exe | Code function: 3_3_0107ABF2 push ds; retf 3_3_0107ABF3
Source: C:\Users\user\Desktop\HkObDPju6Z.exe | Code function: 10_2_007EA240 CreateWindowExW,LoadLibraryW,GetProcAddress,FreeLibrary,GetWindowLongW,SetWindowLongW,SetWindowPos,SendMessageW,SendMessageW,#410,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetSystemMetrics,CreateWindowExW,SendMessageW,SendMessageW,SHGetFileInfoW,SendMessageW,SendMessageW,SendMessageW,DragAcceptFiles,SendMessageW,SendMessageW,GetSystemMenu,DeleteMenu,DeleteMenu,DeleteMenu,GetMenuItemInfoW,SetMenuItemInfoW,LoadStringW,LoadStringW,LoadStringW,InsertMenuW,InsertMenuW,LoadStringW,LoadStringW,InsertMenuW,InsertMenuW,10_2_007EA240
Source: initial sample | Static PE information: section name: .data entropy: 7.357984406581138
Source: C:\Users\user\Desktop\HkObDPju6Z.exe | Code function: 10_2_007EFF10 GetSysColor,EnumWindows,IsWindowEnabled,IsIconic,ShowWindowAsync,IsWindowVisible,SendMessageW,SendMessageW,SendMessageW,SetForegroundWindow,GlobalSize,PathIsRelativeW,GetCurrentDirectoryW,PathAppendW,lstrcpyW,GlobalSize,SendMessageW,GlobalFree,LoadStringW,LoadStringW,LoadStringW,StrChrW,MessageBoxW,10_2_007EFF10
Source: C:\Users\user\Desktop\HkObDPju6Z.exe | Code function: 10_2_007F04A0 lstrcpyW,lstrcpyW,EnumWindows,IsWindowEnabled,IsIconic,ShowWindowAsync,SetForegroundWindow,lstrlenW,GlobalAlloc,GlobalLock,lstrcpyW,GlobalUnlock,PostMessageW,StrChrW,MessageBoxW,GetShortPathNameW,StrCatBuffW,StrCpyNW,StrCatBuffW,StrCatBuffW,lstrcpyW,ShellExecuteExW,lstrcpynW,wsprintfW,DdeInitializeW,DdeCreateStringHandleW,DdeCreateStringHandleW,DdeCreateStringHandleW,DdeFreeStringHandle,DdeConnect,lstrlenW,DdeClientTransaction,DdeDisconnect,DdeFreeStringHandle,DdeFreeStringHandle,DdeFreeStringHandle,DdeUninitialize,GetShortPathNameW,StrCatBuffW,StrCpyNW,StrCatBuffW,StrCatBuffW,lstrcpyW,ExpandEnvironmentStringsW,lstrcpynW,ShellExecuteExW,DialogBoxIndirectParamW,LocalFree,10_2_007F04A0
Source: C:\Users\user\Desktop\HkObDPju6Z.exe | Code function: 10_2_007F0AF0 lstrcpyW,EnumWindows,IsIconic,IsZoomed,SendMessageW,SetForegroundWindow,SetForegroundWindow,BringWindowToTop,SetForegroundWindow,GetSystemMetrics,GetWindowRect,GetWindowRect,GetWindowRect,EqualRect,SystemParametersInfoW,DrawAnimatedRects,SetWindowPos,10_2_007F0AF0
Source: C:\Users\user\Desktop\HkObDPju6Z.exe | Code function: 10_2_007E8FD0 SetTimer,KillTimer,FindCloseChangeNotification,GetWindowPlacement,DragAcceptFiles,LocalFree,LocalFree,PostQuitMessage,DefWindowProcW,SendMessageW,DefWindowProcW,WaitForSingleObject,FindNextChangeNotification,SendMessageW,SetWindowPos,SetWindowPos,DefWindowProcW,ShowOwnedPopups,ShowOwnedPopups,SystemParametersInfoW,GetWindowRect,DrawAnimatedRects,ShowWindow,SetBkColor,SetTextColor,SendMessageW,SetWindowPos,RedrawWindow,IsIconic,ShowWindow,DragQueryFileW,DragQueryFileW,DragQueryFileW,DragFinish,GetWindowLongW,GetWindowLongW,GetWindowLongW,SetWindowLongW,SetWindowPos,SendMessageW,SendMessageW,SendMessageW,DestroyWindow,DestroyWindow,DestroyWindow,DestroyWindow,GetClientRect,SendMessageW,SendMessageW,UpdateWindow,IsWindowVisible,LoadMenuW,GetSubMenu,SetForegroundWindow,GetCursorPos,SetMenuDefaultItem,TrackPopupMenu,PostMessageW,DestroyMenu,PostMessageW,ShowOwnedPopups,10_2_007E8FD0
Source: C:\Users\user\Desktop\HkObDPju6Z.exe | Code function: 10_2_007ED9AB lstrcpyW,EnumWindows,IsIconic,IsZoomed,SendMessageW,SetForegroundWindow,SetForegroundWindow,BringWindowToTop,SetForegroundWindow,GetSystemMetrics,GetWindowRect,GetWindowRect,GetWindowRect,EqualRect,SystemParametersInfoW,DrawAnimatedRects,SetWindowPos,10_2_007ED9AB
Source: C:\Users\user\Desktop\HkObDPju6Z.exe | Code function: 10_2_02A9E195 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,10_2_02A9E195
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HkObDPju6Z.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HkObDPju6Z.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HkObDPju6Z.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HkObDPju6Z.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HkObDPju6Z.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HkObDPju6Z.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HkObDPju6Z.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HkObDPju6Z.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HkObDPju6Z.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HkObDPju6Z.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HkObDPju6Z.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HkObDPju6Z.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HkObDPju6Z.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HkObDPju6Z.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HkObDPju6Z.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HkObDPju6Z.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\notepad.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\notepad.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\HkObDPju6Z.exe | API coverage: 4.0 %
Source: C:\Users\user\Desktop\HkObDPju6Z.exe | Code function: 10_2_007F2503 VirtualQuery,GetSystemInfo,10_2_007F2503
Source: C:\Users\user\Desktop\HkObDPju6Z.exe | Code function: 10_2_0083605C FindFirstFileExW,10_2_0083605C
Source: C:\Users\user\Desktop\HkObDPju6Z.exe | Code function: 10_2_007EE3D0 PathCompactPathExW,LoadStringW,LoadStringW,LoadStringW,SendMessageW,GetParent,DoDragDrop,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SHGetDataFromIDListW,FindFirstFileW,FindClose,StrFormatByteSizeW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetDateFormatW,GetTimeFormatW,lstrcpyW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,wsprintfW,SendMessageW,wsprintfW,lstrcmpW,SendMessageW,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree,StrRetToBufW,StrRetToBufW,StrRetToBufW,SHGetFileInfoW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,lstrcmpW,10_2_007EE3D0
Source: C:\Users\user\Desktop\HkObDPju6Z.exe | Code function: 10_2_00836446 FindFirstFileExW,FindNextFileW,FindClose,FindClose,10_2_00836446
Source: C:\Users\user\Desktop\HkObDPju6Z.exe | Code function: 10_2_02A4CB30 FindFirstFileW,lstrcmpW,FindNextFileW,GetLastError,FindClose,GetTempPathW,RegCreateKeyExW,GetTickCount,10_2_02A4CB30
Source: C:\Users\user\Desktop\HkObDPju6Z.exe | Code function: 10_2_02AD8642 FindFirstFileExW,10_2_02AD8642
Source: C:\Users\user\Desktop\HkObDPju6Z.exe | Code function: 10_2_02A4C4FE FindFirstFileW,lstrcmpW,FindNextFileW,GetLastError,FindClose,10_2_02A4C4FE
Source: HkObDPju6Z.exe, 0000000A.00000002.22778769878.0000000000A88000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: vboxtray.exeUsers\
Source: HkObDPju6Z.exe, 0000000E.00000002.22855289387.0000000000AA8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: vboxservice
Source: HkObDPju6Z.exe, 0000000E.00000002.22855289387.0000000000AA8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: vboxservicek
Source: HkObDPju6Z.exe, 0000000E.00000002.22855289387.0000000000AA8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: vboxtray.exees(
Source: HkObDPju6Z.exe, 0000000E.00000002.22855289387.0000000000AA8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: vboxservice.exe
Source: HkObDPju6Z.exe, 0000000A.00000002.22778769878.0000000000A88000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: vboxserviceGW
Source: C:\Users\user\Desktop\HkObDPju6Z.exe | Code function: 10_2_00820E7D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,10_2_00820E7D
Source: C:\Users\user\Desktop\HkObDPju6Z.exe | Code function: 10_2_007EA240 CreateWindowExW,LoadLibraryW,GetProcAddress,FreeLibrary,GetWindowLongW,SetWindowLongW,SetWindowPos,SendMessageW,SendMessageW,#410,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetSystemMetrics,CreateWindowExW,SendMessageW,SendMessageW,SHGetFileInfoW,SendMessageW,SendMessageW,SendMessageW,DragAcceptFiles,SendMessageW,SendMessageW,GetSystemMenu,DeleteMenu,DeleteMenu,DeleteMenu,GetMenuItemInfoW,SetMenuItemInfoW,LoadStringW,LoadStringW,LoadStringW,InsertMenuW,InsertMenuW,LoadStringW,LoadStringW,InsertMenuW,InsertMenuW,10_2_007EA240
Source: C:\Users\user\Desktop\HkObDPju6Z.exe | Code function: 10_2_0083897F GetProcessHeap,10_2_0083897F
Source: C:\Users\user\Desktop\HkObDPju6Z.exe | Code function: 10_2_0082A542 mov ecx, dword ptr fs:[00000030h] 10_2_0082A542
Source: C:\Users\user\Desktop\HkObDPju6Z.exe | Code function: 10_2_00833B9D mov eax, dword ptr fs:[00000030h] 10_2_00833B9D
Source: C:\Users\user\Desktop\HkObDPju6Z.exe | Code function: 10_2_00833BE0 mov eax, dword ptr fs:[00000030h] 10_2_00833BE0
Source: C:\Users\user\Desktop\HkObDPju6Z.exe | Code function: 10_2_00833C23 mov eax, dword ptr fs:[00000030h] 10_2_00833C23
Source: C:\Users\user\Desktop\HkObDPju6Z.exe | Code function: 10_2_00833C7E mov eax, dword ptr fs:[00000030h] 10_2_00833C7E
Source: C:\Users\user\Desktop\HkObDPju6Z.exe | Code function: 10_2_00833D88 mov eax, dword ptr fs:[00000030h] 10_2_00833D88
Source: C:\Users\user\Desktop\HkObDPju6Z.exe | Code function: 10_2_00833DCC mov eax, dword ptr fs:[00000030h] 10_2_00833DCC
Source: C:\Users\user\Desktop\HkObDPju6Z.exe | Code function: 10_2_00833DFD mov eax, dword ptr fs:[00000030h] 10_2_00833DFD
Source: C:\Users\user\Desktop\HkObDPju6Z.exe | Code function: 10_2_00833D44 mov eax, dword ptr fs:[00000030h] 10_2_00833D44
Source: C:\Users\user\Desktop\HkObDPju6Z.exe | Code function: 10_2_00820E7D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,10_2_00820E7D
Source: C:\Users\user\Desktop\HkObDPju6Z.exe | Code function: 10_2_007F3225 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,10_2_007F3225
Source: C:\Users\user\Desktop\HkObDPju6Z.exe | Code function: 10_2_007F39B3 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,10_2_007F39B3
Source: C:\Users\user\Desktop\HkObDPju6Z.exe | Code function: 10_2_007F3B49 SetUnhandledExceptionFilter,10_2_007F3B49
Source: C:\Users\user\Desktop\HkObDPju6Z.exe | Code function: 10_2_02AB23C5 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,10_2_02AB23C5
Source: C:\Users\user\Desktop\HkObDPju6Z.exe | Code function: 10_2_02AB25C2 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,10_2_02AB25C2
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\vssadmin.exe C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: C:\Users\user\Desktop\HkObDPju6Z.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\vssadmin.exe C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: C:\Users\user\Desktop\HkObDPju6Z.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\vssadmin.exe C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\notepad.exe notepad.exe c:\instructions_read_me.txt
Source: HkObDPju6Z.exe | Binary or memory string: Shell_TrayWnd
Source: HkObDPju6Z.exe | Binary or memory string: MAuxtheme.dllIsAppThemed - []\]%i %i%CSIDL:MYDOCUMENTS%.lnk"...%1%.2i"%s"Segoe UIMicrosoft JhengHei UIMicrosoft YaHei UIYu Gothic UIMalgun GothicWINDOWSTYLE;WINDOWShell_TrayWndTrayNotifyWndaf-ZA be-BY de-DE el-GR en-GB en-US es-ES es-MX fr-FR hi-IN hu-HU id-ID it-IT ja-JP ko-KR nl-NL pl-PL pt-BR pt-PT ru-RU sk-SK sv-SE tr-TR vi-VN zh-CN zh-TWTaskbarCreatedfdgmnfmfhdfgsndhfdMinPathNotepad3...AutoRefreshRateSysListView32ComboBoxEx32ToolbarWindow32Toolbar Labels%02i(none)msctls_statusbar32ReBarWindow32Toolbar -f0 -n -p %i,%i,%i,%iok\A-RHS%s | %s %s | %s%u-/%i,%i,%i,%iNotepad3.exe
Source: HkObDPju6Z.exe, 00000003.00000000.22534600236.000000000084E000.00000002.00000001.01000000.00000004.sdmp, HkObDPju6Z.exe, 0000000A.00000000.22713856029.000000000084E000.00000002.00000001.01000000.00000004.sdmp, HkObDPju6Z.exe, 0000000A.00000002.22774896316.000000000084E000.00000002.00000001.01000000.00000004.sdmp | Binary or memory string: M~uxtheme.dllIsAppThemed - []\]%i %i%CSIDL:MYDOCUMENTS%.lnk"...%1%.2i"%s"Segoe UIMicrosoft JhengHei UIMicrosoft YaHei UIYu Gothic UIMalgun GothicWINDOWSTYLE;WINDOWShell_TrayWndTrayNotifyWndaf-ZA be-BY de-DE el-GR en-GB en-US es-ES es-MX fr-FR hi-IN hu-HU id-ID it-IT ja-JP ko-KR nl-NL pl-PL pt-BR pt-PT ru-RU sk-SK sv-SE tr-TR vi-VN zh-CN zh-TWTaskbarCreatedfdgmnfmfhdfgsndhfdMinPathNotepad3...AutoRefreshRateSysListView32ComboBoxEx32ToolbarWindow32Toolbar Labels%02i(none)msctls_statusbar32ReBarWindow32Toolbar -f0 -n -p %i,%i,%i,%iok\A-RHS%s | %s %s | %s%u-/%i,%i,%i,%iNotepad3.exe
Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\notepad.exe | Queries volume information: C:\instructions_read_me.txt VolumeInformation
Source: C:\Users\user\Desktop\HkObDPju6Z.exe | Code function: GetACP,IsValidCodePage,GetLocaleInfoW,10_2_0083C076
Source: C:\Users\user\Desktop\HkObDPju6Z.exe | Code function: EnumSystemLocalesW,10_2_0083C381
Source: C:\Users\user\Desktop\HkObDPju6Z.exe | Code function: EnumSystemLocalesW,10_2_0083C318
Source: C:\Users\user\Desktop\HkObDPju6Z.exe | Code function: ResolveLocaleName,GetLocaleInfoEx,10_2_007E8460
Source: C:\Users\user\Desktop\HkObDPju6Z.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,10_2_0083C4A7
Source: C:\Users\user\Desktop\HkObDPju6Z.exe | Code function: GetUserPreferredUILanguages,GetUserPreferredUILanguages,LocalAlloc,GetUserPreferredUILanguages,LocalFree,GetLocaleInfoEx,10_2_007E84F0
Source: C:\Users\user\Desktop\HkObDPju6Z.exe | Code function: EnumSystemLocalesW,10_2_0083C41C
Source: C:\Users\user\Desktop\HkObDPju6Z.exe | Code function: GetLocaleInfoW,10_2_0083C6FA
Source: C:\Users\user\Desktop\HkObDPju6Z.exe | Code function: GetLocaleInfoEx,SendMessageW,lstrlenW,ResetEvent,lstrlenW,CharPrevW,lstrlenW,CharPrevW,lstrlenW,10_2_007E66E0
Source: C:\Users\user\Desktop\HkObDPju6Z.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,10_2_0083C823
Source: C:\Users\user\Desktop\HkObDPju6Z.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,10_2_0083C9F8
Source: C:\Users\user\Desktop\HkObDPju6Z.exe | Code function: GetLocaleInfoW,10_2_0083C929
Source: C:\Users\user\Desktop\HkObDPju6Z.exe | Code function: EnumSystemLocalesW,10_2_00832B14
Source: C:\Users\user\Desktop\HkObDPju6Z.exe | Code function: EnumSystemLocalesW,10_2_00832CA5
Source: C:\Users\user\Desktop\HkObDPju6Z.exe | Code function: EnumSystemLocalesW,10_2_00832C73
Source: C:\Users\user\Desktop\HkObDPju6Z.exe | Code function: GetLocaleInfoW,10_2_007F0EC9
Source: C:\Users\user\Desktop\HkObDPju6Z.exe | Code function: LCIDToLocaleName,GetLocaleInfoEx,10_2_007F114B
Source: C:\Users\user\Desktop\HkObDPju6Z.exe | Code function: GetLocaleInfoW,10_2_008335D2
Source: C:\Users\user\Desktop\HkObDPju6Z.exe | Code function: GetLocaleInfoW,10_2_02ADC284
Source: C:\Users\user\Desktop\HkObDPju6Z.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,10_2_02ADC353
Source: C:\Users\user\Desktop\HkObDPju6Z.exe | Code function: GetLocaleInfoW,10_2_02ADC055
Source: C:\Users\user\Desktop\HkObDPju6Z.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,10_2_02ADC17E
Source: C:\Users\user\Desktop\HkObDPju6Z.exe | Code function: 10_2_007F3BB6 cpuid 10_2_007F3BB6
Source: C:\Users\user\Desktop\HkObDPju6Z.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\HkObDPju6Z.exe | Code function: 10_2_00833611 GetSystemTimeAsFileTime,10_2_00833611
Source: C:\Users\user\Desktop\HkObDPju6Z.exe | Code function: 10_2_02AD8178 GetTimeZoneInformation,10_2_02AD8178
Source: C:\Users\user\Desktop\HkObDPju6Z.exe | Code function: 10_2_007E8650 GetVersion,SetErrorMode,GetSysColor,GetSysColor,GetSysColor,GetSysColor,GetSysColor,GetSysColor,GetSysColor,GetSysColor,GetSysColor,GetSysColor,GetSysColor,GetSysColor,GetSysColor,GetSysColor,GetSysColor,OleInitialize,InitCommonControlsEx,RegisterWindowMessageW,CreateSolidBrush,CreateSolidBrush,CreateSolidBrush,10_2_007E8650
Source: HkObDPju6Z.exe, 00000003.00000003.22699680641.00000000044A4000.00000004.00000020.00020000.00000000.sdmp, HkObDPju6Z.exe, 00000003.00000003.22688330089.00000000044A4000.00000004.00000020.00020000.00000000.sdmp, HkObDPju6Z.exe, 00000003.00000003.22701642269.00000000044A4000.00000004.00000020.00020000.00000000.sdmp, HkObDPju6Z.exe, 00000003.00000003.22691417722.00000000044A4000.00000004.00000020.00020000.00000000.sdmp, HkObDPju6Z.exe, 00000003.00000003.22714149600.00000000044B6000.00000004.00000020.00020000.00000000.sdmp, HkObDPju6Z.exe, 00000003.00000003.22709498761.00000000044A4000.00000004.00000020.00020000.00000000.sdmp, HkObDPju6Z.exe, 00000003.00000003.22710230787.00000000044A4000.00000004.00000020.00020000.00000000.sdmp, HkObDPju6Z.exe, 00000003.00000003.22693481787.00000000044A5000.00000004.00000020.00020000.00000000.sdmp, HkObDPju6Z.exe, 00000003.00000003.22693632051.00000000044AA000.00000004.00000020.00020000.00000000.sdmp, HkObDPju6Z.exe, 00000003.00000003.22673821964.00000000044A5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\\Program Files\Windows Defender\MsMpEng.exe
Source: HkObDPju6Z.exe, 00000003.00000003.22658154530.00000000044AC000.00000004.00000020.00020000.00000000.sdmp, HkObDPju6Z.exe, 00000003.00000003.22653448073.00000000044AC000.00000004.00000020.00020000.00000000.sdmp, HkObDPju6Z.exe, 00000003.00000003.22647199873.00000000044A6000.00000004.00000020.00020000.00000000.sdmp, HkObDPju6Z.exe, 00000003.00000003.22652004226.0000000004497000.00000004.00000020.00020000.00000000.sdmp, HkObDPju6Z.exe, 00000003.00000003.22656570562.00000000044A7000.00000004.00000020.00020000.00000000.sdmp, HkObDPju6Z.exe, 00000003.00000003.22655892664.00000000044A7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: MsMpEng.exe
MITRE ATT&CK Matrix (techniques listed per tactic; the number in parentheses is the count shown beside that technique in the report)

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: Command and Scripting Interpreter (2); Native API (1); At (Linux); At (Windows); Cron; Launchd; Scheduled Task
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
Privilege Escalation: Process Injection (12); DLL Side-Loading (1); Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
Defense Evasion: Masquerading (3); Process Injection (12); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3); Software Packing (1); DLL Side-Loading (1); File Deletion (1)
Credential Access: Input Capture (11); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: System Time Discovery (2); Security Software Discovery (31); Process Discovery (1); Application Window Discovery (1); File and Directory Discovery (1); System Information Discovery (35); Network Sniffing
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: Input Capture (11); Archive Collected Data (1); Clipboard Data (11); Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Command and Control: Encrypted Channel (2); Proxy (1); Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Data Encrypted for Impact (1); Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact
Behavior Graph

Behavior Graph ID: 886219
Sample: HkObDPju6Z.exe
Start date: 12/06/2023
Architecture: WINDOWS
Score: 88

Top-level signatures:
• Multi AV Scanner detection for submitted file
• Found ransom note / readme
• Yara detected BlackBasta ransomware
• 3 other signatures

Process tree:
• HkObDPju6Z.exe (503)
  Dropped files:
  • C:\instructions_read_me.txt, ASCII
  • C:\Users\instructions_read_me.txt, ASCII
  • C:\ProgramData\instructions_read_me.txt, ASCII
  • 23 other files (7 malicious)
  Signatures:
  • Writes a notice file (html or txt) to demand a ransom
  • Contains functionality to modify clipboard data
  Child processes:
  • cmd.exe (1)
    Signatures:
    • May disable shadow drive data (uses vssadmin)
    • Deletes shadow drive data (may be related to ransomware)
    Child processes:
    • conhost.exe
    • vssadmin.exe (1)
  • cmd.exe (1)
    Child processes:
    • notepad.exe
    • conhost.exe
• HkObDPju6Z.exe (2)
  Child processes:
  • cmd.exe (1)
    Child processes:
    • conhost.exe
    • vssadmin.exe (1)
• HkObDPju6Z.exe (2)
  Child processes:
  • cmd.exe (1)
    Child processes:
    • conhost.exe
    • vssadmin.exe (1)
