Windows Analysis Report
HkObDPju6Z.exe

Overview

General Information

Sample Name: HkObDPju6Z.exe
Analysis ID: 886219
MD5: 6441d7260944bcedc5958c5c8a05d16d
SHA1: 46257982840493eca90e051ff1749e7040895584
SHA256: 723d1cf3d74fb3ce95a77ed9dff257a78c8af8e67a82963230dd073781074224

Detection

BlackBasta
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected BlackBasta ransomware
Found ransom note / readme
Found Tor onion address
Machine Learning detection for sample
Contains functionality to modify clipboard data
May disable shadow drive data (uses vssadmin)
Writes a notice file (html or txt) to demand a ransom
Deletes shadow drive data (may be related to ransomware)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Abnormal high CPU Usage
AV process strings found (often used to terminate AV products)
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
Extensive use of GetProcAddress (often used to hide API calls)
Tries to load missing DLLs
Contains functionality to read the PEB
Found large amount of non-executed APIs
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)
Contains functionality for read data from the clipboard
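The signatures above name behaviours but do not show how to detect them. The following is an added example, not part of the Joe Sandbox report, that turns two of them into detection logic: shadow-copy deletion through vssadmin, and the ransom note (instructions_read_me.txt, the name seen in this report) being written into many directories by one process in a short burst. The telemetry shape (Sysmon-style event IDs 1 and 11 with ISO timestamps), the sample events, and the thresholds (five directories inside sixty seconds) are assumptions chosen for the demonstration; only the note name and the vssadmin behaviour come from the report.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

RANSOM_NOTE = "instructions_read_me.txt"   # note name seen in the report
MALWARE = r"C:\Users\user\Desktop\HkObDPju6Z.exe"
# Documented vssadmin syntax for shadow-copy removal: vssadmin delete shadows [/all] [/quiet]
VSSADMIN_DELETE = re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)

# Constructed telemetry (not from the sandbox): id 1 = process create carrying the
# command line, id 11 = file create carrying the target path (Sysmon numbering).
SAMPLE_EVENTS = [
    {"ts": "2023-06-01T10:00:00", "id": 1, "image": MALWARE, "cmdline": MALWARE},
    {"ts": "2023-06-01T10:00:02", "id": 1, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    # A user saving one file with the same name must not trip the burst rule.
    {"ts": "2023-06-01T10:00:03", "id": 11, "image": r"C:\Windows\explorer.exe",
     "target": r"C:\Users\user\Documents\instructions_read_me.txt"},
]
_NOTE_DIRS = [r"C:\Program Files", r"C:\Program Files\Common Files", r"C:\Program Files\Google",
              r"C:\Program Files\Mozilla Firefox", r"C:\Program Files\Windows Defender",
              r"C:\Program Files\WindowsPowerShell"]
SAMPLE_EVENTS += [
    {"ts": f"2023-06-01T10:00:{5 + i:02d}", "id": 11, "image": MALWARE,
     "target": d + "\\" + RANSOM_NOTE}
    for i, d in enumerate(_NOTE_DIRS)
]


def find_shadow_deletion(events):
    """Command lines that remove VSS shadow copies (the 'uses vssadmin' signature)."""
    return [e["cmdline"] for e in events
            if e["id"] == 1 and VSSADMIN_DELETE.search(e.get("cmdline", ""))]


def find_note_burst(events, note=RANSOM_NOTE, min_dirs=5, window=timedelta(seconds=60)):
    """Map writer image -> number of distinct directories that received `note`
    within one `window`, for writers that reached `min_dirs`. One note in one
    directory is ordinary user activity; the burst across directories is the tell."""
    writes = defaultdict(list)
    for e in events:
        if e["id"] == 11 and PureWindowsPath(e["target"]).name.lower() == note:
            writes[e["image"]].append((datetime.fromisoformat(e["ts"]),
                                       str(PureWindowsPath(e["target"]).parent)))
    hits = {}
    for image, seq in writes.items():
        seq.sort()
        for i, (t0, _) in enumerate(seq):          # slide the window start forward
            dirs = {d for t, d in seq[i:] if t - t0 <= window}
            if len(dirs) >= min_dirs:
                hits[image] = len(dirs)
                break
    return hits


def triage(events):
    """Run both checks; any non-empty value is an alert."""
    return {"shadow_deletion": find_shadow_deletion(events),
            "note_burst": find_note_burst(events)}


if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```

On real telemetry the burst threshold should be tuned to the host: the report shows the note landing in well over a hundred directories, so a low threshold such as five still fires early while the single-file case from a user stays quiet.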

Classification

Name: Black Basta
Description: "Black Basta" is a ransomware strain first observed in April 2022; it appears to have been in development since at least early February 2022. Given how quickly the group amassed new victims and the style of its negotiations, this is likely not a new operation but a rebrand of a previous top-tier ransomware gang that brought its affiliates along.
Attribution: No Attribution
Blogpost URLs: none
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.blackbasta

AV Detection

Source: HkObDPju6Z.exe ReversingLabs: Detection: 59%
Source: HkObDPju6Z.exe Virustotal: Detection: 69%
Source: HkObDPju6Z.exe Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 10_2_02A7ECB0 CryptAcquireContextA,CryptAcquireContextA,GetLastError,CryptAcquireContextA,CryptAcquireContextA,SetLastError,CryptAcquireContextA, 10_2_02A7ECB0
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 10_2_02A7F280 CryptReleaseContext, 10_2_02A7F280
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 10_2_02A7F390 CryptGenRandom,CryptReleaseContext, 10_2_02A7F390
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 10_2_02AEA750 CryptReleaseContext, 10_2_02AEA750
Source: HkObDPju6Z.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Google\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Internet Explorer\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Microsoft Office\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Microsoft Office 15\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Microsoft Update Health Tools\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Mozilla Firefox\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\MSBuild\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Realtek\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Reference Assemblies\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\ruxim\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Uninstall Information\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\UNP\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Windows Defender\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Windows Defender Advanced Threat Protection\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Windows Mail\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Windows Media Player\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Windows Multimedia Platform\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Windows NT\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Windows Photo Viewer\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Windows Portable Devices\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Windows Security\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\WindowsPowerShell\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\DESIGNER\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\Services\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\System\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Google\Chrome\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Internet Explorer\en-GB\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Internet Explorer\en-US\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Internet Explorer\images\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Internet Explorer\SIGNUP\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Microsoft Office\Office16\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Microsoft Office\PackageManifests\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Microsoft Office\root\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Microsoft Office\Updates\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Microsoft Office 15\ClientX64\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Microsoft Update Health Tools\Logs\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Mozilla Firefox\browser\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Mozilla Firefox\defaults\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Mozilla Firefox\fonts\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Mozilla Firefox\gmp-clearkey\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Mozilla Firefox\META-INF\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Mozilla Firefox\uninstall\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\MSBuild\Microsoft\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\af-ZA\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\ar\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\az-Latn-AZ\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\bg\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\bs-Latn-BA\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\ca-ES\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\cs\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\cy-GB\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\da\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\de\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\el-GR\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\en-GB\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\en-US\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\es\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\es-MX\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\et\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\eu-ES\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\fa-IR\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\fi\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\fr\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\fr-CA\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\gl-ES\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\he\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\hr\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\hu\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\id\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\is-IS\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\it\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\ja\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\ka-GE\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\kk-KZ\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\ko\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\lt\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\lv\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\ms-MY\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\nb\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\nl\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\nn-NO\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\pl\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\pt\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\pt-PT\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\ro\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\ru\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\sk\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\sl\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\sq-AL\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\sr-Cyrl-BA\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\sr-latn\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\sv\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\th\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\tr-TR\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\uk\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\ux\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\vi\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\zh-hans\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\zh-hant\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Realtek\Audio\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Reference Assemblies\Microsoft\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\ruxim\ar-sa\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\ruxim\bg-bg\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\ruxim\cs-sz\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\ruxim\da-dk\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\ruxim\de-de\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\ruxim\el-gr\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\ruxim\en-gb\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\ruxim\en-us\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\ruxim\es-es\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\ruxim\es-mx\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\ruxim\et-ee\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\ruxim\fi-fi\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\ruxim\fr-ca\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\ruxim\fr-fr\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\ruxim\he-il\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\ruxim\hr-hr\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\ruxim\hu-hu\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\ruxim\it-it\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\ruxim\ja-jp\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\ruxim\ko-kr\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\ruxim\Logs\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\ruxim\lt-lt\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\ruxim\lv-lv\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\ruxim\nb-no\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\ruxim\nl-nl\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\ruxim\pl-pl\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\ruxim\pt-br\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\ruxim\pt-pt\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\ruxim\ro-ro\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\ruxim\ru-ru\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\ruxim\sk-sk\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\ruxim\sl-latn-rs\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\ruxim\sl-si\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\ruxim\sv-se\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\ruxim\th-th\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\ruxim\tr-tr\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\ruxim\uk-ua\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\ruxim\zh-cn\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\ruxim\zh-tw\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\UNP\Logs\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Windows Defender\en-GB\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Windows Defender\en-US\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Windows Defender\Offline\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Windows Defender\Platform\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Windows Defender Advanced Threat Protection\Classification\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Windows Defender Advanced Threat Protection\en-US\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Windows Media Player\en-GB\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Windows Media Player\en-US\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Windows Media Player\Media Renderer\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Windows Media Player\Network Sharing\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Windows Media Player\Skins\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Windows Media Player\Visualizations\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Windows NT\Accessories\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Windows NT\TableTextService\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Windows Photo Viewer\en-GB\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Windows Photo Viewer\en-US\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Windows Security\BrowserCore\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\WindowsPowerShell\Modules\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\ClickToRun\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\MSInfo\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\OFFICE16\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\Stationery\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\TextConv\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\Triedit\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\VGX\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\VSTO\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\System\ado\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\System\en-GB\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\System\en-US\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\System\msadc\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\System\Ole DB\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Google\Chrome\Application\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Microsoft Office\root\Client\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Microsoft Office\root\Document Themes 16\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Microsoft Office\root\fre\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Microsoft Office\root\Integration\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Microsoft Office\root\Licenses\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Microsoft Office\root\Licenses16\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Microsoft Office\root\loc\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Microsoft Office\root\Office15\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Microsoft Office\root\Office16\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Microsoft Office\root\rsod\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Microsoft Office\root\Stationery\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Microsoft Office\root\Templates\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Microsoft Office\root\vfs\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Microsoft Office\root\vreg\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Microsoft Office\Updates\Apply\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Microsoft Office\Updates\Download\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Mozilla Firefox\browser\features\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Mozilla Firefox\browser\META-INF\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Mozilla Firefox\browser\VisualElements\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Mozilla Firefox\defaults\pref\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\ux\resources\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\ux\static\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Realtek\Audio\HDA\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Reference Assemblies\Microsoft\Framework\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Windows NT\Accessories\en-US\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Windows NT\TableTextService\en-US\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Windows Security\BrowserCore\en-US\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\WindowsPowerShell\Modules\PackageManagement\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\WindowsPowerShell\Modules\Pester\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\WindowsPowerShell\Modules\PSReadline\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\ar-SA\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\bg-BG\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\da-DK\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\de-DE\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\el-GR\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\en-GB\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\en-US\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\es-ES\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\es-MX\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\et-EE\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\fi-FI\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\fr-CA\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\fr-FR\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\he-IL\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\hr-HR\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\hu-HU\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\it-IT\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\ja-JP\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\ko-KR\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\lt-LT\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\lv-LV\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\nb-NO\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\nl-NL\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\pl-PL\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\pt-BR\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\pt-PT\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\ro-RO\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\ru-RU\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\sk-SK\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\sl-SI\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\sv-SE\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\th-TH\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\tr-TR\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\uk-UA\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\zh-CN\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\zh-TW\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\MSInfo\en-GB\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\TextConv\en-US\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\Triedit\en-US\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\VSTO\10.0\instructions_read_me.txt Jump to behavior
Source: HkObDPju6Z.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: E:\cpp\calc\Bin\Release_x86_v143\minipath.pdb source: HkObDPju6Z.exe
Source: Binary string: rocess-l1-1-0.pdb source: api-ms-win-crt-process-l1-1-0.dll.3.dr
Source: Binary string: K0S\ship\lobiclient\x-none\EntityPicker.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000{ source: EntityPicker.dll.3.dr
Source: Binary string: d:\dbs\el\may\target\x64\ship\osm\x-none\MSBARCODE.pdb0000000000000 source: MSBARCODE.DLL.3.dr
Source: Binary string: D:\Extra\react\chakradbg\arm64\build\bin\x64\Release\ChakraCore.Debugger.pdbBB"! source: ChakraCore.Debugger.dll.3.dr
Source: Binary string: G0.pdb source: api-ms-win-core-xstate-l2-1-0.dll.3.dr
Source: Binary string: d:\dbs\el\may\target\x64\ship\osm\x-none\MSBARCODE.pdb source: MSBARCODE.DLL.3.dr
Source: Binary string: ;\ship\intldate\x-none\IntlDate.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 source: INTLDATE.DLL.3.dr
Source: Binary string: ;\ship\intldate\x-none\IntlDate.pdb source: INTLDATE.DLL.3.dr
Source: Binary string: S\ship\lobiclient\x-none\EntityPicker.pdb source: EntityPicker.dll.3.dr
Source: Binary string: d:\dbs\el\jul\target\x64\ship\click2run\x-none\Interceptor.pdb source: Interceptor.dll.3.dr
Source: Binary string: d:\dbs\el\jul\target\x64\ship\click2run\x-none\Interceptor.pdb0000000000000000000000000000000000000 source: Interceptor.dll.3.dr
Source: Binary string: D:\Extra\react\chakradbg\arm64\build\bin\x64\Release\ChakraCore.Debugger.pdb source: ChakraCore.Debugger.dll.3.dr
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 10_2_0083605C FindFirstFileExW, 10_2_0083605C
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 10_2_007EE3D0 PathCompactPathExW,LoadStringW,LoadStringW,LoadStringW,SendMessageW,GetParent,DoDragDrop,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SHGetDataFromIDListW,FindFirstFileW,FindClose,StrFormatByteSizeW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetDateFormatW,GetTimeFormatW,lstrcpyW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,wsprintfW,SendMessageW,wsprintfW,lstrcmpW,SendMessageW,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree,StrRetToBufW,StrRetToBufW,StrRetToBufW,SHGetFileInfoW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,lstrcmpW, 10_2_007EE3D0
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 10_2_00836446 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 10_2_00836446
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 10_2_02A4CB30 FindFirstFileW,lstrcmpW,FindNextFileW,GetLastError,FindClose,GetTempPathW,RegCreateKeyExW,GetTickCount, 10_2_02A4CB30
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 10_2_02AD8642 FindFirstFileExW, 10_2_02AD8642
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 10_2_02A4C4FE FindFirstFileW,lstrcmpW,FindNextFileW,GetLastError,FindClose, 10_2_02A4C4FE

Networking

Source: HkObDPju6Z.exe, 00000003.00000003.22575159083.0000000002F20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
Source: HkObDPju6Z.exe String found in binary or memory: ATTENTION! Your network has been breached and all data was encrypted. Please contact us at: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/ Login ID: 26d371a9-efda-4e82-9989-01e292244d65 *!* To access .onion websites downlo
Source: HkObDPju6Z.exe String found in binary or memory: ATTENTION!Your network has been breached and all data was encrypted. Please contact us at:https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/ Login ID: 26d371a9-efda-4e82-9989-01e292244d65*!* To access .onion websites downlo
Source: HkObDPju6Z.exe, 0000000A.00000003.22756871962.00000000028F0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
Source: HkObDPju6Z.exe, 0000000A.00000002.22779639838.0000000000D20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
Source: HkObDPju6Z.exe, 0000000A.00000002.22781985168.0000000002A40000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
Source: HkObDPju6Z.exe, 0000000E.00000002.22855902907.0000000002900000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
Source: HkObDPju6Z.exe, 0000000E.00000003.22839485707.0000000002980000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
Source: HkObDPju6Z.exe, 0000000E.00000002.22856927512.0000000002A90000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
Source: notepad.exe, 0000001E.00000002.27586886931.0000000003343000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
Source: instructions_read_me.txt46.3.dr String found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
Source: instructions_read_me.txt51.3.dr String found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
Source: instructions_read_me.txt79.3.dr String found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
Source: instructions_read_me.txt78.3.dr String found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
Source: instructions_read_me.txt39.3.dr String found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
Source: instructions_read_me.txt13.3.dr String found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
Source: instructions_read_me.txt21.3.dr String found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
Source: instructions_read_me.txt38.3.dr String found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
Source: instructions_read_me.txt40.3.dr String found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
Source: instructions_read_me.txt15.3.dr String found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
Source: instructions_read_me.txt57.3.dr String found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
Source: instructions_read_me.txt71.3.dr String found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
Source: instructions_read_me.txt6.3.dr String found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
Source: instructions_read_me.txt69.3.dr String found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
Source: instructions_read_me.txt30.3.dr String found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
Source: instructions_read_me.txt54.3.dr String found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
Source: instructions_read_me.txt2.3.dr String found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
Source: instructions_read_me.txt18.3.dr String found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
Source: instructions_read_me.txt41.3.dr String found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
Source: ChakraCore.Debugger.dll.3.dr String found in binary or memory: http://crl.mi)
Source: C2RINTL.vi-vn.dll.3.dr, Interceptor.dll.3.dr, MSBARCODE.DLL.3.dr String found in binary or memory: http://crl.mic
Source: inventory.dll.3.dr String found in binary or memory: http://crl.mic&
Source: api-ms-win-crt-stdio-l1-1-0.dll.3.dr String found in binary or memory: http://crl.micro
Source: api-ms-win-core-xstate-l2-1-0.dll.3.dr String found in binary or memory: http://crl.micrpNi
Source: MAPISHELL.DLL.3.dr String found in binary or memory: http://crl.miy
Source: ProjectPro2019VL_MAK_AE-pl.xrm-ms.3.dr String found in binary or memory: http://www.microsoft.
Source: HkObDPju6Z.exe, 00000003.00000003.22622038049.0000000001070000.00000004.00000020.00020000.00000000.sdmp, C2RINTL.ru-ru.dll.3.dr, AccessR_Grace-ul-oob.xrm-ms.3.dr String found in binary or memory: http://www.microsoft.c
Source: ProjectProCO365R_Subscription-pl.xrm-ms.3.dr, Access2021VL_MAK_AE-pl.xrm-ms.3.dr, Publisher2021R_Retail2-pl.xrm-ms.3.dr String found in binary or memory: http://www.microsoft.co
Source: O365EduCloudEDUR_Subscription-pl.xrm-ms.3.dr String found in binary or memory: http://www.microsoft.cog
Source: StartMenu_Win8.mp4.3.dr, StartMenu_Win10_RTL.mp4.3.dr String found in binary or memory: http://www.videolan.org/x264.html
Source: ProjectPro2021VL_MAK_AE1-ul-oob.xrm-ms.3.dr String found in binary or memory: http://www.w3.
Source: Publisher2019R_Retail-ul-oob.xrm-ms.3.dr String found in binary or memory: http://www.w3.5(
Source: ProjectProCO365R_SubTest-ul-oob.xrm-ms.3.dr String found in binary or memory: http://www.w3.L
Source: Standard2021MSDNR_Retail-ul-oob.xrm-ms.3.dr String found in binary or memory: http://www.w3.i
Source: O365HomePremR_SubTrial4-ul-oob.xrm-ms.3.dr, Publisher2021R_Trial-ul-oob.xrm-ms.3.dr, Standard2021R_Retail-ul-oob.xrm-ms.3.dr, Access2021R_Retail-pl.xrm-ms.3.dr, ProPlusVL_KMS_Client-ul.xrm-ms.3.dr, Standard2019VL_MAK_AE-ul-phn.xrm-ms.3.dr String found in binary or memory: http://www.w3.o
Source: O365HomePremR_SubTrial5-ul-oob.xrm-ms.3.dr String found in binary or memory: http://www.w3.od9(
Source: O365HomePremR_SubTrial4-ul-oob.xrm-ms.3.dr, Access2021VL_MAK_AE-ul-oob.xrm-ms.3.dr, Standard2021R_Trial-ul-oob.xrm-ms.3.dr, Access2019VL_MAK_AE-ul-oob.xrm-ms.3.dr, ProfessionalR_Trial-ul-oob.xrm-ms.3.dr String found in binary or memory: http://www.w3.or
Source: VisioPro2019R_Grace-ul-oob.xrm-ms.3.dr String found in binary or memory: http://www.w3.orQZ
Source: Standard2019R_Grace-ul-oob.xrm-ms.3.dr String found in binary or memory: http://www.w3.orRR
Source: Standard2021R_Grace-ul-oob.xrm-ms.3.dr String found in binary or memory: http://www.w3.oro
Source: O365HomePremR_SubTrial5-ul-oob.xrm-ms.3.dr String found in binary or memory: http://www.w3.orqq5
Source: HkObDPju6Z.exe, HkObDPju6Z.exe, 0000000A.00000003.22756871962.00000000028F0000.00000004.00001000.00020000.00000000.sdmp, HkObDPju6Z.exe, 0000000A.00000002.22779639838.0000000000D20000.00000004.00001000.00020000.00000000.sdmp, HkObDPju6Z.exe, 0000000A.00000002.22781985168.0000000002A40000.00000040.00001000.00020000.00000000.sdmp, HkObDPju6Z.exe, 0000000E.00000002.22855902907.0000000002900000.00000004.00001000.00020000.00000000.sdmp, HkObDPju6Z.exe, 0000000E.00000003.22839485707.0000000002980000.00000004.00001000.00020000.00000000.sdmp, HkObDPju6Z.exe, 0000000E.00000002.22856927512.0000000002A90000.00000040.00001000.00020000.00000000.sdmp, notepad.exe, 0000001E.00000002.27586886931.0000000003343000.00000004.00000020.00020000.00000000.sdmp, instructions_read_me.txt46.3.dr, instructions_read_me.txt51.3.dr, instructions_read_me.txt79.3.dr, instructions_read_me.txt78.3.dr, instructions_read_me.txt39.3.dr, instructions_read_me.txt13.3.dr, instructions_read_me.txt21.3.dr, instructions_read_me.txt38.3.dr, instructions_read_me.txt40.3.dr, instructions_read_me.txt15.3.dr, instructions_read_me.txt57.3.dr, instructions_read_me.txt71.3.dr, instructions_read_me.txt6.3.dr String found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
Source: inventory.dll.3.dr String found in binary or memory: https://clients.config.office.net/collec
Source: inventory.dll.3.dr String found in binary or memory: https://docs.live-tst.net/skydocsservice.svc
Source: ProjectProCO365R_SubTest-ul-oob.xrm-ms.3.dr String found in binary or memory: https://go.mJ
Source: ProjectPro2021VL_MAK_AE1-ul-oob.xrm-ms.3.dr String found in binary or memory: https://go.mi
Source: O365HomePremR_SubTrial4-ul-oob.xrm-ms.3.dr String found in binary or memory: https://go.mic
Source: O365HomePremR_SubTrial5-ul-oob.xrm-ms.3.dr String found in binary or memory: https://go.micd1t
Source: Standard2021MSDNR_Retail-ul-oob.xrm-ms.3.dr String found in binary or memory: https://go.microso
Source: Publisher2021R_Trial-ul-oob.xrm-ms.3.dr String found in binary or memory: https://go.microsoft.c
Source: inventory.dll.3.dr String found in binary or memory: https://graph.microsoft.us
Source: inventory.dll.3.dr String found in binary or memory: https://graph.microsoft.uslogin.microsoftonline.ushttps://microsoftgraph.chinacloudapi.cnlogin.us3
Source: ProjectPro2021VL_KMS_Client_AE-ul-oob.xrm-ms.3.dr String found in binary or memory: https://licensing.mic
Source: SkypeforBusiness2019R_Trial-ppd.xrm-ms.3.dr String found in binary or memory: https://licensing.micro.
Source: Standard2019VL_KMS_Client_AE-ul-oob.xrm-ms.3.dr, O365ProPlusEDUR_Subscription-ul-oob.xrm-ms.3.dr String found in binary or memory: https://licensing.microso
Source: O365HomePremR_Subscription5-ul-oob.xrm-ms.3.dr String found in binary or memory: https://licensing.microsoft
Source: Access2019VL_KMS_Client_AE-ul-oob.xrm-ms.3.dr, ProjectPro2019DemoR_BypassTrial180-ppd.xrm-ms.3.dr String found in binary or memory: https://licensing.microsoft.c
Source: inventory.dll.3.dr String found in binary or memory: https://login.live.com/oauth20_authorize.srf
Source: inventory.dll.3.dr String found in binary or memory: https://login.live.com/oauth20_desktop.srf
Source: inventory.dll.3.dr String found in binary or memory: https://login.live.com/oauth20_token.srfhttps://8
Source: inventory.dll.3.dr String found in binary or memory: https://login.live.com00000000480728C5T
Source: inventory.dll.3.dr String found in binary or memory: https://login.mi7
Source: inventory.dll.3.dr String found in binary or memory: https://login.microsoftonline.com/common
Source: inventory.dll.3.dr String found in binary or memory: https://login.microsoftonline.com/commonSetAuthorityAttempted
Source: inventory.dll.3.dr String found in binary or memory: https://login.microsoftonline.de/common
Source: inventory.dll.3.dr String found in binary or memory: https://login.microsoftonline.de/commonmicrosoftonline.demicrosoftonline.mil3
Source: inventory.dll.3.dr String found in binary or memory: https://login.windows.localPath
Source: inventory.dll.3.dr String found in binary or memory: https://microsoftgraph.chinacloudapi.cn
Source: inventory.dll.3.dr String found in binary or memory: https://odc.officeapps.l=
Source: inventory.dll.3.dr String found in binary or memory: https://odc.officeapps.live.com/odc/emailhrd/getidp
Source: inventory.dll.3.dr String found in binary or memory: https://odc.officeapps.live.com/odc/emailhrd/getidp?domain=X-CorrelationIdX-Office-PlatformX-Officey
Source: inventory.dll.3.dr String found in binary or memory: https://profile.live.com/home
Source: inventory.dll.3.dr String found in binary or memory: https://substrate.office.com/profile/v1.0/me/profile
Source: inventory.dll.3.dr String found in binary or memory: https://substrate.office.com/profile/v1.0/me/profileaccountspassportMemberNamephonesphoneNumbername
Source: HkObDPju6Z.exe String found in binary or memory: https://www.flos-freeware.ch
Source: HkObDPju6Z.exe String found in binary or memory: https://www.flos-freeware.chopenmailto:florian.balmer
Source: HkObDPju6Z.exe String found in binary or memory: https://www.rizonesoft.com
Source: HkObDPju6Z.exe, HkObDPju6Z.exe, 0000000A.00000003.22756871962.00000000028F0000.00000004.00001000.00020000.00000000.sdmp, HkObDPju6Z.exe, 0000000A.00000002.22781985168.0000000002A40000.00000040.00001000.00020000.00000000.sdmp, HkObDPju6Z.exe, 0000000E.00000003.22839485707.0000000002980000.00000004.00001000.00020000.00000000.sdmp, HkObDPju6Z.exe, 0000000E.00000002.22856927512.0000000002A90000.00000040.00001000.00020000.00000000.sdmp, notepad.exe, 0000001E.00000002.27586886931.0000000003343000.00000004.00000020.00020000.00000000.sdmp, instructions_read_me.txt46.3.dr, instructions_read_me.txt51.3.dr, instructions_read_me.txt79.3.dr, instructions_read_me.txt78.3.dr, instructions_read_me.txt39.3.dr, instructions_read_me.txt13.3.dr, instructions_read_me.txt21.3.dr, instructions_read_me.txt38.3.dr, instructions_read_me.txt40.3.dr, instructions_read_me.txt15.3.dr, instructions_read_me.txt57.3.dr, instructions_read_me.txt71.3.dr, instructions_read_me.txt6.3.dr, instructions_read_me.txt69.3.dr, instructions_read_me.txt30.3.dr String found in binary or memory: https://www.torproject.org/

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 10_2_007EBE50 GetFileAttributesW,GetFileAttributesW,MessageBeep,DialogBoxIndirectParamW,LocalFree,ShellExecuteExW,GetShortPathNameW,StrCatBuffW,StrCatBuffW,StrCatBuffW,StrCatBuffW,lstrlenW,GlobalAlloc,GlobalLock,lstrcpyW,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,SendMessageW,SendMessageW,SendMessageW,StrRetToBufW,PathRemoveBackslashW,PathIsSameRootW,SetFocus,SendMessageW,SendMessageW,SendMessageW,SendMessageW,PostMessageW,GetFocus,GetDlgCtrlID,GetDlgItem,SetFocus,GetDlgItem,SetFocus,PathFileExistsW,lstrcpyW,StrRChrW,PathIsRootW,SetCurrentDirectoryW,SendMessageW,SendMessageW,lstrcpynW,MessageBeep,lstrcpynW,PathIsRootW,PathIsRootW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW, 10_2_007EBE50
Source: inventory.dll.3.dr Binary or memory string: RegisterRawInputDevices
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 10_2_007EBE50 GetFileAttributesW,GetFileAttributesW,MessageBeep,DialogBoxIndirectParamW,LocalFree,ShellExecuteExW,GetShortPathNameW,StrCatBuffW,StrCatBuffW,StrCatBuffW,StrCatBuffW,lstrlenW,GlobalAlloc,GlobalLock,lstrcpyW,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,SendMessageW,SendMessageW,SendMessageW,StrRetToBufW,PathRemoveBackslashW,PathIsSameRootW,SetFocus,SendMessageW,SendMessageW,SendMessageW,SendMessageW,PostMessageW,GetFocus,GetDlgCtrlID,GetDlgItem,SetFocus,GetDlgItem,SetFocus,PathFileExistsW,lstrcpyW,StrRChrW,PathIsRootW,SetCurrentDirectoryW,SendMessageW,SendMessageW,lstrcpynW,MessageBeep,lstrcpynW,PathIsRootW,PathIsRootW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW, 10_2_007EBE50

Spam, unwanted Advertisements and Ransom Demands

Source: Yara match File source: 10.3.HkObDPju6Z.exe.28f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.3.HkObDPju6Z.exe.2980000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.HkObDPju6Z.exe.2a90000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.HkObDPju6Z.exe.2a40000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.HkObDPju6Z.exe.2f20000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.HkObDPju6Z.exe.2a90000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.HkObDPju6Z.exe.2a40000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.3.HkObDPju6Z.exe.2980000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.3.HkObDPju6Z.exe.28f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.HkObDPju6Z.exe.2f20000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000003.22756871962.00000000028F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.27586886931.0000000003343000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.22575159083.0000000002F20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.22839485707.0000000002980000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.22856927512.0000000002A90000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.22781985168.0000000002A40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: HkObDPju6Z.exe PID: 332, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: HkObDPju6Z.exe PID: 1508, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: HkObDPju6Z.exe PID: 5560, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: notepad.exe PID: 1352, type: MEMORYSTR
Source: C:\instructions_read_me.txt Dropped file: ATTENTION!Your network has been breached and all data was encrypted. Please contact us at:https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/ Login ID: 26d371a9-efda-4e82-9989-01e292244d65*!* To access .onion websites download and install Tor Browser at: https://www.torproject.org/ (Tor Browser is not related to us)*!* To restore all your PCs and get your network working again, follow these instructions:- Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. It doesn't matter, who are trying to do this, either it will be your IT guys or a recovery agency.Please follow these simple rules to avoid data corruption:- Do not modify, rename or delete files. Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. - Do not hire a recovery company. They can't decrypt without the key. They also don't care about your business. They believe that they are good negotiators, but it is not. They usually fail. So speak for yourself.Waiting you in a chat. Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\vssadmin.exe C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\vssadmin.exe C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\vssadmin.exe C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\vssadmin.exe C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\vssadmin.exe C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\vssadmin.exe C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: C:\Users\user\Desktop\HkObDPju6Z.exe File dropped: C:\instructions_read_me.txt -> decrypt or rename the files will lead to its fatal corruption. it doesn't matter, who are trying to do this, either it will be your it guys or a recovery agency.please follow these simple rules to avoid data corruption:- do not modify, rename or delete files. any attempts to modify, decrypt or rename the files will lead to its fatal corruption. - do not hire a recovery company. they can't decrypt without the key. they also don't care about your business. they believe that they are good negotiators, but it is not. they usually fail. so speak for yourself.waiting you in a chat.
Source: C:\Users\user\Desktop\HkObDPju6Z.exe File dropped: C:\$WinREAgent\instructions_read_me.txt -> decrypt or rename the files will lead to its fatal corruption. it doesn't matter, who are trying to do this, either it will be your it guys or a recovery agency.please follow these simple rules to avoid data corruption:- do not modify, rename or delete files. any attempts to modify, decrypt or rename the files will lead to its fatal corruption. - do not hire a recovery company. they can't decrypt without the key. they also don't care about your business. they believe that they are good negotiators, but it is not. they usually fail. so speak for yourself.waiting you in a chat.
Source: C:\Users\user\Desktop\HkObDPju6Z.exe File dropped: C:\Intel\instructions_read_me.txt -> decrypt or rename the files will lead to its fatal corruption. it doesn't matter, who are trying to do this, either it will be your it guys or a recovery agency.please follow these simple rules to avoid data corruption:- do not modify, rename or delete files. any attempts to modify, decrypt or rename the files will lead to its fatal corruption. - do not hire a recovery company. they can't decrypt without the key. they also don't care about your business. they believe that they are good negotiators, but it is not. they usually fail. so speak for yourself.waiting you in a chat.
Source: C:\Users\user\Desktop\HkObDPju6Z.exe File dropped: C:\PerfLogs\instructions_read_me.txt -> decrypt or rename the files will lead to its fatal corruption. it doesn't matter, who are trying to do this, either it will be your it guys or a recovery agency.please follow these simple rules to avoid data corruption:- do not modify, rename or delete files. any attempts to modify, decrypt or rename the files will lead to its fatal corruption. - do not hire a recovery company. they can't decrypt without the key. they also don't care about your business. they believe that they are good negotiators, but it is not. they usually fail. so speak for yourself.waiting you in a chat.
Source: C:\Users\user\Desktop\HkObDPju6Z.exe File dropped: C:\Program Files\instructions_read_me.txt -> decrypt or rename the files will lead to its fatal corruption. it doesn't matter, who are trying to do this, either it will be your it guys or a recovery agency.please follow these simple rules to avoid data corruption:- do not modify, rename or delete files. any attempts to modify, decrypt or rename the files will lead to its fatal corruption. - do not hire a recovery company. they can't decrypt without the key. they also don't care about your business. they believe that they are good negotiators, but it is not. they usually fail. so speak for yourself.waiting you in a chat.
Source: C:\Users\user\Desktop\HkObDPju6Z.exe File dropped: C:\Program Files (x86)\instructions_read_me.txt -> decrypt or rename the files will lead to its fatal corruption. it doesn't matter, who are trying to do this, either it will be your it guys or a recovery agency.please follow these simple rules to avoid data corruption:- do not modify, rename or delete files. any attempts to modify, decrypt or rename the files will lead to its fatal corruption. - do not hire a recovery company. they can't decrypt without the key. they also don't care about your business. they believe that they are good negotiators, but it is not. they usually fail. so speak for yourself.waiting you in a chat.
Source: C:\Users\user\Desktop\HkObDPju6Z.exe File dropped: C:\ProgramData\instructions_read_me.txt -> decrypt or rename the files will lead to its fatal corruption. it doesn't matter, who are trying to do this, either it will be your it guys or a recovery agency.please follow these simple rules to avoid data corruption:- do not modify, rename or delete files. any attempts to modify, decrypt or rename the files will lead to its fatal corruption. - do not hire a recovery company. they can't decrypt without the key. they also don't care about your business. they believe that they are good negotiators, but it is not. they usually fail. so speak for yourself.waiting you in a chat.
Source: C:\Users\user\Desktop\HkObDPju6Z.exe File dropped: C:\Users\instructions_read_me.txt -> decrypt or rename the files will lead to its fatal corruption. it doesn't matter, who are trying to do this, either it will be your it guys or a recovery agency.please follow these simple rules to avoid data corruption:- do not modify, rename or delete files. any attempts to modify, decrypt or rename the files will lead to its fatal corruption. - do not hire a recovery company. they can't decrypt without the key. they also don't care about your business. they believe that they are good negotiators, but it is not. they usually fail. so speak for yourself.waiting you in a chat.
Source: C:\Users\user\Desktop\HkObDPju6Z.exe File dropped: C:\$WinREAgent\Scratch\instructions_read_me.txt -> decrypt or rename the files will lead to its fatal corruption. it doesn't matter, who are trying to do this, either it will be your it guys or a recovery agency.please follow these simple rules to avoid data corruption:- do not modify, rename or delete files. any attempts to modify, decrypt or rename the files will lead to its fatal corruption. - do not hire a recovery company. they can't decrypt without the key. they also don't care about your business. they believe that they are good negotiators, but it is not. they usually fail. so speak for yourself.waiting you in a chat.
Source: C:\Users\user\Desktop\HkObDPju6Z.exe File dropped: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\instructions_read_me.txt -> decrypt or rename the files will lead to its fatal corruption. it doesn't matter, who are trying to do this, either it will be your it guys or a recovery agency.please follow these simple rules to avoid data corruption:- do not modify, rename or delete files. any attempts to modify, decrypt or rename the files will lead to its fatal corruption. - do not hire a recovery company. they can't decrypt without the key. they also don't care about your business. they believe that they are good negotiators, but it is not. they usually fail. so speak for yourself.waiting you in a chat.
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\vssadmin.exe C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\vssadmin.exe C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\vssadmin.exe C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: HkObDPju6Z.exe, 00000003.00000003.22575159083.0000000002F20000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: HkObDPju6Z.exe, 00000003.00000003.22575159083.0000000002F20000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: @xh.7878kr5jxC:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet4
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\vssadmin.exe C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: cmd.exe, 00000005.00000003.22578239684.0000000002BFF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ndows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: cmd.exe, 00000005.00000002.22583742097.0000000002B90000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Users\user\Desktop\C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quietC:\Windows\system32\cmd.exeWinsta0\Default@
Source: cmd.exe, 00000005.00000002.22583742097.0000000002B90000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Users\user\Desktop\C:\Windows\system32\vssadmin.exexeC:\Windows\SysNative\vssadmin.exe delete shadows /all /quietnsC:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet=CWinsta0\DefaultpDa=::=::\ALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\A\Registry\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\SideBySideiersC:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=computerComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\computerNUMBER_OF_PROCESSORS=16OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 158 Stepping 13, GenuineIn\Regi\Registry\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\SideBySide:\Program Fi5
Source: cmd.exe, 00000005.00000002.22584071859.0000000003060000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Windows\system32\cmd.exe/cC:\Windows\SysNative\vssadmin.exedeleteshadows/all/quietUSER
Source: cmd.exe, 00000005.00000002.22584071859.0000000003060000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: indows\system32\cmd.exe c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: cmd.exe, 00000005.00000002.22583794298.0000000002BF0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Users\user\Desktop\C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quietC:\Windows\system32\cmd.exeWinsta0\Default@
Source: cmd.exe, 00000005.00000002.22583794298.0000000002BF0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: cmd.exe, 00000005.00000002.22583794298.0000000002BF0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quietxJ
Source: cmd.exe, 00000005.00000002.22583794298.0000000002BF0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: cmd.exe, 00000005.00000002.22583794298.0000000002BF0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet=J
Source: vssadmin.exe, 00000007.00000002.22582396603.000002558A8A0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Users\user\Desktop\C:\Windows\system32\vssadmin.exeC:\Windows\SysNative\vssadmin.exe delete shadows /all /quietC:\Windows\SysNative\vssadmin.exe delete shadows /all /quietWinsta0\DefaultZ
Source: vssadmin.exe, 00000007.00000002.22582396603.000002558A8A0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: vssadmin.exe, 00000007.00000002.22582924443.000002558AB45000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Windows\SysNative\vssadmin.exedeleteshadows/all/quietl[T
Source: HkObDPju6Z.exe Binary or memory string: C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: HkObDPju6Z.exe, 0000000A.00000003.22756871962.00000000028F0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: HkObDPju6Z.exe, 0000000A.00000003.22756871962.00000000028F0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: @xh.7878kr5jxC:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet4
Source: HkObDPju6Z.exe, 0000000A.00000002.22778769878.0000000000A88000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ws\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: HkObDPju6Z.exe, 0000000A.00000002.22778769878.0000000000A88000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ws\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quietqIZ
Source: HkObDPju6Z.exe, 0000000A.00000002.22778769878.0000000000A88000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: indows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quietVHR
Source: HkObDPju6Z.exe, 0000000A.00000002.22772911645.00000000005E0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Users\user\Desktop\C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quietC:\Windows\system32\cmd.exeWinsta0\Default@
Source: HkObDPju6Z.exe, 0000000A.00000002.22781985168.0000000002A40000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: HkObDPju6Z.exe, 0000000A.00000002.22781985168.0000000002A40000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: xh.7878kr5jxC:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet4
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\vssadmin.exe C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: cmd.exe, 0000000B.00000002.22769798953.0000000002E50000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Users\user\Desktop\C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quietC:\Windows\system32\cmd.exeWinsta0\Default@
Source: cmd.exe, 0000000B.00000002.22769798953.0000000002E50000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: cmd.exe, 0000000B.00000002.22769798953.0000000002E50000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: cmd.exe, 0000000B.00000002.22769798953.0000000002E50000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: cmd.exe, 0000000B.00000002.22771243764.00000000034B0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Windows\system32\cmd.exe/cC:\Windows\SysNative\vssadmin.exedeleteshadows/all/quietUSERA
Source: cmd.exe, 0000000B.00000002.22771243764.00000000034B0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: indows\system32\cmd.exe c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: cmd.exe, 0000000B.00000002.22770295956.0000000002F60000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Users\user\Desktop\C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quietC:\Windows\system32\cmd.exeWinsta0\Default@
Source: cmd.exe, 0000000B.00000002.22770295956.0000000002F60000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Users\user\Desktop\C:\Windows\system32\vssadmin.exexeC:\Windows\SysNative\vssadmin.exe delete shadows /all /quietnsC:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet=CWinsta0\DefaultpDa=::=::\ALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\A\Registry\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\SideBySideiersC:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=computerComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\computerNUMBER_OF_PROCESSORS=16OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 158 Stepping 13, GenuineIn\Regi\Registry\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\SideBySide:\Program Fi5
Source: vssadmin.exe, 0000000D.00000002.22767624761.0000021C52477000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: - Code: ADMPROCC00001737- Call: ADMPROCC00001712- PID: 00004644- TID: 00003096- CMD: C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet - User: Name: computer\user, SID:S-1-5-21-3425316567-2969588382-3778222414-1001
Source: vssadmin.exe, 0000000D.00000002.22768372963.0000021C52695000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Windows\SysNative\vssadmin.exedeleteshadows/all/quiet
Source: vssadmin.exe, 0000000D.00000002.22767624761.0000021C52470000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Users\user\Desktop\C:\Windows\system32\vssadmin.exeC:\Windows\SysNative\vssadmin.exe delete shadows /all /quietC:\Windows\SysNative\vssadmin.exe delete shadows /all /quietWinsta0\Default\
Source: vssadmin.exe, 0000000D.00000002.22767624761.0000021C52470000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: HkObDPju6Z.exe, 0000000E.00000002.22855289387.0000000000AA8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ws\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: HkObDPju6Z.exe, 0000000E.00000002.22855289387.0000000000AA8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: indows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet8D[
Source: HkObDPju6Z.exe, 0000000E.00000003.22839485707.0000000002980000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: HkObDPju6Z.exe, 0000000E.00000003.22839485707.0000000002980000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: @xh.7878kr5jxC:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet4
Source: HkObDPju6Z.exe, 0000000E.00000002.22852179285.0000000000740000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Users\user\Desktop\C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quietC:\Windows\system32\cmd.exeWinsta0\Default@
Source: HkObDPju6Z.exe, 0000000E.00000002.22856927512.0000000002A90000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: HkObDPju6Z.exe, 0000000E.00000002.22856927512.0000000002A90000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: xh.7878kr5jxC:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet4
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\vssadmin.exe C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: cmd.exe, 0000000F.00000002.22850487846.0000000002D10000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Users\user\Desktop\C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quietC:\Windows\system32\cmd.exeWinsta0\Default@
Source: cmd.exe, 0000000F.00000002.22850487846.0000000002D10000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Users\user\Desktop\C:\Windows\system32\vssadmin.exexeC:\Windows\SysNative\vssadmin.exe delete shadows /all /quietnsC:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet=CWinsta0\DefaultpDa=::=::\ALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\A\Registry\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\SideBySideiersC:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=computerComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\computerNUMBER_OF_PROCESSORS=16OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 158 Stepping 13, GenuineIn\Regi\Registry\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\SideBySide:\Program Fi5
Source: cmd.exe, 0000000F.00000002.22850628903.0000000002DA0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Users\user\Desktop\C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quietC:\Windows\system32\cmd.exeWinsta0\Default@
Source: cmd.exe, 0000000F.00000002.22850628903.0000000002DA0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: cmd.exe, 0000000F.00000002.22850628903.0000000002DA0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: cmd.exe, 0000000F.00000002.22850628903.0000000002DA0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Windows\SysNative\vssadmin.exe delete shadows /all /quietV3
Source: cmd.exe, 0000000F.00000002.22851185178.0000000003270000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Windows\system32\cmd.exe/cC:\Windows\SysNative\vssadmin.exedeleteshadows/all/quietUSER
Source: cmd.exe, 0000000F.00000002.22851185178.0000000003270000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: indows\system32\cmd.exe c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: vssadmin.exe, 00000011.00000002.22848700588.000001451D255000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Windows\SysNative\vssadmin.exedeleteshadows/all/quiet
Source: vssadmin.exe, 00000011.00000002.22847867711.000001451D085000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: - Code: ADMPROCC00001737- Call: ADMPROCC00001712- PID: 00008264- TID: 00006180- CMD: C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet - User: Name: computer\user, SID:S-1-5-21-3425316567-2969588382-3778222414-1001
Source: vssadmin.exe, 00000011.00000002.22847867711.000001451D085000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: - Code: ADMPROCC00001737- Call: ADMPROCC00001712- PID: 00008264- TID: 00006180- CMD: C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet - User: Name: computer\user, SID:S-1-5-21-3425316567-2969588382-3778222414-1001 1
Source: vssadmin.exe, 00000011.00000002.22847867711.000001451D050000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Users\user\Desktop\C:\Windows\system32\vssadmin.exeC:\Windows\SysNative\vssadmin.exe delete shadows /all /quietC:\Windows\SysNative\vssadmin.exe delete shadows /all /quietWinsta0\Default2
Source: vssadmin.exe, 00000011.00000002.22847867711.000001451D050000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: vssadmin.exe, 00000011.00000002.22847867711.000001451D050000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Windows\SysNative\vssadmin.exe delete shadows /all /quietv
Source: HkObDPju6Z.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 10_2_007D4B90 10_2_007D4B90
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 10_2_0081A184 10_2_0081A184
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 10_2_00804150 10_2_00804150
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 10_2_008182A6 10_2_008182A6
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 10_2_00804590 10_2_00804590
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 10_2_0081A5A5 10_2_0081A5A5
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 10_2_008485C0 10_2_008485C0
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 10_2_008185EE 10_2_008185EE
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 10_2_007EA800 10_2_007EA800
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 10_2_0081A9D5 10_2_0081A9D5
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 10_2_00818945 10_2_00818945
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 10_2_00818C8D 10_2_00818C8D
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 10_2_00830EC2 10_2_00830EC2
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 10_2_007E8FD0 10_2_007E8FD0
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 10_2_0081901B 10_2_0081901B
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 10_2_0080107A 10_2_0080107A
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 10_2_008193B8 10_2_008193B8
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 10_2_00819746 10_2_00819746
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 10_2_007F9931 10_2_007F9931
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 10_2_00819AAB 10_2_00819AAB
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 10_2_0083BAE1 10_2_0083BAE1
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 10_2_00803BD0 10_2_00803BD0
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 10_2_00801B51 10_2_00801B51
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 10_2_0083FDBC 10_2_0083FDBC
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 10_2_007F7DE3 10_2_007F7DE3
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 10_2_00819E1F 10_2_00819E1F
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 10_2_02A4CB30 10_2_02A4CB30
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 10_2_02A435D0 10_2_02A435D0
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 10_2_02AC020C 10_2_02AC020C
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 10_2_02AD6219 10_2_02AD6219
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 10_2_02A88030 10_2_02A88030
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 10_2_02A4E181 10_2_02A4E181
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 10_2_02A6A190 10_2_02A6A190
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 10_2_02A9A110 10_2_02A9A110
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 10_2_02AD06BC 10_2_02AD06BC
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 10_2_02A826E0 10_2_02A826E0
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 10_2_02A9A610 10_2_02A9A610
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 10_2_02A4C4FE 10_2_02A4C4FE
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 10_2_02A90450 10_2_02A90450
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 10_2_02AC059A 10_2_02AC059A
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: String function: 007F3DA0 appears 64 times
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: String function: 00835B17 appears 36 times
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: String function: 00833118 appears 54 times
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Process Stats: CPU usage > 98%
Source: HkObDPju6Z.exe, 00000003.00000000.22535515296.00000000008EE000.00000002.00000001.01000000.00000004.sdmp Binary or memory string: OriginalFilenameminipath.exeD vs HkObDPju6Z.exe
Source: HkObDPju6Z.exe, 0000000A.00000000.22714777048.00000000008EE000.00000002.00000001.01000000.00000004.sdmp Binary or memory string: OriginalFilenameminipath.exeD vs HkObDPju6Z.exe
Source: HkObDPju6Z.exe, 0000000E.00000002.22854546352.00000000008EE000.00000002.00000001.01000000.00000004.sdmp Binary or memory string: OriginalFilenameminipath.exeD vs HkObDPju6Z.exe
Source: HkObDPju6Z.exe Binary or memory string: OriginalFilenameminipath.exeD vs HkObDPju6Z.exe
Source: C:\Windows\System32\vssadmin.exe Section loaded: edgegdi.dll
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Section loaded: edgegdi.dll
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Section loaded: fdgmnfmfhdfgsndhfd.dll
Source: C:\Windows\System32\vssadmin.exe Section loaded: edgegdi.dll
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Section loaded: edgegdi.dll
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Section loaded: fdgmnfmfhdfgsndhfd.dll
Source: C:\Windows\System32\vssadmin.exe Section loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\notepad.exe Section loaded: edgegdi.dll
Source: HkObDPju6Z.exe ReversingLabs: Detection: 59%
Source: HkObDPju6Z.exe Virustotal: Detection: 69%
Source: C:\Windows\System32\vssadmin.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\HkObDPju6Z.exe C:\Users\user\Desktop\HkObDPju6Z.exe
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\vssadmin.exe C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: unknown Process created: C:\Users\user\Desktop\HkObDPju6Z.exe "C:\Users\user\Desktop\HkObDPju6Z.exe"
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c start /MAX notepad.exe c:\instructions_read_me.txt
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\notepad.exe notepad.exe c:\instructions_read_me.txt
Source: C:\Windows\System32\vssadmin.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F2C2787D-95AB-40D4-942D-298F5F757874}\InProcServer32
Source: C:\Users\user\Desktop\HkObDPju6Z.exe File created: C:\Users\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe File created: C:\Users\user\AppData\Local\Temp\fkdjsadasd.ico
Source: classification engine Classification label: mal88.rans.spyw.evad.winEXE@21/1025@0/0
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 10_2_007E6080 CoCreateInstance,lstrcpyW,ExpandEnvironmentStringsW,lstrcpynW, 10_2_007E6080
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 10_2_007E2F30 GetLastError,FormatMessageW,lstrlenW,lstrlenW,lstrlenW,LocalAlloc,LocalFree,GetFocus,MessageBoxExW,LocalFree,LocalFree, 10_2_007E2F30
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2452:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7328:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7328:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4152:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2280:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2280:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4152:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2452:304:WilStaging_02
Source: C:\Windows\SysWOW64\notepad.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1352:168:WilStaging_02
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 10_2_007F132D LoadResource, 10_2_007F132D
Source: C:\Users\user\Desktop\HkObDPju6Z.exe File created: C:\Program Files\instructions_read_me.txt
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Command line argument: *.* 10_2_007E8650
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Command line argument: TaskbarCreated 10_2_007E8650
Source: Window Recorder Window detected: More than 3 window changes detected
Source: HkObDPju6Z.exe Static file information: File size 1489920 > 1048576
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Mozilla Firefox\defaults\pref\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\ux\resources\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\PCHealthCheck\ux\static\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Realtek\Audio\HDA\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Reference Assemblies\Microsoft\Framework\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Windows NT\Accessories\en-US\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Windows NT\TableTextService\en-US\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Windows Security\BrowserCore\en-US\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\WindowsPowerShell\Modules\PackageManagement\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\WindowsPowerShell\Modules\Pester\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\WindowsPowerShell\Modules\PSReadline\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\ar-SA\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\bg-BG\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\da-DK\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\de-DE\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\el-GR\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\en-GB\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\en-US\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\es-ES\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\es-MX\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\et-EE\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\fi-FI\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\fr-CA\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\fr-FR\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\he-IL\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\hr-HR\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\hu-HU\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\it-IT\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\ja-JP\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\ko-KR\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\lt-LT\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\lv-LV\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\nb-NO\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\nl-NL\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\pl-PL\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\pt-BR\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\pt-PT\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\ro-RO\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\ru-RU\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\sk-SK\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\sl-SI\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\sv-SE\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\th-TH\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\tr-TR\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\uk-UA\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\zh-CN\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\ink\zh-TW\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\MSInfo\en-GB\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\TextConv\en-US\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\Triedit\en-US\instructions_read_me.txt Jump to behavior
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Directory created: C:\Program Files\Common Files\microsoft shared\VSTO\10.0\instructions_read_me.txt Jump to behavior
Source: HkObDPju6Z.exe Static PE information: section name: RT_CURSOR
Source: HkObDPju6Z.exe Static PE information: section name: RT_BITMAP
Source: HkObDPju6Z.exe Static PE information: section name: RT_ICON
Source: HkObDPju6Z.exe Static PE information: section name: RT_MENU
Source: HkObDPju6Z.exe Static PE information: section name: RT_DIALOG
Source: HkObDPju6Z.exe Static PE information: section name: RT_STRING
Source: HkObDPju6Z.exe Static PE information: section name: RT_ACCELERATOR
Source: HkObDPju6Z.exe Static PE information: section name: RT_GROUP_ICON
Source: HkObDPju6Z.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: HkObDPju6Z.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: E:\cpp\calc\Bin\Release_x86_v143\minipath.pdb source: HkObDPju6Z.exe
Source: Binary string: rocess-l1-1-0.pdb source: api-ms-win-crt-process-l1-1-0.dll.3.dr
Source: Binary string: K0S\ship\lobiclient\x-none\EntityPicker.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000{ source: EntityPicker.dll.3.dr
Source: Binary string: d:\dbs\el\may\target\x64\ship\osm\x-none\MSBARCODE.pdb0000000000000 source: MSBARCODE.DLL.3.dr
Source: Binary string: D:\Extra\react\chakradbg\arm64\build\bin\x64\Release\ChakraCore.Debugger.pdbBB"! source: ChakraCore.Debugger.dll.3.dr
Source: Binary string: G0.pdb source: api-ms-win-core-xstate-l2-1-0.dll.3.dr
Source: Binary string: d:\dbs\el\may\target\x64\ship\osm\x-none\MSBARCODE.pdb source: MSBARCODE.DLL.3.dr
Source: Binary string: ;\ship\intldate\x-none\IntlDate.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 source: INTLDATE.DLL.3.dr
Source: Binary string: ;\ship\intldate\x-none\IntlDate.pdb source: INTLDATE.DLL.3.dr
Source: Binary string: S\ship\lobiclient\x-none\EntityPicker.pdb source: EntityPicker.dll.3.dr
Source: Binary string: d:\dbs\el\jul\target\x64\ship\click2run\x-none\Interceptor.pdb source: Interceptor.dll.3.dr
Source: Binary string: d:\dbs\el\jul\target\x64\ship\click2run\x-none\Interceptor.pdb0000000000000000000000000000000000000 source: Interceptor.dll.3.dr
Source: Binary string: D:\Extra\react\chakradbg\arm64\build\bin\x64\Release\ChakraCore.Debugger.pdb source: ChakraCore.Debugger.dll.3.dr
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 3_3_0107D3A8 pushad ; iretd 3_3_0107D3C9
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 3_3_0107CF3E pushad ; iretd 3_3_0107CF6D
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 3_3_01077FD8 pushad ; retf 3_3_010783E1
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 3_3_0107ABF2 push ds; retf 3_3_0107ABF3
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 10_2_007EA240 CreateWindowExW,LoadLibraryW,GetProcAddress,FreeLibrary,GetWindowLongW,SetWindowLongW,SetWindowPos,SendMessageW,SendMessageW,#410,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetSystemMetrics,CreateWindowExW,SendMessageW,SendMessageW,SHGetFileInfoW,SendMessageW,SendMessageW,SendMessageW,DragAcceptFiles,SendMessageW,SendMessageW,GetSystemMenu,DeleteMenu,DeleteMenu,DeleteMenu,GetMenuItemInfoW,SetMenuItemInfoW,LoadStringW,LoadStringW,LoadStringW,InsertMenuW,InsertMenuW,LoadStringW,LoadStringW,InsertMenuW,InsertMenuW, 10_2_007EA240
Source: initial sample Static PE information: section name: .data entropy: 7.357984406581138
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 10_2_007EFF10 GetSysColor,EnumWindows,IsWindowEnabled,IsIconic,ShowWindowAsync,IsWindowVisible,SendMessageW,SendMessageW,SendMessageW,SetForegroundWindow,GlobalSize,PathIsRelativeW,GetCurrentDirectoryW,PathAppendW,lstrcpyW,GlobalSize,SendMessageW,GlobalFree,LoadStringW,LoadStringW,LoadStringW,StrChrW,MessageBoxW, 10_2_007EFF10
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 10_2_007F04A0 lstrcpyW,lstrcpyW,EnumWindows,IsWindowEnabled,IsIconic,ShowWindowAsync,SetForegroundWindow,lstrlenW,GlobalAlloc,GlobalLock,lstrcpyW,GlobalUnlock,PostMessageW,StrChrW,MessageBoxW,GetShortPathNameW,StrCatBuffW,StrCpyNW,StrCatBuffW,StrCatBuffW,lstrcpyW,ShellExecuteExW,lstrcpynW,wsprintfW,DdeInitializeW,DdeCreateStringHandleW,DdeCreateStringHandleW,DdeCreateStringHandleW,DdeFreeStringHandle,DdeConnect,lstrlenW,DdeClientTransaction,DdeDisconnect,DdeFreeStringHandle,DdeFreeStringHandle,DdeFreeStringHandle,DdeUninitialize,GetShortPathNameW,StrCatBuffW,StrCpyNW,StrCatBuffW,StrCatBuffW,lstrcpyW,ExpandEnvironmentStringsW,lstrcpynW,ShellExecuteExW,DialogBoxIndirectParamW,LocalFree, 10_2_007F04A0
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 10_2_007F0AF0 lstrcpyW,EnumWindows,IsIconic,IsZoomed,SendMessageW,SetForegroundWindow,SetForegroundWindow,BringWindowToTop,SetForegroundWindow,GetSystemMetrics,GetWindowRect,GetWindowRect,GetWindowRect,EqualRect,SystemParametersInfoW,DrawAnimatedRects,SetWindowPos, 10_2_007F0AF0
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 10_2_007E8FD0 SetTimer,KillTimer,FindCloseChangeNotification,GetWindowPlacement,DragAcceptFiles,LocalFree,LocalFree,PostQuitMessage,DefWindowProcW,SendMessageW,DefWindowProcW,WaitForSingleObject,FindNextChangeNotification,SendMessageW,SetWindowPos,SetWindowPos,DefWindowProcW,ShowOwnedPopups,ShowOwnedPopups,SystemParametersInfoW,GetWindowRect,DrawAnimatedRects,ShowWindow,SetBkColor,SetTextColor,SendMessageW,SetWindowPos,RedrawWindow,IsIconic,ShowWindow,DragQueryFileW,DragQueryFileW,DragQueryFileW,DragFinish,GetWindowLongW,GetWindowLongW,GetWindowLongW,SetWindowLongW,SetWindowPos,SendMessageW,SendMessageW,SendMessageW,DestroyWindow,DestroyWindow,DestroyWindow,DestroyWindow,GetClientRect,SendMessageW,SendMessageW,UpdateWindow,IsWindowVisible,LoadMenuW,GetSubMenu,SetForegroundWindow,GetCursorPos,SetMenuDefaultItem,TrackPopupMenu,PostMessageW,DestroyMenu,PostMessageW,ShowOwnedPopups, 10_2_007E8FD0
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 10_2_007ED9AB lstrcpyW,EnumWindows,IsIconic,IsZoomed,SendMessageW,SetForegroundWindow,SetForegroundWindow,BringWindowToTop,SetForegroundWindow,GetSystemMetrics,GetWindowRect,GetWindowRect,GetWindowRect,EqualRect,SystemParametersInfoW,DrawAnimatedRects,SetWindowPos, 10_2_007ED9AB
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 10_2_02A9E195 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 10_2_02A9E195
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\notepad.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\notepad.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\HkObDPju6Z.exe API coverage: 4.0 %
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 10_2_007F2503 VirtualQuery,GetSystemInfo, 10_2_007F2503
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 10_2_0083605C FindFirstFileExW, 10_2_0083605C
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 10_2_007EE3D0 PathCompactPathExW,LoadStringW,LoadStringW,LoadStringW,SendMessageW,GetParent,DoDragDrop,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SHGetDataFromIDListW,FindFirstFileW,FindClose,StrFormatByteSizeW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetDateFormatW,GetTimeFormatW,lstrcpyW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,wsprintfW,SendMessageW,wsprintfW,lstrcmpW,SendMessageW,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree,StrRetToBufW,StrRetToBufW,StrRetToBufW,SHGetFileInfoW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,lstrcmpW, 10_2_007EE3D0
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 10_2_00836446 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 10_2_00836446
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 10_2_02A4CB30 FindFirstFileW,lstrcmpW,FindNextFileW,GetLastError,FindClose,GetTempPathW,RegCreateKeyExW,GetTickCount, 10_2_02A4CB30
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 10_2_02AD8642 FindFirstFileExW, 10_2_02AD8642
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 10_2_02A4C4FE FindFirstFileW,lstrcmpW,FindNextFileW,GetLastError,FindClose, 10_2_02A4C4FE
Source: HkObDPju6Z.exe, 0000000A.00000002.22778769878.0000000000A88000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vboxtray.exeUsers\
Source: HkObDPju6Z.exe, 0000000E.00000002.22855289387.0000000000AA8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vboxservice
Source: HkObDPju6Z.exe, 0000000E.00000002.22855289387.0000000000AA8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vboxservicek
Source: HkObDPju6Z.exe, 0000000E.00000002.22855289387.0000000000AA8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vboxtray.exees(
Source: HkObDPju6Z.exe, 0000000E.00000002.22855289387.0000000000AA8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vboxservice.exe
Source: HkObDPju6Z.exe, 0000000A.00000002.22778769878.0000000000A88000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vboxserviceGW
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 10_2_00820E7D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 10_2_00820E7D
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 10_2_007EA240 CreateWindowExW,LoadLibraryW,GetProcAddress,FreeLibrary,GetWindowLongW,SetWindowLongW,SetWindowPos,SendMessageW,SendMessageW,#410,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetSystemMetrics,CreateWindowExW,SendMessageW,SendMessageW,SHGetFileInfoW,SendMessageW,SendMessageW,SendMessageW,DragAcceptFiles,SendMessageW,SendMessageW,GetSystemMenu,DeleteMenu,DeleteMenu,DeleteMenu,GetMenuItemInfoW,SetMenuItemInfoW,LoadStringW,LoadStringW,LoadStringW,InsertMenuW,InsertMenuW,LoadStringW,LoadStringW,InsertMenuW,InsertMenuW, 10_2_007EA240
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 10_2_0083897F GetProcessHeap, 10_2_0083897F
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 10_2_0082A542 mov ecx, dword ptr fs:[00000030h] 10_2_0082A542
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 10_2_00833B9D mov eax, dword ptr fs:[00000030h] 10_2_00833B9D
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 10_2_00833BE0 mov eax, dword ptr fs:[00000030h] 10_2_00833BE0
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 10_2_00833C23 mov eax, dword ptr fs:[00000030h] 10_2_00833C23
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 10_2_00833C7E mov eax, dword ptr fs:[00000030h] 10_2_00833C7E
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 10_2_00833D88 mov eax, dword ptr fs:[00000030h] 10_2_00833D88
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 10_2_00833DCC mov eax, dword ptr fs:[00000030h] 10_2_00833DCC
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 10_2_00833DFD mov eax, dword ptr fs:[00000030h] 10_2_00833DFD
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 10_2_00833D44 mov eax, dword ptr fs:[00000030h] 10_2_00833D44
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 10_2_00820E7D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 10_2_00820E7D
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 10_2_007F3225 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 10_2_007F3225
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 10_2_007F39B3 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 10_2_007F39B3
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 10_2_007F3B49 SetUnhandledExceptionFilter, 10_2_007F3B49
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 10_2_02AB23C5 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 10_2_02AB23C5
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 10_2_02AB25C2 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 10_2_02AB25C2
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\vssadmin.exe C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\vssadmin.exe C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\vssadmin.exe C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\notepad.exe notepad.exe c:\instructions_read_me.txt
Source: HkObDPju6Z.exe Binary or memory string: Shell_TrayWnd
Source: HkObDPju6Z.exe Binary or memory string: MAuxtheme.dllIsAppThemed - []\]%i %i%CSIDL:MYDOCUMENTS%.lnk"...%1%.2i"%s"Segoe UIMicrosoft JhengHei UIMicrosoft YaHei UIYu Gothic UIMalgun GothicWINDOWSTYLE;WINDOWShell_TrayWndTrayNotifyWndaf-ZA be-BY de-DE el-GR en-GB en-US es-ES es-MX fr-FR hi-IN hu-HU id-ID it-IT ja-JP ko-KR nl-NL pl-PL pt-BR pt-PT ru-RU sk-SK sv-SE tr-TR vi-VN zh-CN zh-TWTaskbarCreatedfdgmnfmfhdfgsndhfdMinPathNotepad3...AutoRefreshRateSysListView32ComboBoxEx32ToolbarWindow32Toolbar Labels%02i(none)msctls_statusbar32ReBarWindow32Toolbar -f0 -n -p %i,%i,%i,%iok\A-RHS%s | %s %s | %s%u-/%i,%i,%i,%iNotepad3.exe
Source: HkObDPju6Z.exe, 00000003.00000000.22534600236.000000000084E000.00000002.00000001.01000000.00000004.sdmp, HkObDPju6Z.exe, 0000000A.00000000.22713856029.000000000084E000.00000002.00000001.01000000.00000004.sdmp, HkObDPju6Z.exe, 0000000A.00000002.22774896316.000000000084E000.00000002.00000001.01000000.00000004.sdmp Binary or memory string: M~uxtheme.dllIsAppThemed - []\]%i %i%CSIDL:MYDOCUMENTS%.lnk"...%1%.2i"%s"Segoe UIMicrosoft JhengHei UIMicrosoft YaHei UIYu Gothic UIMalgun GothicWINDOWSTYLE;WINDOWShell_TrayWndTrayNotifyWndaf-ZA be-BY de-DE el-GR en-GB en-US es-ES es-MX fr-FR hi-IN hu-HU id-ID it-IT ja-JP ko-KR nl-NL pl-PL pt-BR pt-PT ru-RU sk-SK sv-SE tr-TR vi-VN zh-CN zh-TWTaskbarCreatedfdgmnfmfhdfgsndhfdMinPathNotepad3...AutoRefreshRateSysListView32ComboBoxEx32ToolbarWindow32Toolbar Labels%02i(none)msctls_statusbar32ReBarWindow32Toolbar -f0 -n -p %i,%i,%i,%iok\A-RHS%s | %s %s | %s%u-/%i,%i,%i,%iNotepad3.exe
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\notepad.exe Queries volume information: C:\instructions_read_me.txt VolumeInformation
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: GetACP,IsValidCodePage,GetLocaleInfoW, 10_2_0083C076
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: EnumSystemLocalesW, 10_2_0083C381
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: EnumSystemLocalesW, 10_2_0083C318
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: ResolveLocaleName,GetLocaleInfoEx, 10_2_007E8460
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 10_2_0083C4A7
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: GetUserPreferredUILanguages,GetUserPreferredUILanguages,LocalAlloc,GetUserPreferredUILanguages,LocalFree,GetLocaleInfoEx, 10_2_007E84F0
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: EnumSystemLocalesW, 10_2_0083C41C
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: GetLocaleInfoW, 10_2_0083C6FA
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: GetLocaleInfoEx,SendMessageW,lstrlenW,ResetEvent,lstrlenW,CharPrevW,lstrlenW,CharPrevW,lstrlenW, 10_2_007E66E0
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 10_2_0083C823
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 10_2_0083C9F8
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: GetLocaleInfoW, 10_2_0083C929
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: EnumSystemLocalesW, 10_2_00832B14
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: EnumSystemLocalesW, 10_2_00832CA5
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: EnumSystemLocalesW, 10_2_00832C73
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: GetLocaleInfoW, 10_2_007F0EC9
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: LCIDToLocaleName,GetLocaleInfoEx, 10_2_007F114B
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: GetLocaleInfoW, 10_2_008335D2
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: GetLocaleInfoW, 10_2_02ADC284
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 10_2_02ADC353
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: GetLocaleInfoW, 10_2_02ADC055
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 10_2_02ADC17E
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 10_2_007F3BB6 cpuid 10_2_007F3BB6
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 10_2_00833611 GetSystemTimeAsFileTime, 10_2_00833611
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 10_2_02AD8178 GetTimeZoneInformation, 10_2_02AD8178
Source: C:\Users\user\Desktop\HkObDPju6Z.exe Code function: 10_2_007E8650 GetVersion,SetErrorMode,GetSysColor,GetSysColor,GetSysColor,GetSysColor,GetSysColor,GetSysColor,GetSysColor,GetSysColor,GetSysColor,GetSysColor,GetSysColor,GetSysColor,GetSysColor,GetSysColor,GetSysColor,OleInitialize,InitCommonControlsEx,RegisterWindowMessageW,CreateSolidBrush,CreateSolidBrush,CreateSolidBrush, 10_2_007E8650
Source: HkObDPju6Z.exe, 00000003.00000003.22699680641.00000000044A4000.00000004.00000020.00020000.00000000.sdmp, HkObDPju6Z.exe, 00000003.00000003.22688330089.00000000044A4000.00000004.00000020.00020000.00000000.sdmp, HkObDPju6Z.exe, 00000003.00000003.22701642269.00000000044A4000.00000004.00000020.00020000.00000000.sdmp, HkObDPju6Z.exe, 00000003.00000003.22691417722.00000000044A4000.00000004.00000020.00020000.00000000.sdmp, HkObDPju6Z.exe, 00000003.00000003.22714149600.00000000044B6000.00000004.00000020.00020000.00000000.sdmp, HkObDPju6Z.exe, 00000003.00000003.22709498761.00000000044A4000.00000004.00000020.00020000.00000000.sdmp, HkObDPju6Z.exe, 00000003.00000003.22710230787.00000000044A4000.00000004.00000020.00020000.00000000.sdmp, HkObDPju6Z.exe, 00000003.00000003.22693481787.00000000044A5000.00000004.00000020.00020000.00000000.sdmp, HkObDPju6Z.exe, 00000003.00000003.22693632051.00000000044AA000.00000004.00000020.00020000.00000000.sdmp, HkObDPju6Z.exe, 00000003.00000003.22673821964.00000000044A5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\\Program Files\Windows Defender\MsMpEng.exe
Source: HkObDPju6Z.exe, 00000003.00000003.22658154530.00000000044AC000.00000004.00000020.00020000.00000000.sdmp, HkObDPju6Z.exe, 00000003.00000003.22653448073.00000000044AC000.00000004.00000020.00020000.00000000.sdmp, HkObDPju6Z.exe, 00000003.00000003.22647199873.00000000044A6000.00000004.00000020.00020000.00000000.sdmp, HkObDPju6Z.exe, 00000003.00000003.22652004226.0000000004497000.00000004.00000020.00020000.00000000.sdmp, HkObDPju6Z.exe, 00000003.00000003.22656570562.00000000044A7000.00000004.00000020.00020000.00000000.sdmp, HkObDPju6Z.exe, 00000003.00000003.22655892664.00000000044A7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: MsMpEng.exe
No contacted IP infos