Windows Analysis Report
HkObDPju6Z.exe

Overview

General Information

Sample Name: HkObDPju6Z.exe
Original Sample Name: 723d1cf3d74fb3ce95a77ed9dff257a78c8af8e67a82963230dd073781074224.exe
Analysis ID: 886219
MD5: 6441d7260944bcedc5958c5c8a05d16d
SHA1: 46257982840493eca90e051ff1749e7040895584
SHA256: 723d1cf3d74fb3ce95a77ed9dff257a78c8af8e67a82963230dd073781074224
Tags: exe

Detection

BlackBasta
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected BlackBasta ransomware
Found ransom note / readme
Antivirus / Scanner detection for submitted sample
Detected unpacking (creates a PE file in dynamic memory)
Infects executable files (exe, dll, sys, html)
Found Tor onion address
Machine Learning detection for sample
May disable shadow drive data (uses vssadmin)
Writes many files with high entropy
Writes a notice file (html or txt) to demand a ransom
Deletes shadow drive data (may be related to ransomware)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Abnormal high CPU Usage
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Contains functionality to read the PEB
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)

Classification

Name: Black Basta
Description: "Black Basta" is a new ransomware strain discovered during April 2022 - looks in dev since at least early February 2022 - and due to their ability to quickly amass new victims and the style of their negotiations, this is likely not a new operation but rather a rebrand of a previous top-tier ransomware gang that brought along their affiliates.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.blackbasta

AV Detection

Source: HkObDPju6Z.exe ReversingLabs: Detection: 59%
Source: HkObDPju6Z.exe Virustotal: Detection: 63%
Source: HkObDPju6Z.exe Avira: detected
Source: HkObDPju6Z.exe Joe Sandbox ML: detected

Compliance

Source: C:\Users\user\Desktop\HkObDPju6Z.exe Unpacked PE file: 6.2.HkObDPju6Z.exe.3600000.1.unpack
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Unpacked PE file: 8.2.HkObDPju6Z.exe.3220000.1.unpack
Source: HkObDPju6Z.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Google\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\internet explorer\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Microsoft Office\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\MSBuild\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Reference Assemblies\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Uninstall Information\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\UNP\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Windows Defender\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Windows Defender Advanced Threat Protection\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Windows Mail\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Windows Media Player\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Windows Multimedia Platform\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\windows nt\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Windows Photo Viewer\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Windows Portable Devices\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Windows Security\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\WindowsPowerShell\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\Services\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\system\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Google\Chrome\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\internet explorer\en-US\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\internet explorer\images\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\internet explorer\SIGNUP\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Microsoft Office\Office16\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\MSBuild\Microsoft\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Reference Assemblies\Microsoft\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\UNP\Logs\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\UNP\UpdateNotificationMgr\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Windows Defender\en-US\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Windows Defender\Offline\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Windows Defender Advanced Threat Protection\en-US\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Windows Media Player\en-US\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Windows Media Player\Media Renderer\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Windows Media Player\Network Sharing\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Windows Media Player\Skins\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Windows Media Player\Visualizations\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\windows nt\accessories\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\windows nt\tabletextservice\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Windows Photo Viewer\en-US\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Windows Security\BrowserCore\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\WindowsPowerShell\Modules\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\Filters\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\MSInfo\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\OFFICE16\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\Stationery\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\TextConv\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\Triedit\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\VC\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\vgx\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\VSTO\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\system\ado\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\system\en-US\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\system\msadc\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\system\ole db\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Google\Chrome\Application\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Microsoft Office\Office16\1033\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Microsoft Office\Office16\OneNote\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Reference Assemblies\Microsoft\Framework\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\windows nt\accessories\en-US\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\windows nt\tabletextservice\en-US\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Windows Security\BrowserCore\en-US\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\WindowsPowerShell\Modules\PackageManagement\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\WindowsPowerShell\Modules\Pester\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\WindowsPowerShell\Modules\PSReadline\instructions_read_me.txt
Source: HkObDPju6Z.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: P:\Target\x86\ship\msicustomactions\x-none\diagnoseca.pdbeca.pdb00000000000000 source: WordMUI.msi.0.dr
Source: Binary string: HfDons\x-none\ocfxca.pdb source: WordMUI.msi.0.dr
Source: Binary string: Gbqhxds.pdb source: WordMUI.msi.0.dr
Source: Binary string: E:\cpp\calc\Bin\Release_x86_v143\minipath.pdb source: HkObDPju6Z.exe
Source: Binary string: hca.pdb source: WordMUI.msi.0.dr
Source: Binary string: Gbqhxds.pdbxds.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 source: WordMUI.msi.0.dr
Source: Binary string: ]{Hw\x-none\mshelp\reghh20.pdbh20.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 source: WordMUI.msi.0.dr
Source: Binary string: ]{Hw\x-none\mshelp\reghh20.pdb source: WordMUI.msi.0.dr
Source: Binary string: P:\Target\x86\ship\msicustomactions\x-none\abortmsica.pdb source: WordMUI.msi.0.dr
Source: Binary string: _}@actions\x-none\patchca.pdb source: WordMUI.msi.0.dr
Source: Binary string: ica.pdb source: WordMUI.msi.0.dr
Source: Binary string: per.pdb source: setup.dll.0.dr
Source: Binary string: eca.pdb source: WordMUI.msi.0.dr
Source: Binary string: _}@actions\x-none\patchca.pdbhca.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 source: WordMUI.msi.0.dr
Source: Binary string: h20.pdb source: WordMUI.msi.0.dr
Source: Binary string: P:\Target\x86\ship\msicustomactions\x-none\abortmsica.pdbica.pdb0000000000000000000000 source: WordMUI.msi.0.dr
Source: Binary string: P:\Target\x86\ship\setupexe\x-none\setupbootstrapper.pdbper.pdb000Ut source: setup.dll.0.dr
Source: Binary string: HfDons\x-none\ocfxca.pdbxca.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 source: WordMUI.msi.0.dr
Source: Binary string: P:\Target\x86\ship\msicustomactions\x-none\diagnoseca.pdb source: WordMUI.msi.0.dr
Source: Binary string: P:\Target\x86\ship\setupexe\x-none\setupbootstrapper.pdb source: setup.dll.0.dr
Source: Binary string: xds.pdb source: WordMUI.msi.0.dr
Source: Binary string: xca.pdb source: WordMUI.msi.0.dr
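The two "Unpacked PE file" entries at the top of this section (6.2.HkObDPju6Z.exe.3600000.1.unpack and 8.2.HkObDPju6Z.exe.3220000.1.unpack) together with the memory-dump names quoted in the Networking section are enough to show what a memory triage pass looks for after "Detected unpacking (creates a PE file in dynamic memory)". The script below is an added example and is not part of the Joe Sandbox report. It assumes the dump-name fields are process.run.dump.base.protect.state.type and that protect/state/type carry the MEMORY_BASIC_INFORMATION values (0x40 PAGE_EXECUTE_READWRITE, 0x04 PAGE_READWRITE, 0x1000 MEM_COMMIT, 0x20000 MEM_PRIVATE); that reading of the naming convention is an assumption, and every region's contents are constructed.

```python
"""Pick out memory regions that hold an unpacked PE image.

Added example, not part of the sandbox report. Dump names are copied from
the report; the field layout process.run.dump.base.protect.state.type and
the MEMORY_BASIC_INFORMATION meaning of protect/state/type are assumptions.
Region contents are constructed.
"""
import struct
from typing import Dict, Optional

PAGE_EXECUTE_MASK = 0x10 | 0x20 | 0x40 | 0x80   # any PAGE_EXECUTE* protection
MEM_COMMIT = 0x1000
MEM_PRIVATE = 0x20000


def parse_dump_name(name: str) -> Dict[str, int]:
    """Split a dump file name into its numeric fields (base/protect/state/type are hex)."""
    fields = name.split(".")
    if fields[-1] == "sdmp":
        fields = fields[:-1]
    if len(fields) != 8:
        raise ValueError("unexpected dump name: " + name)
    proc, run, dump, base, protect, state, mtype, _ = fields
    return {
        "process": int(proc), "run": int(run), "dump": int(dump),
        "base": int(base, 16), "protect": int(protect, 16),
        "state": int(state, 16), "type": int(mtype, 16),
    }


def has_pe_header(head: bytes) -> bool:
    """True if the bytes start with an MZ stub whose e_lfanew points at 'PE\\0\\0'."""
    if len(head) < 0x40 or head[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", head, 0x3C)[0]
    return head[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def classify_region(region: Dict[str, int], head: bytes) -> Optional[str]:
    """'executable-pe' for a PE in executable private memory, 'staged-pe' for a PE
    in non-executable private memory, None for anything else."""
    if region["state"] != MEM_COMMIT or region["type"] != MEM_PRIVATE:
        return None        # image-backed mappings are expected to contain PEs
    if not has_pe_header(head):
        return None
    if region["protect"] & PAGE_EXECUTE_MASK:
        return "executable-pe"
    return "staged-pe"


def triage_dumps(dumps: Dict[str, bytes]) -> Dict[str, str]:
    """Map each dump name to a verdict; dumps with no verdict are omitted."""
    results = {}
    for name, head in dumps.items():
        verdict = classify_region(parse_dump_name(name), head)
        if verdict:
            results[name] = verdict
    return results


def fake_pe_head(size: int = 0x200) -> bytes:
    """Constructed minimal MZ/PE header: e_lfanew = 0x80, 'PE\\0\\0' at 0x80."""
    buf = bytearray(size)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)
    buf[0x80:0x84] = b"PE\0\0"
    return bytes(buf)


# Dump names taken from the report; contents constructed.
DUMP_P0_STAGING = "00000000.00000003.371931160.00000000034E0000.00000004.00001000.00020000.00000000.sdmp"
DUMP_P6_RWX = "00000006.00000002.463365199.0000000003600000.00000040.00001000.00020000.00000000.sdmp"
DUMP_P6_RW = "00000006.00000002.463304811.0000000003440000.00000004.00001000.00020000.00000000.sdmp"
DUMP_P8_RWX = "00000008.00000002.477620370.0000000003220000.00000040.00001000.00020000.00000000.sdmp"
SAMPLE_DUMPS = {
    DUMP_P0_STAGING: fake_pe_head(),   # parent holds a copy in RW memory
    DUMP_P6_RWX: fake_pe_head(),       # child: PE in RWX private memory
    DUMP_P6_RW: b"\x00" * 0x200,       # child: data region, no PE header
    DUMP_P8_RWX: fake_pe_head(),
}

if __name__ == "__main__":
    for name, verdict in triage_dumps(SAMPLE_DUMPS).items():
        print(verdict, name)
```

The split verdict matters: the report's Yara section also matches BlackBasta in the PAGE_READWRITE region at 0x34E0000 of process 0 (0.3.HkObDPju6Z.exe.34e0000.0.unpack), so a rule that only looks at executable regions would miss the copy the parent holds before the suspended child runs it; both copies are worth dumping and hashing.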

Spreading

Source: C:\Users\user\Desktop\HkObDPju6Z.exe System file written: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe
Source: C:\Users\user\Desktop\HkObDPju6Z.exe System file written: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe
Source: C:\Users\user\Desktop\HkObDPju6Z.exe System file written: C:\Program Files (x86)\AutoIt3\Uninstall.exe
Source: C:\Users\user\Desktop\HkObDPju6Z.exe System file written: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe
Source: C:\Users\user\Desktop\HkObDPju6Z.exe System file written: C:\Program Files (x86)\AutoIt3\Au3Info.exe
Source: C:\Users\user\Desktop\HkObDPju6Z.exe System file written: C:\Program Files (x86)\AutoIt3\Au3Check.exe
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 6_2_0025605C FindFirstFileExW, 6_2_0025605C
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 6_2_0020E3D0 PathCompactPathExW,LoadStringW,LoadStringW,LoadStringW,SendMessageW,GetParent,DoDragDrop,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SHGetDataFromIDListW,FindFirstFileW,FindClose,StrFormatByteSizeW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetDateFormatW,GetTimeFormatW,lstrcpyW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,wsprintfW,SendMessageW,wsprintfW,lstrcmpW,SendMessageW,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree,StrRetToBufW,StrRetToBufW,StrRetToBufW,SHGetFileInfoW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,lstrcmpW, 6_2_0020E3D0
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 6_2_00256446 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 6_2_00256446

Networking

Source: HkObDPju6Z.exe, 00000000.00000003.371931160.00000000034E0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
Source: HkObDPju6Z.exe, 00000006.00000002.463365199.0000000003600000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
Source: HkObDPju6Z.exe, 00000006.00000002.463304811.0000000003440000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
Source: HkObDPju6Z.exe, 00000008.00000002.477620370.0000000003220000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
Source: HkObDPju6Z.exe, 00000008.00000002.477563045.00000000030C0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
Source: instructions_read_me.txt59.0.dr String found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
Source: instructions_read_me.txt56.0.dr String found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
Source: instructions_read_me.txt74.0.dr String found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
Source: instructions_read_me.txt71.0.dr String found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
Source: instructions_read_me.txt65.0.dr String found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
Source: instructions_read_me.txt2.0.dr String found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
Source: PptLR.cab.0.dr String found in binary or memory: http://office.micro
Source: HkObDPju6Z.exe, 00000000.00000003.371931160.00000000034E0000.00000004.00001000.00020000.00000000.sdmp, HkObDPju6Z.exe, 00000006.00000002.463365199.0000000003600000.00000040.00001000.00020000.00000000.sdmp, HkObDPju6Z.exe, 00000006.00000002.463304811.0000000003440000.00000004.00001000.00020000.00000000.sdmp, HkObDPju6Z.exe, 00000008.00000002.477620370.0000000003220000.00000040.00001000.00020000.00000000.sdmp, HkObDPju6Z.exe, 00000008.00000002.477563045.00000000030C0000.00000004.00001000.00020000.00000000.sdmp, instructions_read_me.txt59.0.dr, instructions_read_me.txt56.0.dr, instructions_read_me.txt74.0.dr, instructions_read_me.txt71.0.dr, instructions_read_me.txt65.0.dr, instructions_read_me.txt2.0.dr String found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
Source: HkObDPju6Z.exe String found in binary or memory: https://www.flos-freeware.ch
Source: HkObDPju6Z.exe String found in binary or memory: https://www.flos-freeware.chopenmailto:florian.balmer
Source: HkObDPju6Z.exe String found in binary or memory: https://www.rizonesoft.com
Source: HkObDPju6Z.exe, 00000000.00000003.371931160.00000000034E0000.00000004.00001000.00020000.00000000.sdmp, HkObDPju6Z.exe, 00000006.00000002.463365199.0000000003600000.00000040.00001000.00020000.00000000.sdmp, HkObDPju6Z.exe, 00000008.00000002.477620370.0000000003220000.00000040.00001000.00020000.00000000.sdmp, instructions_read_me.txt59.0.dr, instructions_read_me.txt56.0.dr, instructions_read_me.txt74.0.dr, instructions_read_me.txt71.0.dr, instructions_read_me.txt65.0.dr, instructions_read_me.txt2.0.dr String found in binary or memory: https://www.torproject.org/

Spam, unwanted Advertisements and Ransom Demands

Source: Yara match File source: 6.2.HkObDPju6Z.exe.3600000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.HkObDPju6Z.exe.3600000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.HkObDPju6Z.exe.3220000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.HkObDPju6Z.exe.3220000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.HkObDPju6Z.exe.34e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.HkObDPju6Z.exe.34e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000003.371931160.00000000034E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.477620370.0000000003220000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.463365199.0000000003600000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: HkObDPju6Z.exe PID: 6028, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: HkObDPju6Z.exe PID: 7028, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: HkObDPju6Z.exe PID: 4652, type: MEMORYSTR
Source: C:\Program Files\Windows Defender\Offline\instructions_read_me.txt Dropped file: ATTENTION!Your network has been breached and all data was encrypted. Please contact us at:https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/ Login ID: 26d371a9-efda-4e82-9989-01e292244d65*!* To access .onion websites download and install Tor Browser at: https://www.torproject.org/ (Tor Browser is not related to us)*!* To restore all your PCs and get your network working again, follow these instructions:- Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. It doesn't matter, who are trying to do this, either it will be your IT guys or a recovery agency.Please follow these simple rules to avoid data corruption:- Do not modify, rename or delete files. Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. - Do not hire a recovery company. They can't decrypt without the key. They also don't care about your business. They believe that they are good negotiators, but it is not. They usually fail. So speak for yourself.Waiting you in a chat.
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\vssadmin.exe C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\vssadmin.exe C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\vssadmin.exe C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
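The vssadmin lines above record cmd.exe instances running under SysWOW64 (so children of the 32-bit sample) launching vssadmin through the SysNative alias to delete every shadow copy silently. The Python below is an added example, not part of the report, showing how the same command line is picked up in process-creation telemetry. The event records are constructed to resemble Sysmon Event ID 1 fields and the PIDs are invented; the script also matches two shadow copy deletion variants (vssadmin resize shadowstorage, wmic shadowcopy delete) that go beyond what this report captured.

```python
r"""Detect Volume Shadow Copy deletion in process-creation telemetry.

Added example, not part of the sandbox report. The report shows
C:\Windows\SysWOW64\cmd.exe launching
"C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet" three times.
The records below are constructed to look like Sysmon Event ID 1 fields; the
field names and PIDs are assumptions, not the sandbox's schema.
"""
import re
from typing import Dict, List, Optional

# The first pattern is exactly what the report captured. The other two are
# common equivalents used by other ransomware families and go beyond this report.
SHADOW_WIPE_PATTERNS = [
    re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I),
    re.compile(r"\bvssadmin(?:\.exe)?\s+resize\s+shadowstorage\b", re.I),
    re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I),
]
# "SysNative" is the WOW64 file-system-redirection alias for System32; only a
# 32-bit process on 64-bit Windows has a reason to spell the path that way.
SYSNATIVE_RE = re.compile(r"\\sysnative\\", re.I)
WOW64_CMD_RE = re.compile(r"\\syswow64\\cmd\.exe$", re.I)


def classify(event: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Return a finding for one process-creation event, or None if nothing matched."""
    cmd = event.get("CommandLine", "")
    if not any(p.search(cmd) for p in SHADOW_WIPE_PATTERNS):
        return None            # read-only use such as "vssadmin list shadows" falls out here
    reasons = ["shadow copy deletion command line"]
    if SYSNATIVE_RE.search(cmd):
        reasons.append("SysNative alias: caller is a 32-bit (WOW64) process")
    if WOW64_CMD_RE.search(event.get("ParentImage", "")):
        reasons.append("spawned by SysWOW64 cmd.exe")
    if "/quiet" in cmd.lower():
        reasons.append("/quiet suppresses the confirmation prompt")
    return {
        "pid": event.get("ProcessId"),
        "parent_pid": event.get("ParentProcessId"),
        "image": event.get("Image"),
        "reasons": reasons,
    }


def scan(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run classify() over a batch and keep only the findings."""
    return [f for f in (classify(e) for e in events) if f is not None]


# Constructed events: three mirror the report's process tree, two are benign.
VSS_CMD = r"C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet"
SAMPLE_EVENTS = [
    {"ProcessId": "5104", "ParentProcessId": "1201",
     "Image": r"C:\Windows\System32\vssadmin.exe",
     "ParentImage": r"C:\Windows\SysWOW64\cmd.exe", "CommandLine": VSS_CMD},
    {"ProcessId": "5380", "ParentProcessId": "1202",
     "Image": r"C:\Windows\System32\vssadmin.exe",
     "ParentImage": r"C:\Windows\SysWOW64\cmd.exe", "CommandLine": VSS_CMD},
    {"ProcessId": "5612", "ParentProcessId": "1203",
     "Image": r"C:\Windows\System32\vssadmin.exe",
     "ParentImage": r"C:\Windows\SysWOW64\cmd.exe", "CommandLine": VSS_CMD},
    {"ProcessId": "3300", "ParentProcessId": "900",
     "Image": r"C:\Windows\System32\vssadmin.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "vssadmin list shadows"},
    {"ProcessId": "3312", "ParentProcessId": "900",
     "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "cmd.exe /c dir C:\\"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The command-line match is the alert; the SysNative and SysWOW64 observations are context that, as here, points back to a 32-bit parent and helps prioritise the finding over a backup administrator running the same tool interactively.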
Source: C:\Users\user\Desktop\HkObDPju6Z.exe File created: C:\MSOCache\All Users\{90160000-0016-0409-0000-0000000FF1CE}-C\ExcelLR.cab entropy: 7.99965605307
Source: C:\Users\user\Desktop\HkObDPju6Z.exe File created: C:\MSOCache\All Users\{90160000-0018-0409-0000-0000000FF1CE}-C\PptLR.cab entropy: 7.99967707845
Source: C:\Users\user\Desktop\HkObDPju6Z.exe File created: C:\MSOCache\All Users\{90160000-0019-0409-0000-0000000FF1CE}-C\PubLR.cab entropy: 7.99943691441
Source: C:\Users\user\Desktop\HkObDPju6Z.exe File created: C:\MSOCache\All Users\{90160000-001A-0409-0000-0000000FF1CE}-C\OutlkLR.cab entropy: 7.99980996483
Source: C:\Users\user\Desktop\HkObDPju6Z.exe File created: C:\MSOCache\All Users\{90160000-001B-0409-0000-0000000FF1CE}-C\WordLR.cab entropy: 7.99912178904
Source: C:\Users\user\Desktop\HkObDPju6Z.exe File created: C:\MSOCache\All Users\{90160000-0044-0409-0000-0000000FF1CE}-C\InfLR.cab entropy: 7.99982545137
Source: C:\Users\user\Desktop\HkObDPju6Z.exe File created: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\ProPsWW2.cab entropy: 7.99993160516
Source: C:\Users\user\Desktop\HkObDPju6Z.exe File created: C:\MSOCache\All Users\{90160000-0090-0409-0000-0000000FF1CE}-C\DCFMUI.cab entropy: 7.99920950933
Source: C:\Users\user\Desktop\HkObDPju6Z.exe File created: C:\MSOCache\All Users\{90160000-00BA-0409-0000-0000000FF1CE}-C\GrooveLR.cab entropy: 7.99391529268
Source: C:\Users\user\Desktop\HkObDPju6Z.exe File created: C:\MSOCache\All Users\{90160000-00A1-0409-0000-0000000FF1CE}-C\OnoteLR.cab entropy: 7.99989863317
Source: C:\Users\user\Desktop\HkObDPju6Z.exe File created: C:\MSOCache\All Users\{90160000-00E2-0409-0000-0000000FF1CE}-C\OSMUXMUI.cab entropy: 7.99984999643
Source: C:\Users\user\Desktop\HkObDPju6Z.exe File created: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\ProPsWW.cab entropy: 7.99992937711
Source: C:\Users\user\Desktop\HkObDPju6Z.exe File created: C:\MSOCache\All Users\{90160000-0115-0409-0000-0000000FF1CE}-C\OfficeLR.cab entropy: 7.99992916048
Source: C:\Users\user\Desktop\HkObDPju6Z.exe File created: C:\MSOCache\All Users\{90160000-0116-0409-1000-0000000FF1CE}-C\OWOW64LR.cab entropy: 7.99856329527
Source: C:\Users\user\Desktop\HkObDPju6Z.exe File created: C:\MSOCache\All Users\{90160000-012B-0409-0000-0000000FF1CE}-C\LyncMUI.cab entropy: 7.99982011438
Source: C:\Users\user\Desktop\HkObDPju6Z.exe File created: C:\Program Files (x86)\AutoIt3\AutoIt.chm entropy: 7.99491747102
Source: C:\Users\user\Desktop\HkObDPju6Z.exe File created: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab entropy: 7.99994142291
Source: C:\Users\user\Desktop\HkObDPju6Z.exe File created: C:\Program Files (x86)\autoit3\AutoIt.chm.7878kr5jx (copy) entropy: 7.99491747102
Source: C:\Users\user\Desktop\HkObDPju6Z.exe File created: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab.7878kr5jx (copy) entropy: 7.99994142291
Source: C:\Users\user\Desktop\HkObDPju6Z.exe File created: C:\MSOCache\All Users\{90160000-0016-0409-0000-0000000FF1CE}-C\ExcelLR.cab.7878kr5jx (copy) entropy: 7.99965605307
Source: C:\Users\user\Desktop\HkObDPju6Z.exe File created: C:\MSOCache\All Users\{90160000-0018-0409-0000-0000000FF1CE}-C\PptLR.cab.7878kr5jx (copy) entropy: 7.99967707845
Source: C:\Users\user\Desktop\HkObDPju6Z.exe File created: C:\MSOCache\All Users\{90160000-0019-0409-0000-0000000FF1CE}-C\PubLR.cab.7878kr5jx (copy) entropy: 7.99943691441
Source: C:\Users\user\Desktop\HkObDPju6Z.exe File created: C:\MSOCache\All Users\{90160000-001A-0409-0000-0000000FF1CE}-C\OutlkLR.cab.7878kr5jx (copy) entropy: 7.99980996483
Source: C:\Users\user\Desktop\HkObDPju6Z.exe File created: C:\MSOCache\All Users\{90160000-001B-0409-0000-0000000FF1CE}-C\WordLR.cab.7878kr5jx (copy) entropy: 7.99912178904
Source: C:\Users\user\Desktop\HkObDPju6Z.exe File created: C:\MSOCache\All Users\{90160000-0044-0409-0000-0000000FF1CE}-C\InfLR.cab.7878kr5jx (copy) entropy: 7.99982545137
Source: C:\Users\user\Desktop\HkObDPju6Z.exe File created: C:\MSOCache\All Users\{90160000-0090-0409-0000-0000000FF1CE}-C\DCFMUI.cab.7878kr5jx (copy) entropy: 7.99920950933
Source: C:\Users\user\Desktop\HkObDPju6Z.exe File created: C:\MSOCache\All Users\{90160000-00BA-0409-0000-0000000FF1CE}-C\GrooveLR.cab.7878kr5jx (copy) entropy: 7.99391529268
Source: C:\Users\user\Desktop\HkObDPju6Z.exe File created: C:\MSOCache\All Users\{90160000-00A1-0409-0000-0000000FF1CE}-C\OnoteLR.cab.7878kr5jx (copy) entropy: 7.99989863317
Source: C:\Users\user\Desktop\HkObDPju6Z.exe File created: C:\MSOCache\All Users\{90160000-00E2-0409-0000-0000000FF1CE}-C\OSMUXMUI.cab.7878kr5jx (copy) entropy: 7.99984999643
Source: C:\Users\user\Desktop\HkObDPju6Z.exe File created: C:\MSOCache\All Users\{90160000-0115-0409-0000-0000000FF1CE}-C\OfficeLR.cab.7878kr5jx (copy) entropy: 7.99992916048
Source: C:\Users\user\Desktop\HkObDPju6Z.exe File created: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\ProPsWW2.cab.7878kr5jx (copy) entropy: 7.99993160516
Source: C:\Users\user\Desktop\HkObDPju6Z.exe File created: C:\MSOCache\All Users\{90160000-0116-0409-1000-0000000FF1CE}-C\OWOW64LR.cab.7878kr5jx (copy) entropy: 7.99856329527
Source: C:\Users\user\Desktop\HkObDPju6Z.exe File created: C:\MSOCache\All Users\{90160000-012B-0409-0000-0000000FF1CE}-C\LyncMUI.cab.7878kr5jx (copy) entropy: 7.99982011438
Source: C:\Users\user\Desktop\HkObDPju6Z.exe File created: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\ProPsWW.cab.7878kr5jx (copy) entropy: 7.99992937711
Source: C:\Users\user\Desktop\HkObDPju6Z.exe File dropped: C:\Program Files\Windows Defender\Offline\instructions_read_me.txt -> decrypt or rename the files will lead to its fatal corruption. it doesn't matter, who are trying to do this, either it will be your it guys or a recovery agency.please follow these simple rules to avoid data corruption:- do not modify, rename or delete files. any attempts to modify, decrypt or rename the files will lead to its fatal corruption. - do not hire a recovery company. they can't decrypt without the key. they also don't care about your business. they believe that they are good negotiators, but it is not. they usually fail. so speak for yourself.waiting you in a chat.
Source: C:\Users\user\Desktop\HkObDPju6Z.exe File dropped: C:\MSOCache\All Users\{90160000-001B-0409-0000-0000000FF1CE}-C\instructions_read_me.txt -> decrypt or rename the files will lead to its fatal corruption. it doesn't matter, who are trying to do this, either it will be your it guys or a recovery agency.please follow these simple rules to avoid data corruption:- do not modify, rename or delete files. any attempts to modify, decrypt or rename the files will lead to its fatal corruption. - do not hire a recovery company. they can't decrypt without the key. they also don't care about your business. they believe that they are good negotiators, but it is not. they usually fail. so speak for yourself.waiting you in a chat.
Source: C:\Users\user\Desktop\HkObDPju6Z.exe File dropped: C:\Program Files\Windows Defender Advanced Threat Protection\en-US\instructions_read_me.txt -> decrypt or rename the files will lead to its fatal corruption. it doesn't matter, who are trying to do this, either it will be your it guys or a recovery agency.please follow these simple rules to avoid data corruption:- do not modify, rename or delete files. any attempts to modify, decrypt or rename the files will lead to its fatal corruption. - do not hire a recovery company. they can't decrypt without the key. they also don't care about your business. they believe that they are good negotiators, but it is not. they usually fail. so speak for yourself.waiting you in a chat.
Source: C:\Users\user\Desktop\HkObDPju6Z.exe File dropped: C:\MSOCache\All Users\{90160000-002C-0409-0000-0000000FF1CE}-C\instructions_read_me.txt -> decrypt or rename the files will lead to its fatal corruption. it doesn't matter, who are trying to do this, either it will be your it guys or a recovery agency.please follow these simple rules to avoid data corruption:- do not modify, rename or delete files. any attempts to modify, decrypt or rename the files will lead to its fatal corruption. - do not hire a recovery company. they can't decrypt without the key. they also don't care about your business. they believe that they are good negotiators, but it is not. they usually fail. so speak for yourself.waiting you in a chat.
Source: C:\Users\user\Desktop\HkObDPju6Z.exe File dropped: C:\Program Files\Windows Media Player\en-US\instructions_read_me.txt -> decrypt or rename the files will lead to its fatal corruption. it doesn't matter, who are trying to do this, either it will be your it guys or a recovery agency.please follow these simple rules to avoid data corruption:- do not modify, rename or delete files. any attempts to modify, decrypt or rename the files will lead to its fatal corruption. - do not hire a recovery company. they can't decrypt without the key. they also don't care about your business. they believe that they are good negotiators, but it is not. they usually fail. so speak for yourself.waiting you in a chat.
Source: C:\Users\user\Desktop\HkObDPju6Z.exe File dropped: C:\Program Files\Google\instructions_read_me.txt -> decrypt or rename the files will lead to its fatal corruption. it doesn't matter, who are trying to do this, either it will be your it guys or a recovery agency.please follow these simple rules to avoid data corruption:- do not modify, rename or delete files. any attempts to modify, decrypt or rename the files will lead to its fatal corruption. - do not hire a recovery company. they can't decrypt without the key. they also don't care about your business. they believe that they are good negotiators, but it is not. they usually fail. so speak for yourself.waiting you in a chat. Jump to dropped file
Source: C:\Users\user\Desktop\HkObDPju6Z.exe File dropped: C:\Program Files\internet explorer\instructions_read_me.txt -> decrypt or rename the files will lead to its fatal corruption. it doesn't matter, who are trying to do this, either it will be your it guys or a recovery agency.please follow these simple rules to avoid data corruption:- do not modify, rename or delete files. any attempts to modify, decrypt or rename the files will lead to its fatal corruption. - do not hire a recovery company. they can't decrypt without the key. they also don't care about your business. they believe that they are good negotiators, but it is not. they usually fail. so speak for yourself.waiting you in a chat. Jump to dropped file
Source: C:\Users\user\Desktop\HkObDPju6Z.exe File dropped: C:\Program Files\Microsoft Office\instructions_read_me.txt -> decrypt or rename the files will lead to its fatal corruption. it doesn't matter, who are trying to do this, either it will be your it guys or a recovery agency.please follow these simple rules to avoid data corruption:- do not modify, rename or delete files. any attempts to modify, decrypt or rename the files will lead to its fatal corruption. - do not hire a recovery company. they can't decrypt without the key. they also don't care about your business. they believe that they are good negotiators, but it is not. they usually fail. so speak for yourself.waiting you in a chat. Jump to dropped file
Source: C:\Users\user\Desktop\HkObDPju6Z.exe File dropped: C:\Program Files\MSBuild\instructions_read_me.txt -> decrypt or rename the files will lead to its fatal corruption. it doesn't matter, who are trying to do this, either it will be your it guys or a recovery agency.please follow these simple rules to avoid data corruption:- do not modify, rename or delete files. any attempts to modify, decrypt or rename the files will lead to its fatal corruption. - do not hire a recovery company. they can't decrypt without the key. they also don't care about your business. they believe that they are good negotiators, but it is not. they usually fail. so speak for yourself.waiting you in a chat. Jump to dropped file
Source: C:\Users\user\Desktop\HkObDPju6Z.exe File dropped: C:\Program Files\Reference Assemblies\instructions_read_me.txt -> decrypt or rename the files will lead to its fatal corruption. it doesn't matter, who are trying to do this, either it will be your it guys or a recovery agency.please follow these simple rules to avoid data corruption:- do not modify, rename or delete files. any attempts to modify, decrypt or rename the files will lead to its fatal corruption. - do not hire a recovery company. they can't decrypt without the key. they also don't care about your business. they believe that they are good negotiators, but it is not. they usually fail. so speak for yourself.waiting you in a chat. Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\vssadmin.exe C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: HkObDPju6Z.exe, 00000000.00000003.371931160.00000000034E0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: HkObDPju6Z.exe, 00000000.00000003.371931160.00000000034E0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: @xh.7878kr5jxC:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet4
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\vssadmin.exe C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: cmd.exe, 00000001.00000002.374399164.00000000030A0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Windows\system32\cmd.exe/cC:\Windows\SysNative\vssadmin.exedeleteshadows/all/quiets\ha
Source: cmd.exe, 00000001.00000002.374399164.00000000030A0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: indows\system32\cmd.exe c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: cmd.exe, 00000001.00000002.374318259.0000000002CE0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Users\user\Desktop\C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quietC:\Windows\system32\cmd.exeWinsta0\Default@
Source: cmd.exe, 00000001.00000002.374318259.0000000002CE0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: cmd.exe, 00000001.00000002.374318259.0000000002CE0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: cmd.exe, 00000001.00000002.374301135.0000000002BF0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Users\user\Desktop\C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quietC:\Windows\system32\cmd.exeWinsta0\Default@
Source: cmd.exe, 00000001.00000002.374301135.0000000002BF0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Users\user\Desktop\C:\Windows\system32\vssadmin.exexeC:\Windows\SysNative\vssadmin.exe delete shadows /all /quietnsC:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet=CWinsta0\DefaultDat=::=::\ALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\RoamingCommonProg\Registry\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\SideBySideiersmmon FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=computerComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\computerNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 85 Stepping 7, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=5507ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProg\Regi\Registry\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\SideBySideram Files (xE
Source: vssadmin.exe, 00000003.00000002.374108724.000001DA56200000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Users\user\Desktop\C:\Windows\system32\vssadmin.exeC:\Windows\SysNative\vssadmin.exe delete shadows /all /quietC:\Windows\SysNative\vssadmin.exe delete shadows /all /quietWinsta0\DefaultC
Source: vssadmin.exe, 00000003.00000002.374108724.000001DA56200000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: vssadmin.exe, 00000003.00000002.374147559.000001DA564D5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Windows\SysNative\vssadmin.exedeleteshadows/all/quiet
Source: HkObDPju6Z.exe, 00000006.00000002.463267031.00000000015D7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ws\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: HkObDPju6Z.exe, 00000006.00000002.463267031.00000000015D7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ws\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quietF
Source: HkObDPju6Z.exe, 00000006.00000002.463267031.00000000015D7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: indows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet!
Source: HkObDPju6Z.exe, 00000006.00000002.463253213.0000000001480000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Users\user\Desktop\C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quietC:\Windows\system32\cmd.exeWinsta0\Default
Source: HkObDPju6Z.exe, 00000006.00000002.463365199.0000000003600000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: HkObDPju6Z.exe, 00000006.00000002.463365199.0000000003600000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: xh.7878kr5jxC:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet4
Source: HkObDPju6Z.exe, 00000008.00000002.477620370.0000000003220000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: HkObDPju6Z.exe, 00000008.00000002.477620370.0000000003220000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: xh.7878kr5jxC:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet4
Source: HkObDPju6Z.exe, 00000008.00000002.477507649.0000000001207000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ws\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: HkObDPju6Z.exe, 00000008.00000002.477494135.00000000011D0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Users\user\Desktop\C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quietC:\Windows\system32\cmd.exeWinsta0\Default
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\vssadmin.exe C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: cmd.exe, 0000000A.00000002.461433351.0000000003560000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Windows\system32\cmd.exe/cC:\Windows\SysNative\vssadmin.exedeleteshadows/all/quiets\ha
Source: cmd.exe, 0000000A.00000002.461433351.0000000003560000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: indows\system32\cmd.exe c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: cmd.exe, 0000000A.00000002.460463531.0000000003270000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Users\user\Desktop\C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quietC:\Windows\system32\cmd.exeWinsta0\Default@
Source: cmd.exe, 0000000A.00000002.460463531.0000000003270000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Users\user\Desktop\C:\Windows\system32\vssadmin.exexeC:\Windows\SysNative\vssadmin.exe delete shadows /all /quietnsC:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet=CWinsta0\DefaultDat=::=::\ALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\RoamingCommonProg\Registry\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\SideBySideiersmmon FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=computerComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\computerNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 85 Stepping 7, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=5507ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProg\Regi\Registry\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\SideBySideram Files (xE
Source: cmd.exe, 0000000A.00000002.459523393.0000000003140000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Users\user\Desktop\C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quietC:\Windows\system32\cmd.exeWinsta0\Default@
Source: cmd.exe, 0000000A.00000002.459523393.0000000003140000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: cmd.exe, 0000000A.00000002.459523393.0000000003140000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: vssadmin.exe, 0000000C.00000002.454424473.0000023F78645000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Windows\SysNative\vssadmin.exedeleteshadows/all/quiet
Source: vssadmin.exe, 0000000C.00000002.454362797.000000B53E9AB000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: - Code: ADMPROCC00001737- Call: ADMPROCC00001712- PID: 00006840- TID: 00001768- CMD: C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet - User: Name: computer\user, SID:S-1-5-21-3853321935-2125563209-4053062332-1002
Source: vssadmin.exe, 0000000C.00000002.454438071.0000023F78672000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: - Code: ADMPROCC00001737- Call: ADMPROCC00001712- PID: 00006840- TID: 00001768- CMD: C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet - User: Name: computer\user, SID:S-1-5-21-3853321935-2125563209-4053062332-1002
Source: vssadmin.exe, 0000000C.00000002.454438071.0000023F78660000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Users\user\Desktop\C:\Windows\system32\vssadmin.exeC:\Windows\SysNative\vssadmin.exe delete shadows /all /quietC:\Windows\SysNative\vssadmin.exe delete shadows /all /quietWinsta0\Default
Source: vssadmin.exe, 0000000C.00000002.454438071.0000023F78660000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\vssadmin.exe C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: cmd.exe, 0000000D.00000002.473127980.0000000002DC0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Users\user\Desktop\C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quietC:\Windows\system32\cmd.exeWinsta0\Default@
Source: cmd.exe, 0000000D.00000002.473127980.0000000002DC0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Users\user\Desktop\C:\Windows\system32\vssadmin.exexeC:\Windows\SysNative\vssadmin.exe delete shadows /all /quietnsC:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet=CWinsta0\DefaultDat=::=::\ALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\RoamingCommonProg\Registry\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\SideBySideiersmmon FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=computerComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\computerNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 85 Stepping 7, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=5507ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProg\Regi\Registry\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\SideBySideram Files (xE
Source: cmd.exe, 0000000D.00000002.469976377.0000000002DB0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Windows\system32\cmd.exe/cC:\Windows\SysNative\vssadmin.exedeleteshadows/all/quiets\haTw
Source: cmd.exe, 0000000D.00000002.469976377.0000000002DB0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: indows\system32\cmd.exe c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: cmd.exe, 0000000D.00000002.473823877.0000000002EC0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Users\user\Desktop\C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quietC:\Windows\system32\cmd.exeWinsta0\Default@
Source: cmd.exe, 0000000D.00000002.473823877.0000000002EC0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: cmd.exe, 0000000D.00000002.473823877.0000000002EC0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: vssadmin.exe, 0000000F.00000002.463763025.000001A7DE5A0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Users\user\Desktop\C:\Windows\system32\vssadmin.exeC:\Windows\SysNative\vssadmin.exe delete shadows /all /quietC:\Windows\SysNative\vssadmin.exe delete shadows /all /quietWinsta0\Defaultf
Source: vssadmin.exe, 0000000F.00000002.463763025.000001A7DE5A0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: vssadmin.exe, 0000000F.00000002.463763025.000001A7DE5A0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet"
Source: vssadmin.exe, 0000000F.00000002.463763025.000001A7DE5B2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: - Code: ADMPROCC00001737- Call: ADMPROCC00001712- PID: 00005700- TID: 00005672- CMD: C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet - User: Name: computer\user, SID:S-1-5-21-3853321935-2125563209-4053062332-1002
Source: vssadmin.exe, 0000000F.00000002.463695666.0000007A194FB000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: - Code: ADMPROCC00001737- Call: ADMPROCC00001712- PID: 00005700- TID: 00005672- CMD: C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet - User: Name: computer\user, SID:S-1-5-21-3853321935-2125563209-4053062332-1002
Source: vssadmin.exe, 0000000F.00000002.463870704.000001A7DE825000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Windows\SysNative\vssadmin.exedeleteshadows/all/quiet9
Source: HkObDPju6Z.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 6_2_001F4B90 6_2_001F4B90
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 6_2_00224150 6_2_00224150
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 6_2_0023A184 6_2_0023A184
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 6_2_002382A6 6_2_002382A6
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 6_2_0023A5A5 6_2_0023A5A5
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 6_2_00224590 6_2_00224590
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 6_2_002385EE 6_2_002385EE
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 6_2_002685C0 6_2_002685C0
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 6_2_0020A800 6_2_0020A800
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 6_2_00238945 6_2_00238945
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 6_2_0023A9D5 6_2_0023A9D5
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 6_2_0025EA87 6_2_0025EA87
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 6_2_00238C8D 6_2_00238C8D
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 6_2_00250EC2 6_2_00250EC2
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 6_2_00208FD0 6_2_00208FD0
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 6_2_0023901B 6_2_0023901B
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 6_2_0022107A 6_2_0022107A
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: String function: 00253118 appears 38 times
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: String function: 00213DA0 appears 37 times
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Process Stats: CPU usage > 98%
Source: HkObDPju6Z.exe, 00000000.00000000.355154571.000000000030E000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameminipath.exeD vs HkObDPju6Z.exe
Source: HkObDPju6Z.exe, 00000006.00000000.395307334.000000000030E000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameminipath.exeD vs HkObDPju6Z.exe
Source: HkObDPju6Z.exe, 00000008.00000000.415644686.000000000030E000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameminipath.exeD vs HkObDPju6Z.exe
Source: HkObDPju6Z.exe Binary or memory string: OriginalFilenameminipath.exeD vs HkObDPju6Z.exe
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Section loaded: fdgmnfmfhdfgsndhfd.dll
Source: HkObDPju6Z.exe ReversingLabs: Detection: 59%
Source: HkObDPju6Z.exe Virustotal: Detection: 63%
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\HkObDPju6Z.exe C:\Users\user\Desktop\HkObDPju6Z.exe
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\vssadmin.exe C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: unknown Process created: C:\Users\user\Desktop\HkObDPju6Z.exe "C:\Users\user\Desktop\HkObDPju6Z.exe"
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\vssadmin.exe C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\vssadmin.exe C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\vssadmin.exe C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: C:\Windows\System32\vssadmin.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F2C2787D-95AB-40D4-942D-298F5F757874}\InProcServer32
Source: C:\Users\user\Desktop\HkObDPju6Z.exe File created: C:\Users\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe File created: C:\Users\user\AppData\Local\Temp\fkdjsadasd.ico
Source: classification engine Classification label: mal100.rans.spre.evad.winEXE@18/400@0/0
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 6_2_00206080 CoCreateInstance,lstrcpyW,ExpandEnvironmentStringsW,lstrcpynW, 6_2_00206080
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 6_2_00202F30 GetLastError,FormatMessageW,lstrlenW,lstrlenW,lstrlenW,LocalAlloc,LocalFree,GetFocus,MessageBoxExW,LocalFree,LocalFree, 6_2_00202F30
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1572:120:WilError_01
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Mutant created: \Sessions\1\BaseNamedObjects\ofijweiuhuewhcsaxs.mutex
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5688:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6824:120:WilError_01
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 6_2_0021132D LoadResource, 6_2_0021132D
Source: C:\Users\user\Desktop\HkObDPju6Z.exe File created: C:\Program Files\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Command line argument: *.* 6_2_00208650
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Command line argument: TaskbarCreated 6_2_00208650
Source: HkObDPju6Z.exe Static file information: File size 1489920 > 1048576
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Google\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\internet explorer\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Microsoft Office\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\MSBuild\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Reference Assemblies\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Uninstall Information\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\UNP\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Windows Defender\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Windows Defender Advanced Threat Protection\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Windows Mail\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Windows Media Player\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Windows Multimedia Platform\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\windows nt\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Windows Photo Viewer\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Windows Portable Devices\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Windows Security\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\WindowsPowerShell\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\Services\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\system\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Google\Chrome\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\internet explorer\en-US\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\internet explorer\images\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\internet explorer\SIGNUP\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Microsoft Office\Office16\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\MSBuild\Microsoft\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Reference Assemblies\Microsoft\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\UNP\Logs\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\UNP\UpdateNotificationMgr\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Windows Defender\en-US\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Windows Defender\Offline\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Windows Defender Advanced Threat Protection\en-US\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Windows Media Player\en-US\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Windows Media Player\Media Renderer\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Windows Media Player\Network Sharing\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Windows Media Player\Skins\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Windows Media Player\Visualizations\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\windows nt\accessories\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\windows nt\tabletextservice\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Windows Photo Viewer\en-US\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Windows Security\BrowserCore\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\WindowsPowerShell\Modules\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\Filters\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\MSInfo\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\OFFICE16\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\Stationery\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\TextConv\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\Triedit\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\VC\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\vgx\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\VSTO\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\system\ado\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\system\en-US\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\system\msadc\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\system\ole db\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Google\Chrome\Application\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Microsoft Office\Office16\1033\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Microsoft Office\Office16\OneNote\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Reference Assemblies\Microsoft\Framework\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\windows nt\accessories\en-US\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\windows nt\tabletextservice\en-US\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Windows Security\BrowserCore\en-US\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\WindowsPowerShell\Modules\PackageManagement\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\WindowsPowerShell\Modules\Pester\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\WindowsPowerShell\Modules\PSReadline\instructions_read_me.txt
Source: HkObDPju6Z.exe Static PE information: section name: RT_CURSOR
Source: HkObDPju6Z.exe Static PE information: section name: RT_BITMAP
Source: HkObDPju6Z.exe Static PE information: section name: RT_ICON
Source: HkObDPju6Z.exe Static PE information: section name: RT_MENU
Source: HkObDPju6Z.exe Static PE information: section name: RT_DIALOG
Source: HkObDPju6Z.exe Static PE information: section name: RT_STRING
Source: HkObDPju6Z.exe Static PE information: section name: RT_ACCELERATOR
Source: HkObDPju6Z.exe Static PE information: section name: RT_GROUP_ICON
Source: HkObDPju6Z.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: HkObDPju6Z.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: P:\Target\x86\ship\msicustomactions\x-none\diagnoseca.pdbeca.pdb00000000000000 source: WordMUI.msi.0.dr
Source: Binary string: HfDons\x-none\ocfxca.pdb source: WordMUI.msi.0.dr
Source: Binary string: Gbqhxds.pdb source: WordMUI.msi.0.dr
Source: Binary string: E:\cpp\calc\Bin\Release_x86_v143\minipath.pdb source: HkObDPju6Z.exe
Source: Binary string: hca.pdb source: WordMUI.msi.0.dr
Source: Binary string: Gbqhxds.pdbxds.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 source: WordMUI.msi.0.dr
Source: Binary string: ]{Hw\x-none\mshelp\reghh20.pdbh20.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 source: WordMUI.msi.0.dr
Source: Binary string: ]{Hw\x-none\mshelp\reghh20.pdb source: WordMUI.msi.0.dr
Source: Binary string: P:\Target\x86\ship\msicustomactions\x-none\abortmsica.pdb source: WordMUI.msi.0.dr
Source: Binary string: _}@actions\x-none\patchca.pdb source: WordMUI.msi.0.dr
Source: Binary string: ica.pdb source: WordMUI.msi.0.dr
Source: Binary string: per.pdb source: setup.dll.0.dr
Source: Binary string: eca.pdb source: WordMUI.msi.0.dr
Source: Binary string: _}@actions\x-none\patchca.pdbhca.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 source: WordMUI.msi.0.dr
Source: Binary string: h20.pdb source: WordMUI.msi.0.dr
Source: Binary string: P:\Target\x86\ship\msicustomactions\x-none\abortmsica.pdbica.pdb0000000000000000000000 source: WordMUI.msi.0.dr
Source: Binary string: P:\Target\x86\ship\setupexe\x-none\setupbootstrapper.pdbper.pdb000Ut source: setup.dll.0.dr
Source: Binary string: HfDons\x-none\ocfxca.pdbxca.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 source: WordMUI.msi.0.dr
Source: Binary string: P:\Target\x86\ship\msicustomactions\x-none\diagnoseca.pdb source: WordMUI.msi.0.dr
Source: Binary string: P:\Target\x86\ship\setupexe\x-none\setupbootstrapper.pdb source: setup.dll.0.dr
Source: Binary string: xds.pdb source: WordMUI.msi.0.dr
Source: Binary string: xca.pdb source: WordMUI.msi.0.dr

Data Obfuscation

Source: C:\Users\user\Desktop\HkObDPju6Z.exe Unpacked PE file: 6.2.HkObDPju6Z.exe.3600000.1.unpack
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Unpacked PE file: 8.2.HkObDPju6Z.exe.3220000.1.unpack
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 0_3_015D38AB pushad ; iretd 0_3_015D38B1
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 0_3_015D3D23 pushad ; iretd 0_3_015D3D29
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 6_2_001FE947 push esi; ret 6_2_001FE948
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 6_2_0020A240 CreateWindowExW,LoadLibraryW,GetProcAddress,FreeLibrary,GetWindowLongW,SetWindowLongW,SetWindowPos,SendMessageW,SendMessageW,#410,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetSystemMetrics,CreateWindowExW,SendMessageW,SendMessageW,SHGetFileInfoW,SendMessageW,SendMessageW,SendMessageW,DragAcceptFiles,SendMessageW,SendMessageW,GetSystemMenu,DeleteMenu,DeleteMenu,DeleteMenu,GetMenuItemInfoW,SetMenuItemInfoW,LoadStringW,LoadStringW,LoadStringW,InsertMenuW,InsertMenuW,LoadStringW,LoadStringW,InsertMenuW,InsertMenuW, 6_2_0020A240
Source: initial sample Static PE information: section name: .data entropy: 7.357984406581138

Persistence and Installation Behavior

Source: C:\Users\user\Desktop\HkObDPju6Z.exe System file written: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe
Source: C:\Users\user\Desktop\HkObDPju6Z.exe System file written: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe
Source: C:\Users\user\Desktop\HkObDPju6Z.exe System file written: C:\Program Files (x86)\AutoIt3\Uninstall.exe
Source: C:\Users\user\Desktop\HkObDPju6Z.exe System file written: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe
Source: C:\Users\user\Desktop\HkObDPju6Z.exe System file written: C:\Program Files (x86)\AutoIt3\Au3Info.exe
Source: C:\Users\user\Desktop\HkObDPju6Z.exe System file written: C:\Program Files (x86)\AutoIt3\Au3Check.exe
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Skype
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Skype
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 6_2_0020FF10 GetSysColor,EnumWindows,IsWindowEnabled,IsIconic,ShowWindowAsync,IsWindowVisible,SendMessageW,SendMessageW,SendMessageW,SetForegroundWindow,GlobalSize,PathIsRelativeW,GetCurrentDirectoryW,PathAppendW,lstrcpyW,GlobalSize,SendMessageW,GlobalFree,LoadStringW,LoadStringW,LoadStringW,StrChrW,MessageBoxW, 6_2_0020FF10
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 6_2_002104A0 lstrcpyW,lstrcpyW,EnumWindows,IsWindowEnabled,IsIconic,ShowWindowAsync,SetForegroundWindow,lstrlenW,GlobalAlloc,GlobalLock,lstrcpyW,GlobalUnlock,PostMessageW,StrChrW,MessageBoxW,GetShortPathNameW,StrCatBuffW,StrCpyNW,StrCatBuffW,StrCatBuffW,lstrcpyW,ShellExecuteExW,lstrcpynW,wsprintfW,DdeInitializeW,DdeCreateStringHandleW,DdeCreateStringHandleW,DdeCreateStringHandleW,DdeFreeStringHandle,DdeConnect,lstrlenW,DdeClientTransaction,DdeDisconnect,DdeFreeStringHandle,DdeFreeStringHandle,DdeFreeStringHandle,DdeUninitialize,GetShortPathNameW,StrCatBuffW,StrCpyNW,StrCatBuffW,StrCatBuffW,lstrcpyW,ExpandEnvironmentStringsW,lstrcpynW,ShellExecuteExW,DialogBoxIndirectParamW,LocalFree, 6_2_002104A0
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 6_2_00210AF0 lstrcpyW,EnumWindows,IsIconic,IsZoomed,SendMessageW,SetForegroundWindow,SetForegroundWindow,BringWindowToTop,SetForegroundWindow,GetSystemMetrics,GetWindowRect,GetWindowRect,GetWindowRect,EqualRect,SystemParametersInfoW,DrawAnimatedRects,SetWindowPos, 6_2_00210AF0
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 6_2_00208FD0 SetTimer,KillTimer,FindCloseChangeNotification,GetWindowPlacement,DragAcceptFiles,LocalFree,LocalFree,PostQuitMessage,DefWindowProcW,SendMessageW,DefWindowProcW,WaitForSingleObject,FindNextChangeNotification,SendMessageW,SetWindowPos,SetWindowPos,DefWindowProcW,ShowOwnedPopups,ShowOwnedPopups,SystemParametersInfoW,GetWindowRect,DrawAnimatedRects,ShowWindow,SetBkColor,SetTextColor,SendMessageW,SetWindowPos,RedrawWindow,IsIconic,ShowWindow,DragQueryFileW,DragQueryFileW,DragQueryFileW,DragFinish,GetWindowLongW,GetWindowLongW,GetWindowLongW,SetWindowLongW,SetWindowPos,SendMessageW,SendMessageW,SendMessageW,DestroyWindow,DestroyWindow,DestroyWindow,DestroyWindow,GetClientRect,SendMessageW,SendMessageW,UpdateWindow,IsWindowVisible,LoadMenuW,GetSubMenu,SetForegroundWindow,GetCursorPos,SetMenuDefaultItem,TrackPopupMenu,PostMessageW,DestroyMenu,PostMessageW,ShowOwnedPopups, 6_2_00208FD0
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HkObDPju6Z.exe TID: 7076 Thread sleep count: 89 > 30
Source: C:\Users\user\Desktop\HkObDPju6Z.exe TID: 5956 Thread sleep count: 2852 > 30
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Window / User API: threadDelayed 2852
Source: C:\Users\user\Desktop\HkObDPju6Z.exe API coverage: 5.5 %
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 6_2_00212503 VirtualQuery,GetSystemInfo, 6_2_00212503
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 6_2_0025605C FindFirstFileExW, 6_2_0025605C
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 6_2_0020E3D0 PathCompactPathExW,LoadStringW,LoadStringW,LoadStringW,SendMessageW,GetParent,DoDragDrop,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SHGetDataFromIDListW,FindFirstFileW,FindClose,StrFormatByteSizeW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetDateFormatW,GetTimeFormatW,lstrcpyW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,wsprintfW,SendMessageW,wsprintfW,lstrcmpW,SendMessageW,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree,StrRetToBufW,StrRetToBufW,StrRetToBufW,SHGetFileInfoW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,lstrcmpW, 6_2_0020E3D0
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 6_2_00256446 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 6_2_00256446
Source: HkObDPju6Z.exe, 00000008.00000002.477507649.0000000001207000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vboxtray.exe
Source: HkObDPju6Z.exe, 00000008.00000002.477507649.0000000001207000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vboxservice
Source: HkObDPju6Z.exe, 00000006.00000002.463267031.00000000015D7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vboxservicee1
Source: HkObDPju6Z.exe, 00000006.00000002.463267031.00000000015D7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vboxtray.exen
Source: HkObDPju6Z.exe, 00000006.00000002.463267031.00000000015D7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vboxservice.exe_
Source: HkObDPju6Z.exe, 00000008.00000002.477507649.0000000001207000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vboxservice.exeX-
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 6_2_00240E7D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_00240E7D
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 6_2_0020A240 CreateWindowExW,LoadLibraryW,GetProcAddress,FreeLibrary,GetWindowLongW,SetWindowLongW,SetWindowPos,SendMessageW,SendMessageW,#410,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetSystemMetrics,CreateWindowExW,SendMessageW,SendMessageW,SHGetFileInfoW,SendMessageW,SendMessageW,SendMessageW,DragAcceptFiles,SendMessageW,SendMessageW,GetSystemMenu,DeleteMenu,DeleteMenu,DeleteMenu,GetMenuItemInfoW,SetMenuItemInfoW,LoadStringW,LoadStringW,LoadStringW,InsertMenuW,InsertMenuW,LoadStringW,LoadStringW,InsertMenuW,InsertMenuW, 6_2_0020A240
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 6_2_0025897F GetProcessHeap, 6_2_0025897F
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 6_2_0024A542 mov ecx, dword ptr fs:[00000030h] 6_2_0024A542
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 6_2_00213B49 SetUnhandledExceptionFilter, 6_2_00213B49
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 6_2_00240E7D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_00240E7D
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 6_2_00213225 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 6_2_00213225
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\vssadmin.exe C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\vssadmin.exe C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\vssadmin.exe C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: HkObDPju6Z.exe, 00000000.00000000.355068028.000000000026E000.00000002.00000001.01000000.00000003.sdmp, HkObDPju6Z.exe, 00000006.00000002.463036591.000000000026E000.00000002.00000001.01000000.00000003.sdmp, HkObDPju6Z.exe, 00000006.00000000.395230533.000000000026E000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: M uxtheme.dllIsAppThemed - []\]%i %i%CSIDL:MYDOCUMENTS%.lnk"...%1%.2i"%s"Segoe UIMicrosoft JhengHei UIMicrosoft YaHei UIYu Gothic UIMalgun GothicWINDOWSTYLE;WINDOWShell_TrayWndTrayNotifyWndaf-ZA be-BY de-DE el-GR en-GB en-US es-ES es-MX fr-FR hi-IN hu-HU id-ID it-IT ja-JP ko-KR nl-NL pl-PL pt-BR pt-PT ru-RU sk-SK sv-SE tr-TR vi-VN zh-CN zh-TWTaskbarCreatedfdgmnfmfhdfgsndhfdMinPathNotepad3...AutoRefreshRateSysListView32ComboBoxEx32ToolbarWindow32Toolbar Labels%02i(none)msctls_statusbar32ReBarWindow32Toolbar -f0 -n -p %i,%i,%i,%iok\A-RHS%s | %s %s | %s%u-/%i,%i,%i,%iNotepad3.exe
Source: HkObDPju6Z.exe Binary or memory string: Shell_TrayWnd
Source: HkObDPju6Z.exe Binary or memory string: MAuxtheme.dllIsAppThemed - []\]%i %i%CSIDL:MYDOCUMENTS%.lnk"...%1%.2i"%s"Segoe UIMicrosoft JhengHei UIMicrosoft YaHei UIYu Gothic UIMalgun GothicWINDOWSTYLE;WINDOWShell_TrayWndTrayNotifyWndaf-ZA be-BY de-DE el-GR en-GB en-US es-ES es-MX fr-FR hi-IN hu-HU id-ID it-IT ja-JP ko-KR nl-NL pl-PL pt-BR pt-PT ru-RU sk-SK sv-SE tr-TR vi-VN zh-CN zh-TWTaskbarCreatedfdgmnfmfhdfgsndhfdMinPathNotepad3...AutoRefreshRateSysListView32ComboBoxEx32ToolbarWindow32Toolbar Labels%02i(none)msctls_statusbar32ReBarWindow32Toolbar -f0 -n -p %i,%i,%i,%iok\A-RHS%s | %s %s | %s%u-/%i,%i,%i,%iNotepad3.exe
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: GetACP,IsValidCodePage,GetLocaleInfoW, 6_2_0025C076
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: EnumSystemLocalesW, 6_2_0025C318
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: EnumSystemLocalesW, 6_2_0025C381
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: EnumSystemLocalesW, 6_2_0025C41C
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: ResolveLocaleName,GetLocaleInfoEx, 6_2_00208460
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 6_2_0025C4A7
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: GetUserPreferredUILanguages,GetUserPreferredUILanguages,LocalAlloc,GetUserPreferredUILanguages,LocalFree,GetLocaleInfoEx, 6_2_002084F0
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: GetLocaleInfoEx,SendMessageW,lstrlenW,ResetEvent,lstrlenW,CharPrevW,lstrlenW,CharPrevW,lstrlenW, 6_2_002066E0
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: GetLocaleInfoW, 6_2_0025C6FA
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 6_2_0025C823
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: GetLocaleInfoW, 6_2_0025C929
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 6_2_0025C9F8
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: EnumSystemLocalesW, 6_2_00252B14
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: EnumSystemLocalesW, 6_2_00252C73
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: EnumSystemLocalesW, 6_2_00252CA5
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: GetLocaleInfoW, 6_2_00210EC9
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: LCIDToLocaleName,GetLocaleInfoEx, 6_2_0021114B
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 6_2_00208650 GetVersion,SetErrorMode,GetSysColor,GetSysColor,GetSysColor,GetSysColor,GetSysColor,GetSysColor,GetSysColor,GetSysColor,GetSysColor,GetSysColor,GetSysColor,GetSysColor,GetSysColor,GetSysColor,GetSysColor,OleInitialize,InitCommonControlsEx,RegisterWindowMessageW,CreateSolidBrush,CreateSolidBrush,CreateSolidBrush, 6_2_00208650
No contacted IP infos