Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
HkObDPju6Z.exe

Overview

General Information

Sample Name:HkObDPju6Z.exe
Original Sample Name:723d1cf3d74fb3ce95a77ed9dff257a78c8af8e67a82963230dd073781074224.exe
Analysis ID:886219
MD5:6441d7260944bcedc5958c5c8a05d16d
SHA1:46257982840493eca90e051ff1749e7040895584
SHA256:723d1cf3d74fb3ce95a77ed9dff257a78c8af8e67a82963230dd073781074224
Tags:exe
Infos:

Detection

BlackBasta
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected BlackBasta ransomware
Found ransom note / readme
Antivirus / Scanner detection for submitted sample
Detected unpacking (creates a PE file in dynamic memory)
Infects executable files (exe, dll, sys, html)
Found Tor onion address
Machine Learning detection for sample
May disable shadow drive data (uses vssadmin)
Writes many files with high entropy
Writes a notice file (html or txt) to demand a ransom
Deletes shadow drive data (may be related to ransomware)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Abnormal high CPU Usage
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Contains functionality to read the PEB
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • HkObDPju6Z.exe (PID: 6028 cmdline: C:\Users\user\Desktop\HkObDPju6Z.exe MD5: 6441D7260944BCEDC5958C5C8A05D16D)
    • cmd.exe (PID: 4148 cmdline: C:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 1572 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • vssadmin.exe (PID: 7056 cmdline: C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet MD5: 47D51216EF45075B5F7EAA117CC70E40)
  • HkObDPju6Z.exe (PID: 7028 cmdline: "C:\Users\user\Desktop\HkObDPju6Z.exe" MD5: 6441D7260944BCEDC5958C5C8A05D16D)
    • cmd.exe (PID: 1852 cmdline: C:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 6824 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • vssadmin.exe (PID: 6840 cmdline: C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet MD5: 47D51216EF45075B5F7EAA117CC70E40)
  • HkObDPju6Z.exe (PID: 4652 cmdline: "C:\Users\user\Desktop\HkObDPju6Z.exe" MD5: 6441D7260944BCEDC5958C5C8A05D16D)
    • cmd.exe (PID: 5708 cmdline: C:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 5688 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • vssadmin.exe (PID: 5700 cmdline: C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet MD5: 47D51216EF45075B5F7EAA117CC70E40)
  • cleanup
NameDescriptionAttributionBlogpost URLsLink
Black Basta"Black Basta" is a new ransomware strain discovered during April 2022 - looks in dev since at least early February 2022 - and due to their ability to quickly amass new victims and the style of their negotiations, this is likely not a new operation but rather a rebrand of a previous top-tier ransomware gang that brought along their affiliates.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.blackbasta
No configs have been found
SourceRuleDescriptionAuthorStrings
00000000.00000003.371931160.00000000034E0000.00000004.00001000.00020000.00000000.sdmpJoeSecurity_BlackBastaYara detected BlackBasta ransomwareJoe Security
    00000008.00000002.477620370.0000000003220000.00000040.00001000.00020000.00000000.sdmpJoeSecurity_BlackBastaYara detected BlackBasta ransomwareJoe Security
      00000006.00000002.463365199.0000000003600000.00000040.00001000.00020000.00000000.sdmpJoeSecurity_BlackBastaYara detected BlackBasta ransomwareJoe Security
        Process Memory Space: HkObDPju6Z.exe PID: 6028JoeSecurity_BlackBastaYara detected BlackBasta ransomwareJoe Security
          Process Memory Space: HkObDPju6Z.exe PID: 7028JoeSecurity_BlackBastaYara detected BlackBasta ransomwareJoe Security
            Click to see the 1 entries
            SourceRuleDescriptionAuthorStrings
            6.2.HkObDPju6Z.exe.3600000.1.raw.unpackJoeSecurity_BlackBastaYara detected BlackBasta ransomwareJoe Security
              6.2.HkObDPju6Z.exe.3600000.1.unpackJoeSecurity_BlackBastaYara detected BlackBasta ransomwareJoe Security
                8.2.HkObDPju6Z.exe.3220000.1.unpackJoeSecurity_BlackBastaYara detected BlackBasta ransomwareJoe Security
                  8.2.HkObDPju6Z.exe.3220000.1.raw.unpackJoeSecurity_BlackBastaYara detected BlackBasta ransomwareJoe Security
                    0.3.HkObDPju6Z.exe.34e0000.0.unpackJoeSecurity_BlackBastaYara detected BlackBasta ransomwareJoe Security
                      Click to see the 1 entries
                      No Sigma rule has matched
                      No Snort rule has matched

                      Click to jump to signature section

                      Show All Signature Results

                      AV Detection

                      barindex
                      Source: HkObDPju6Z.exeReversingLabs: Detection: 59%
                      Source: HkObDPju6Z.exeVirustotal: Detection: 63%Perma Link
                      Source: HkObDPju6Z.exeAvira: detected
                      Source: HkObDPju6Z.exeJoe Sandbox ML: detected

                      Compliance

                      barindex
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeUnpacked PE file: 6.2.HkObDPju6Z.exe.3600000.1.unpack
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeUnpacked PE file: 8.2.HkObDPju6Z.exe.3220000.1.unpack
                      Source: HkObDPju6Z.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Google\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\internet explorer\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Microsoft Office\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\MSBuild\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Reference Assemblies\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Uninstall Information\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\UNP\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Windows Defender\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Windows Defender Advanced Threat Protection\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Windows Mail\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Windows Media Player\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Windows Multimedia Platform\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\windows nt\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Windows Photo Viewer\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Windows Portable Devices\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Windows Security\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\WindowsPowerShell\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\microsoft shared\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\Services\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\system\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Google\Chrome\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\internet explorer\en-US\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\internet explorer\images\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\internet explorer\SIGNUP\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Microsoft Office\Office16\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\MSBuild\Microsoft\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Reference Assemblies\Microsoft\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\UNP\Logs\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\UNP\UpdateNotificationMgr\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Windows Defender\en-US\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Windows Defender\Offline\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Windows Defender Advanced Threat Protection\en-US\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Windows Media Player\en-US\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Windows Media Player\Media Renderer\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Windows Media Player\Network Sharing\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Windows Media Player\Skins\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Windows Media Player\Visualizations\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\windows nt\accessories\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\windows nt\tabletextservice\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Windows Photo Viewer\en-US\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Windows Security\BrowserCore\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\WindowsPowerShell\Modules\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\microsoft shared\Filters\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\microsoft shared\MSInfo\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\microsoft shared\OFFICE16\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\microsoft shared\Stationery\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\microsoft shared\TextConv\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\microsoft shared\Triedit\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\microsoft shared\VC\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\microsoft shared\vgx\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\microsoft shared\VSTO\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\system\ado\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\system\en-US\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\system\msadc\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Common Files\system\ole db\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Google\Chrome\Application\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Microsoft Office\Office16\1033\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Microsoft Office\Office16\OneNote\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Reference Assemblies\Microsoft\Framework\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\windows nt\accessories\en-US\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\windows nt\tabletextservice\en-US\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\Windows Security\BrowserCore\en-US\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\WindowsPowerShell\Modules\PackageManagement\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\WindowsPowerShell\Modules\Pester\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeDirectory created: C:\Program Files\WindowsPowerShell\Modules\PSReadline\instructions_read_me.txtJump to behavior
                      Source: HkObDPju6Z.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                      Source: Binary string: P:\Target\x86\ship\msicustomactions\x-none\diagnoseca.pdbeca.pdb00000000000000 source: WordMUI.msi.0.dr
                      Source: Binary string: HfDons\x-none\ocfxca.pdb source: WordMUI.msi.0.dr
                      Source: Binary string: Gbqhxds.pdb source: WordMUI.msi.0.dr
                      Source: Binary string: E:\cpp\calc\Bin\Release_x86_v143\minipath.pdb source: HkObDPju6Z.exe
                      Source: Binary string: hca.pdb source: WordMUI.msi.0.dr
                      Source: Binary string: Gbqhxds.pdbxds.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 source: WordMUI.msi.0.dr
                      Source: Binary string: ]{Hw\x-none\mshelp\reghh20.pdbh20.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 source: WordMUI.msi.0.dr
                      Source: Binary string: ]{Hw\x-none\mshelp\reghh20.pdb source: WordMUI.msi.0.dr
                      Source: Binary string: P:\Target\x86\ship\msicustomactions\x-none\abortmsica.pdb source: WordMUI.msi.0.dr
                      Source: Binary string: _}@actions\x-none\patchca.pdb source: WordMUI.msi.0.dr
                      Source: Binary string: ica.pdb source: WordMUI.msi.0.dr
                      Source: Binary string: per.pdb source: setup.dll.0.dr
                      Source: Binary string: eca.pdb source: WordMUI.msi.0.dr
                      Source: Binary string: _}@actions\x-none\patchca.pdbhca.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 source: WordMUI.msi.0.dr
                      Source: Binary string: h20.pdb source: WordMUI.msi.0.dr
                      Source: Binary string: P:\Target\x86\ship\msicustomactions\x-none\abortmsica.pdbica.pdb0000000000000000000000 source: WordMUI.msi.0.dr
                      Source: Binary string: P:\Target\x86\ship\setupexe\x-none\setupbootstrapper.pdbper.pdb000Ut source: setup.dll.0.dr
                      Source: Binary string: HfDons\x-none\ocfxca.pdbxca.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 source: WordMUI.msi.0.dr
                      Source: Binary string: P:\Target\x86\ship\msicustomactions\x-none\diagnoseca.pdb source: WordMUI.msi.0.dr
                      Source: Binary string: P:\Target\x86\ship\setupexe\x-none\setupbootstrapper.pdb source: setup.dll.0.dr
                      Source: Binary string: xds.pdb source: WordMUI.msi.0.dr
                      Source: Binary string: xca.pdb source: WordMUI.msi.0.dr

                      Spreading

                      barindex
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeSystem file written: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exeJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeSystem file written: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exeJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeSystem file written: C:\Program Files (x86)\AutoIt3\Uninstall.exeJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeSystem file written: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exeJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeSystem file written: C:\Program Files (x86)\AutoIt3\Au3Info.exeJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeSystem file written: C:\Program Files (x86)\AutoIt3\Au3Check.exeJump to behavior
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeCode function: 6_2_0025605C FindFirstFileExW,
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeCode function: 6_2_0020E3D0 PathCompactPathExW,LoadStringW,LoadStringW,LoadStringW,SendMessageW,GetParent,DoDragDrop,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SHGetDataFromIDListW,FindFirstFileW,FindClose,StrFormatByteSizeW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetDateFormatW,GetTimeFormatW,lstrcpyW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,wsprintfW,SendMessageW,wsprintfW,lstrcmpW,SendMessageW,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree,StrRetToBufW,StrRetToBufW,StrRetToBufW,SHGetFileInfoW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,lstrcmpW,
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeCode function: 6_2_00256446 FindFirstFileExW,FindNextFileW,FindClose,FindClose,

                      Networking

                      barindex
                      Source: HkObDPju6Z.exe, 00000000.00000003.371931160.00000000034E0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
                      Source: HkObDPju6Z.exe, 00000006.00000002.463365199.0000000003600000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
                      Source: HkObDPju6Z.exe, 00000006.00000002.463304811.0000000003440000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
                      Source: HkObDPju6Z.exe, 00000008.00000002.477620370.0000000003220000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
                      Source: HkObDPju6Z.exe, 00000008.00000002.477563045.00000000030C0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
                      Source: instructions_read_me.txt59.0.drString found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
                      Source: instructions_read_me.txt56.0.drString found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
                      Source: instructions_read_me.txt74.0.drString found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
                      Source: instructions_read_me.txt71.0.drString found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
                      Source: instructions_read_me.txt65.0.drString found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
                      Source: instructions_read_me.txt2.0.drString found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
                      Source: PptLR.cab.0.drString found in binary or memory: http://office.micro
                      Source: HkObDPju6Z.exe, 00000000.00000003.371931160.00000000034E0000.00000004.00001000.00020000.00000000.sdmp, HkObDPju6Z.exe, 00000006.00000002.463365199.0000000003600000.00000040.00001000.00020000.00000000.sdmp, HkObDPju6Z.exe, 00000006.00000002.463304811.0000000003440000.00000004.00001000.00020000.00000000.sdmp, HkObDPju6Z.exe, 00000008.00000002.477620370.0000000003220000.00000040.00001000.00020000.00000000.sdmp, HkObDPju6Z.exe, 00000008.00000002.477563045.00000000030C0000.00000004.00001000.00020000.00000000.sdmp, instructions_read_me.txt59.0.dr, instructions_read_me.txt56.0.dr, instructions_read_me.txt74.0.dr, instructions_read_me.txt71.0.dr, instructions_read_me.txt65.0.dr, instructions_read_me.txt2.0.drString found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
                      Source: HkObDPju6Z.exeString found in binary or memory: https://www.flos-freeware.ch
                      Source: HkObDPju6Z.exeString found in binary or memory: https://www.flos-freeware.chopenmailto:florian.balmer
                      Source: HkObDPju6Z.exeString found in binary or memory: https://www.rizonesoft.com
                      Source: HkObDPju6Z.exe, 00000000.00000003.371931160.00000000034E0000.00000004.00001000.00020000.00000000.sdmp, HkObDPju6Z.exe, 00000006.00000002.463365199.0000000003600000.00000040.00001000.00020000.00000000.sdmp, HkObDPju6Z.exe, 00000008.00000002.477620370.0000000003220000.00000040.00001000.00020000.00000000.sdmp, instructions_read_me.txt59.0.dr, instructions_read_me.txt56.0.dr, instructions_read_me.txt74.0.dr, instructions_read_me.txt71.0.dr, instructions_read_me.txt65.0.dr, instructions_read_me.txt2.0.drString found in binary or memory: https://www.torproject.org/

                      Spam, unwanted Advertisements and Ransom Demands

                      barindex
                      Source: Yara matchFile source: 6.2.HkObDPju6Z.exe.3600000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 6.2.HkObDPju6Z.exe.3600000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 8.2.HkObDPju6Z.exe.3220000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 8.2.HkObDPju6Z.exe.3220000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.3.HkObDPju6Z.exe.34e0000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.3.HkObDPju6Z.exe.34e0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000000.00000003.371931160.00000000034E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000008.00000002.477620370.0000000003220000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000006.00000002.463365199.0000000003600000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: HkObDPju6Z.exe PID: 6028, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: HkObDPju6Z.exe PID: 7028, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: HkObDPju6Z.exe PID: 4652, type: MEMORYSTR
                      Source: C:\Program Files\Windows Defender\Offline\instructions_read_me.txtDropped file: ATTENTION!Your network has been breached and all data was encrypted. Please contact us at:https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/ Login ID: 26d371a9-efda-4e82-9989-01e292244d65*!* To access .onion websites download and install Tor Browser at: https://www.torproject.org/ (Tor Browser is not related to us)*!* To restore all your PCs and get your network working again, follow these instructions:- Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. It doesn't matter, who are trying to do this, either it will be your IT guys or a recovery agency.Please follow these simple rules to avoid data corruption:- Do not modify, rename or delete files. Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. - Do not hire a recovery company. They can't decrypt without the key. They also don't care about your business. They believe that they are good negotiators, but it is not. They usually fail. So speak for yourself.Waiting you in a chat.
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\vssadmin.exe C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\vssadmin.exe C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\vssadmin.exe C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\vssadmin.exe C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\vssadmin.exe C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\vssadmin.exe C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeFile created: C:\MSOCache\All Users\{90160000-0016-0409-0000-0000000FF1CE}-C\ExcelLR.cab entropy: 7.99965605307Jump to dropped file
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeFile created: C:\MSOCache\All Users\{90160000-0018-0409-0000-0000000FF1CE}-C\PptLR.cab entropy: 7.99967707845Jump to dropped file
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeFile created: C:\MSOCache\All Users\{90160000-0019-0409-0000-0000000FF1CE}-C\PubLR.cab entropy: 7.99943691441Jump to dropped file
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeFile created: C:\MSOCache\All Users\{90160000-001A-0409-0000-0000000FF1CE}-C\OutlkLR.cab entropy: 7.99980996483Jump to dropped file
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeFile created: C:\MSOCache\All Users\{90160000-001B-0409-0000-0000000FF1CE}-C\WordLR.cab entropy: 7.99912178904Jump to dropped file
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeFile created: C:\MSOCache\All Users\{90160000-0044-0409-0000-0000000FF1CE}-C\InfLR.cab entropy: 7.99982545137Jump to dropped file
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeFile created: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\ProPsWW2.cab entropy: 7.99993160516Jump to dropped file
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeFile created: C:\MSOCache\All Users\{90160000-0090-0409-0000-0000000FF1CE}-C\DCFMUI.cab entropy: 7.99920950933Jump to dropped file
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeFile created: C:\MSOCache\All Users\{90160000-00BA-0409-0000-0000000FF1CE}-C\GrooveLR.cab entropy: 7.99391529268
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeFile created: C:\MSOCache\All Users\{90160000-00A1-0409-0000-0000000FF1CE}-C\OnoteLR.cab entropy: 7.99989863317
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeFile created: C:\MSOCache\All Users\{90160000-00E2-0409-0000-0000000FF1CE}-C\OSMUXMUI.cab entropy: 7.99984999643
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeFile created: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\ProPsWW.cab entropy: 7.99992937711Jump to dropped file
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeFile created: C:\MSOCache\All Users\{90160000-0115-0409-0000-0000000FF1CE}-C\OfficeLR.cab entropy: 7.99992916048
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeFile created: C:\MSOCache\All Users\{90160000-0116-0409-1000-0000000FF1CE}-C\OWOW64LR.cab entropy: 7.99856329527
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeFile created: C:\MSOCache\All Users\{90160000-012B-0409-0000-0000000FF1CE}-C\LyncMUI.cab entropy: 7.99982011438
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeFile created: C:\Program Files (x86)\AutoIt3\AutoIt.chm entropy: 7.99491747102
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeFile created: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab entropy: 7.99994142291Jump to dropped file
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeFile created: C:\Program Files (x86)\autoit3\AutoIt.chm.7878kr5jx (copy) entropy: 7.99491747102
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeFile created: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab.7878kr5jx (copy) entropy: 7.99994142291Jump to dropped file
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeFile created: C:\MSOCache\All Users\{90160000-0016-0409-0000-0000000FF1CE}-C\ExcelLR.cab.7878kr5jx (copy) entropy: 7.99965605307Jump to dropped file
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeFile created: C:\MSOCache\All Users\{90160000-0018-0409-0000-0000000FF1CE}-C\PptLR.cab.7878kr5jx (copy) entropy: 7.99967707845Jump to dropped file
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeFile created: C:\MSOCache\All Users\{90160000-0019-0409-0000-0000000FF1CE}-C\PubLR.cab.7878kr5jx (copy) entropy: 7.99943691441Jump to dropped file
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeFile created: C:\MSOCache\All Users\{90160000-001A-0409-0000-0000000FF1CE}-C\OutlkLR.cab.7878kr5jx (copy) entropy: 7.99980996483Jump to dropped file
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeFile created: C:\MSOCache\All Users\{90160000-001B-0409-0000-0000000FF1CE}-C\WordLR.cab.7878kr5jx (copy) entropy: 7.99912178904Jump to dropped file
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeFile created: C:\MSOCache\All Users\{90160000-0044-0409-0000-0000000FF1CE}-C\InfLR.cab.7878kr5jx (copy) entropy: 7.99982545137Jump to dropped file
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeFile created: C:\MSOCache\All Users\{90160000-0090-0409-0000-0000000FF1CE}-C\DCFMUI.cab.7878kr5jx (copy) entropy: 7.99920950933Jump to dropped file
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeFile created: C:\MSOCache\All Users\{90160000-00BA-0409-0000-0000000FF1CE}-C\GrooveLR.cab.7878kr5jx (copy) entropy: 7.99391529268
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeFile created: C:\MSOCache\All Users\{90160000-00A1-0409-0000-0000000FF1CE}-C\OnoteLR.cab.7878kr5jx (copy) entropy: 7.99989863317
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeFile created: C:\MSOCache\All Users\{90160000-00E2-0409-0000-0000000FF1CE}-C\OSMUXMUI.cab.7878kr5jx (copy) entropy: 7.99984999643
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeFile created: C:\MSOCache\All Users\{90160000-0115-0409-0000-0000000FF1CE}-C\OfficeLR.cab.7878kr5jx (copy) entropy: 7.99992916048
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeFile created: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\ProPsWW2.cab.7878kr5jx (copy) entropy: 7.99993160516Jump to dropped file
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeFile created: C:\MSOCache\All Users\{90160000-0116-0409-1000-0000000FF1CE}-C\OWOW64LR.cab.7878kr5jx (copy) entropy: 7.99856329527
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeFile created: C:\MSOCache\All Users\{90160000-012B-0409-0000-0000000FF1CE}-C\LyncMUI.cab.7878kr5jx (copy) entropy: 7.99982011438
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeFile created: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\ProPsWW.cab.7878kr5jx (copy) entropy: 7.99992937711Jump to dropped file
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeFile dropped: C:\Program Files\Windows Defender\Offline\instructions_read_me.txt -> decrypt or rename the files will lead to its fatal corruption. it doesn't matter, who are trying to do this, either it will be your it guys or a recovery agency.please follow these simple rules to avoid data corruption:- do not modify, rename or delete files. any attempts to modify, decrypt or rename the files will lead to its fatal corruption. - do not hire a recovery company. they can't decrypt without the key. they also don't care about your business. they believe that they are good negotiators, but it is not. they usually fail. so speak for yourself.waiting you in a chat.
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeFile dropped: C:\MSOCache\All Users\{90160000-001B-0409-0000-0000000FF1CE}-C\instructions_read_me.txt -> decrypt or rename the files will lead to its fatal corruption. it doesn't matter, who are trying to do this, either it will be your it guys or a recovery agency.please follow these simple rules to avoid data corruption:- do not modify, rename or delete files. any attempts to modify, decrypt or rename the files will lead to its fatal corruption. - do not hire a recovery company. they can't decrypt without the key. they also don't care about your business. they believe that they are good negotiators, but it is not. they usually fail. so speak for yourself.waiting you in a chat.Jump to dropped file
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeFile dropped: C:\Program Files\Windows Defender Advanced Threat Protection\en-US\instructions_read_me.txt -> decrypt or rename the files will lead to its fatal corruption. it doesn't matter, who are trying to do this, either it will be your it guys or a recovery agency.please follow these simple rules to avoid data corruption:- do not modify, rename or delete files. any attempts to modify, decrypt or rename the files will lead to its fatal corruption. - do not hire a recovery company. they can't decrypt without the key. they also don't care about your business. they believe that they are good negotiators, but it is not. they usually fail. so speak for yourself.waiting you in a chat.
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeFile dropped: C:\MSOCache\All Users\{90160000-002C-0409-0000-0000000FF1CE}-C\instructions_read_me.txt -> decrypt or rename the files will lead to its fatal corruption. it doesn't matter, who are trying to do this, either it will be your it guys or a recovery agency.please follow these simple rules to avoid data corruption:- do not modify, rename or delete files. any attempts to modify, decrypt or rename the files will lead to its fatal corruption. - do not hire a recovery company. they can't decrypt without the key. they also don't care about your business. they believe that they are good negotiators, but it is not. they usually fail. so speak for yourself.waiting you in a chat.Jump to dropped file
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeFile dropped: C:\Program Files\Windows Media Player\en-US\instructions_read_me.txt -> decrypt or rename the files will lead to its fatal corruption. it doesn't matter, who are trying to do this, either it will be your it guys or a recovery agency.please follow these simple rules to avoid data corruption:- do not modify, rename or delete files. any attempts to modify, decrypt or rename the files will lead to its fatal corruption. - do not hire a recovery company. they can't decrypt without the key. they also don't care about your business. they believe that they are good negotiators, but it is not. they usually fail. so speak for yourself.waiting you in a chat.
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeFile dropped: C:\Program Files\Google\instructions_read_me.txt -> decrypt or rename the files will lead to its fatal corruption. it doesn't matter, who are trying to do this, either it will be your it guys or a recovery agency.please follow these simple rules to avoid data corruption:- do not modify, rename or delete files. any attempts to modify, decrypt or rename the files will lead to its fatal corruption. - do not hire a recovery company. they can't decrypt without the key. they also don't care about your business. they believe that they are good negotiators, but it is not. they usually fail. so speak for yourself.waiting you in a chat.
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeFile dropped: C:\Program Files\internet explorer\instructions_read_me.txt -> decrypt or rename the files will lead to its fatal corruption. it doesn't matter, who are trying to do this, either it will be your it guys or a recovery agency.please follow these simple rules to avoid data corruption:- do not modify, rename or delete files. any attempts to modify, decrypt or rename the files will lead to its fatal corruption. - do not hire a recovery company. they can't decrypt without the key. they also don't care about your business. they believe that they are good negotiators, but it is not. they usually fail. so speak for yourself.waiting you in a chat.
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeFile dropped: C:\Program Files\Microsoft Office\instructions_read_me.txt -> decrypt or rename the files will lead to its fatal corruption. it doesn't matter, who are trying to do this, either it will be your it guys or a recovery agency.please follow these simple rules to avoid data corruption:- do not modify, rename or delete files. any attempts to modify, decrypt or rename the files will lead to its fatal corruption. - do not hire a recovery company. they can't decrypt without the key. they also don't care about your business. they believe that they are good negotiators, but it is not. they usually fail. so speak for yourself.waiting you in a chat.
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeFile dropped: C:\Program Files\MSBuild\instructions_read_me.txt -> decrypt or rename the files will lead to its fatal corruption. it doesn't matter, who are trying to do this, either it will be your it guys or a recovery agency.please follow these simple rules to avoid data corruption:- do not modify, rename or delete files. any attempts to modify, decrypt or rename the files will lead to its fatal corruption. - do not hire a recovery company. they can't decrypt without the key. they also don't care about your business. they believe that they are good negotiators, but it is not. they usually fail. so speak for yourself.waiting you in a chat.
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeFile dropped: C:\Program Files\Reference Assemblies\instructions_read_me.txt -> decrypt or rename the files will lead to its fatal corruption. it doesn't matter, who are trying to do this, either it will be your it guys or a recovery agency.please follow these simple rules to avoid data corruption:- do not modify, rename or delete files. any attempts to modify, decrypt or rename the files will lead to its fatal corruption. - do not hire a recovery company. they can't decrypt without the key. they also don't care about your business. they believe that they are good negotiators, but it is not. they usually fail. so speak for yourself.waiting you in a chat.
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\vssadmin.exe C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\vssadmin.exe C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\vssadmin.exe C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
                      Source: HkObDPju6Z.exe, 00000000.00000003.371931160.00000000034E0000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
                      Source: HkObDPju6Z.exe, 00000000.00000003.371931160.00000000034E0000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: @xh.7878kr5jxC:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet4
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\vssadmin.exe C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
                      Source: cmd.exe, 00000001.00000002.374399164.00000000030A0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Windows\system32\cmd.exe/cC:\Windows\SysNative\vssadmin.exedeleteshadows/all/quiets\ha
                      Source: cmd.exe, 00000001.00000002.374399164.00000000030A0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: indows\system32\cmd.exe c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
                      Source: cmd.exe, 00000001.00000002.374318259.0000000002CE0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Users\user\Desktop\C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quietC:\Windows\system32\cmd.exeWinsta0\Default@
                      Source: cmd.exe, 00000001.00000002.374318259.0000000002CE0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
                      Source: cmd.exe, 00000001.00000002.374318259.0000000002CE0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
                      Source: cmd.exe, 00000001.00000002.374318259.0000000002CE0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
                      Source: cmd.exe, 00000001.00000002.374301135.0000000002BF0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Users\user\Desktop\C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quietC:\Windows\system32\cmd.exeWinsta0\Default@
                      Source: cmd.exe, 00000001.00000002.374301135.0000000002BF0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Users\user\Desktop\C:\Windows\system32\vssadmin.exexeC:\Windows\SysNative\vssadmin.exe delete shadows /all /quietnsC:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet=CWinsta0\DefaultDat=::=::\ALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\RoamingCommonProg\Registry\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\SideBySideiersmmon FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=computerComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\computerNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 85 Stepping 7, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=5507ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProg\Regi\Registry\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\SideBySideram Files (xE
                      Source: vssadmin.exe, 00000003.00000002.374108724.000001DA56200000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Users\user\Desktop\C:\Windows\system32\vssadmin.exeC:\Windows\SysNative\vssadmin.exe delete shadows /all /quietC:\Windows\SysNative\vssadmin.exe delete shadows /all /quietWinsta0\DefaultC
                      Source: vssadmin.exe, 00000003.00000002.374108724.000001DA56200000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
                      Source: vssadmin.exe, 00000003.00000002.374147559.000001DA564D5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Windows\SysNative\vssadmin.exedeleteshadows/all/quiet
                      Source: HkObDPju6Z.exe, 00000006.00000002.463267031.00000000015D7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ws\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
                      Source: HkObDPju6Z.exe, 00000006.00000002.463267031.00000000015D7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ws\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quietF
                      Source: HkObDPju6Z.exe, 00000006.00000002.463267031.00000000015D7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: indows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet!
                      Source: HkObDPju6Z.exe, 00000006.00000002.463253213.0000000001480000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Users\user\Desktop\C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quietC:\Windows\system32\cmd.exeWinsta0\Default
                      Source: HkObDPju6Z.exe, 00000006.00000002.463365199.0000000003600000.00000040.00001000.00020000.00000000.sdmpBinary or memory string: C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
                      Source: HkObDPju6Z.exe, 00000006.00000002.463365199.0000000003600000.00000040.00001000.00020000.00000000.sdmpBinary or memory string: xh.7878kr5jxC:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet4
                      Source: HkObDPju6Z.exe, 00000008.00000002.477620370.0000000003220000.00000040.00001000.00020000.00000000.sdmpBinary or memory string: C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
                      Source: HkObDPju6Z.exe, 00000008.00000002.477620370.0000000003220000.00000040.00001000.00020000.00000000.sdmpBinary or memory string: xh.7878kr5jxC:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet4
                      Source: HkObDPju6Z.exe, 00000008.00000002.477507649.0000000001207000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ws\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
                      Source: HkObDPju6Z.exe, 00000008.00000002.477494135.00000000011D0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Users\user\Desktop\C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quietC:\Windows\system32\cmd.exeWinsta0\Default
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\vssadmin.exe C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
                      Source: cmd.exe, 0000000A.00000002.461433351.0000000003560000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Windows\system32\cmd.exe/cC:\Windows\SysNative\vssadmin.exedeleteshadows/all/quiets\ha
                      Source: cmd.exe, 0000000A.00000002.461433351.0000000003560000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: indows\system32\cmd.exe c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
                      Source: cmd.exe, 0000000A.00000002.460463531.0000000003270000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Users\user\Desktop\C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quietC:\Windows\system32\cmd.exeWinsta0\Default@
                      Source: cmd.exe, 0000000A.00000002.460463531.0000000003270000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Users\user\Desktop\C:\Windows\system32\vssadmin.exexeC:\Windows\SysNative\vssadmin.exe delete shadows /all /quietnsC:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet=CWinsta0\DefaultDat=::=::\ALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\RoamingCommonProg\Registry\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\SideBySideiersmmon FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=computerComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\computerNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 85 Stepping 7, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=5507ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProg\Regi\Registry\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\SideBySideram Files (xE
                      Source: cmd.exe, 0000000A.00000002.459523393.0000000003140000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Users\user\Desktop\C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quietC:\Windows\system32\cmd.exeWinsta0\Default@
                      Source: cmd.exe, 0000000A.00000002.459523393.0000000003140000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
                      Source: cmd.exe, 0000000A.00000002.459523393.0000000003140000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
                      Source: cmd.exe, 0000000A.00000002.459523393.0000000003140000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
                      Source: vssadmin.exe, 0000000C.00000002.454424473.0000023F78645000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Windows\SysNative\vssadmin.exedeleteshadows/all/quiet
                      Source: vssadmin.exe, 0000000C.00000002.454362797.000000B53E9AB000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: - Code: ADMPROCC00001737- Call: ADMPROCC00001712- PID: 00006840- TID: 00001768- CMD: C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet - User: Name: computer\user, SID:S-1-5-21-3853321935-2125563209-4053062332-1002
                      Source: vssadmin.exe, 0000000C.00000002.454438071.0000023F78672000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: - Code: ADMPROCC00001737- Call: ADMPROCC00001712- PID: 00006840- TID: 00001768- CMD: C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet - User: Name: computer\user, SID:S-1-5-21-3853321935-2125563209-4053062332-1002
                      Source: vssadmin.exe, 0000000C.00000002.454438071.0000023F78660000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Users\user\Desktop\C:\Windows\system32\vssadmin.exeC:\Windows\SysNative\vssadmin.exe delete shadows /all /quietC:\Windows\SysNative\vssadmin.exe delete shadows /all /quietWinsta0\Default
                      Source: vssadmin.exe, 0000000C.00000002.454438071.0000023F78660000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\vssadmin.exe C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
                      Source: cmd.exe, 0000000D.00000002.473127980.0000000002DC0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Users\user\Desktop\C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quietC:\Windows\system32\cmd.exeWinsta0\Default@
                      Source: cmd.exe, 0000000D.00000002.473127980.0000000002DC0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Users\user\Desktop\C:\Windows\system32\vssadmin.exexeC:\Windows\SysNative\vssadmin.exe delete shadows /all /quietnsC:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet=CWinsta0\DefaultDat=::=::\ALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\RoamingCommonProg\Registry\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\SideBySideiersmmon FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=computerComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\computerNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 85 Stepping 7, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=5507ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProg\Regi\Registry\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\SideBySideram Files (xE
                      Source: cmd.exe, 0000000D.00000002.469976377.0000000002DB0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Windows\system32\cmd.exe/cC:\Windows\SysNative\vssadmin.exedeleteshadows/all/quiets\haTw
                      Source: cmd.exe, 0000000D.00000002.469976377.0000000002DB0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: indows\system32\cmd.exe c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
                      Source: cmd.exe, 0000000D.00000002.473823877.0000000002EC0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Users\user\Desktop\C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quietC:\Windows\system32\cmd.exeWinsta0\Default@
                      Source: cmd.exe, 0000000D.00000002.473823877.0000000002EC0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
                      Source: cmd.exe, 0000000D.00000002.473823877.0000000002EC0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
                      Source: cmd.exe, 0000000D.00000002.473823877.0000000002EC0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
                      Source: vssadmin.exe, 0000000F.00000002.463763025.000001A7DE5A0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Users\user\Desktop\C:\Windows\system32\vssadmin.exeC:\Windows\SysNative\vssadmin.exe delete shadows /all /quietC:\Windows\SysNative\vssadmin.exe delete shadows /all /quietWinsta0\Defaultf
                      Source: vssadmin.exe, 0000000F.00000002.463763025.000001A7DE5A0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
                      Source: vssadmin.exe, 0000000F.00000002.463763025.000001A7DE5A0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet"
                      Source: vssadmin.exe, 0000000F.00000002.463763025.000001A7DE5B2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: - Code: ADMPROCC00001737- Call: ADMPROCC00001712- PID: 00005700- TID: 00005672- CMD: C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet - User: Name: computer\user, SID:S-1-5-21-3853321935-2125563209-4053062332-1002
                      Source: vssadmin.exe, 0000000F.00000002.463695666.0000007A194FB000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: - Code: ADMPROCC00001737- Call: ADMPROCC00001712- PID: 00005700- TID: 00005672- CMD: C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet - User: Name: computer\user, SID:S-1-5-21-3853321935-2125563209-4053062332-1002
                      Source: vssadmin.exe, 0000000F.00000002.463870704.000001A7DE825000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Windows\SysNative\vssadmin.exedeleteshadows/all/quiet9
                      Source: HkObDPju6Z.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeCode function: 6_2_001F4B90
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeCode function: 6_2_00224150
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeCode function: 6_2_0023A184
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeCode function: 6_2_002382A6
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeCode function: 6_2_0023A5A5
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeCode function: 6_2_00224590
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeCode function: 6_2_002385EE
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeCode function: 6_2_002685C0
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeCode function: 6_2_0020A800
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeCode function: 6_2_00238945
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeCode function: 6_2_0023A9D5
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeCode function: 6_2_0025EA87
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeCode function: 6_2_00238C8D
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeCode function: 6_2_00250EC2
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeCode function: 6_2_00208FD0
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeCode function: 6_2_0023901B
                      Source: C:\Users\user\Desktop\HkObDPju6Z.exeCode function: 6_2_0022107A