Analysis
max time kernel: 152s
max time network: 139s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03/11/2022, 13:01
Static task: static1
Behavioral task: behavioral1
  Sample: 7d3075d8426c817154b05b695d6196e5ea977a67d0132cf552851f237c166f5e.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: 7d3075d8426c817154b05b695d6196e5ea977a67d0132cf552851f237c166f5e.exe
  Resource: win10v2004-20220812-en
General
Target: 7d3075d8426c817154b05b695d6196e5ea977a67d0132cf552851f237c166f5e.exe
Size: 3.1MB
MD5: fcd1290482187d266d174f924c4b1e46
SHA1: c3f71f34c7bffd0cc0d49af56254d7f34d50b0c2
SHA256: 7d3075d8426c817154b05b695d6196e5ea977a67d0132cf552851f237c166f5e
SHA512: de3b60739be065ee2620f407b1e51c40be007f1dddcf198b9d676973fcc0007178635534009de2649c7908736e2be3efaaea15b955651a7ca7a5c1f2ad6c9df8
SSDEEP: 98304:dGZtUz0g6yFFHnDZs5998H5PBSh4+gNxiP:UPUQgXFFVs5X8q4+O4
Malware Config
Signatures
Detected Xorist Ransomware 1 IoCs
resource | yara_rule
behavioral2/memory/2964-137-0x0000000000400000-0x0000000000785000-memory.dmp | family_xorist
Xorist Ransomware
Xorist is a ransomware first seen in 2020.
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | You Are Hacked.exe
Drops file in Drivers directory 8 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\drivers\ja-JP\HOW TO DECRYPT FILES.txt | You Are Hacked.exe
File created | C:\Windows\SysWOW64\drivers\HOW TO DECRYPT FILES.txt | You Are Hacked.exe
File created | C:\Windows\SysWOW64\drivers\de-DE\HOW TO DECRYPT FILES.txt | You Are Hacked.exe
File created | C:\Windows\SysWOW64\drivers\en-US\HOW TO DECRYPT FILES.txt | You Are Hacked.exe
File created | C:\Windows\SysWOW64\drivers\es-ES\HOW TO DECRYPT FILES.txt | You Are Hacked.exe
File created | C:\Windows\SysWOW64\drivers\fr-FR\HOW TO DECRYPT FILES.txt | You Are Hacked.exe
File opened for modification | C:\Windows\SysWOW64\drivers\gmreadme.txt | You Are Hacked.exe
File created | C:\Windows\SysWOW64\drivers\it-IT\HOW TO DECRYPT FILES.txt | You Are Hacked.exe
Executes dropped EXE 1 IoCs
pid | Process
2964 | You Are Hacked.exe
Modifies extensions of user files 1 IoCs
Ransomware generally changes the extension on encrypted files.
description | ioc | Process
File renamed | C:\Users\Admin\Pictures\EditHide.png => C:\Users\Admin\Pictures\EditHide.png.anonymous | You Are Hacked.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely for geofencing.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | 7d3075d8426c817154b05b695d6196e5ea977a67d0132cf552851f237c166f5e.exe
Drops startup file 1 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt | You Are Hacked.exe
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Wine | You Are Hacked.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials, among other things.
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | You Are Hacked.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\533OqvBH346eRq3.exe" | You Are Hacked.exe
Drops file in System32 directory 64 IoCs
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid | Process
2964 | You Are Hacked.exe
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\de-DE\assets\ErrorPages\http_gen.htm You Are Hacked.exe File created C:\Windows\WinSxS\amd64_dual_wvmbusr.inf_31bf3856ad364e35_10.0.19041.1110_none_67be20cfb52b3549\HOW TO DECRYPT FILES.txt You Are Hacked.exe File created C:\Windows\diagnostics\system\IEBrowseWeb\HOW TO DECRYPT FILES.txt You Are Hacked.exe File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.Wizards.AutomaticRuleGenerationWizard.resources\v4.0_10.0.0.0_en_31bf3856ad364e35\HOW TO DECRYPT FILES.txt You Are Hacked.exe File created C:\Windows\rescache\_merged\899128513\HOW TO DECRYPT FILES.txt You Are Hacked.exe File opened for modification C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\common\perftools\images\CustomMark5_18x.png You Are Hacked.exe File opened for modification C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\debugger\Breakpoints\images\eventBreakpoint.png You Are Hacked.exe File created C:\Windows\assembly\NativeImages_v4.0.30319_64\SrpUxSnapIn\d2b1ef680213b74225d25f626d5cd58f\HOW TO DECRYPT FILES.txt You Are Hacked.exe File opened for modification C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\InputApp\Assets\SquareLogo150x150.scale-100.png You Are Hacked.exe File opened for modification C:\Windows\SystemResources\Windows.UI.AccountsControl\Images\Generic.Theme-Light_Scale-125.png You Are Hacked.exe File created C:\Windows\WinSxS\amd64_microsoft-hyper-v-integration-rdv-core_31bf3856ad364e35_10.0.19041.964_none_3542494c595902f8\HOW TO DECRYPT FILES.txt You Are Hacked.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.1266_none_777e4c5802d14c18\oobe-button-template.html You Are Hacked.exe File created 
C:\Windows\WinSxS\amd64_microsoft-windows-a..rvice-adm.resources_31bf3856ad364e35_10.0.19041.1_en-us_c23ca21f79c825d6\HOW TO DECRYPT FILES.txt You Are Hacked.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-clipboard-userservice_31bf3856ad364e35_10.0.19041.264_none_cd87c4ffc92d7585\f\HOW TO DECRYPT FILES.txt You Are Hacked.exe File opened for modification C:\Windows\SystemResources\Windows.SystemToast.Calling\Images\YourPhoneCallingToast.scale-400_contrast-black.png You Are Hacked.exe File created C:\Windows\WinSxS\amd64_acpipagr.inf.resources_31bf3856ad364e35_10.0.19041.1_es-es_81b8aecf4718f262\HOW TO DECRYPT FILES.txt You Are Hacked.exe File created C:\Windows\WinSxS\amd64_hyperv-compute-guestcomputeservice_31bf3856ad364e35_10.0.19041.1202_none_024525bdc81df50d\n\HOW TO DECRYPT FILES.txt You Are Hacked.exe File created C:\Windows\WinSxS\amd64_microsoft-client-li..m-service.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_9ac3a4c37bcb89fa\HOW TO DECRYPT FILES.txt You Are Hacked.exe File created C:\Windows\WinSxS\amd64_microsoft-onecore-a..sourcepolicy-client_31bf3856ad364e35_10.0.19041.546_none_d8c4f6ebff715d2e\f\HOW TO DECRYPT FILES.txt You Are Hacked.exe File created C:\Windows\WinSxS\amd64_microsoft-hyper-v-vstack-emulatedstorage_31bf3856ad364e35_10.0.19041.928_none_b96c565fe61a4dfa\f\HOW TO DECRYPT FILES.txt You Are Hacked.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-a..arydialog.appxsetup_31bf3856ad364e35_10.0.19041.1023_none_be8a1cf90a92f9f9\HOW TO DECRYPT FILES.txt You Are Hacked.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-b..dlinetool.resources_31bf3856ad364e35_10.0.19041.1_en-us_38200a3bee0c73a9\HOW TO DECRYPT FILES.txt You Are Hacked.exe File created C:\Windows\assembly\GAC_MSIL\Microsoft.Ink.Resources\6.1.0.0_en_31bf3856ad364e35\HOW TO DECRYPT FILES.txt You Are Hacked.exe File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic.Runtime\v4.0_4.0.0.0__b03f5f7f11d50a3a\HOW TO DECRYPT FILES.txt You Are 
Hacked.exe File opened for modification C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\it-IT\assets\ErrorPages\servbusy.htm You Are Hacked.exe File opened for modification C:\Windows\SystemApps\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\Assets\PeopleLogo.targetsize-30_altform-unplated_contrast-black.png You Are Hacked.exe File created C:\Windows\WinSxS\amd64_dual_mdmsun1.inf_31bf3856ad364e35_10.0.19041.1_none_1dac43ea38cae288\HOW TO DECRYPT FILES.txt You Are Hacked.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-bootux.resources_31bf3856ad364e35_10.0.19041.1_de-de_f820df65ea53fa16\HOW TO DECRYPT FILES.txt You Are Hacked.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-c..urces-applicability_31bf3856ad364e35_10.0.19041.508_none_12b3ef92407c0090\f\HOW TO DECRYPT FILES.txt You Are Hacked.exe File opened for modification C:\Windows\SystemApps\Microsoft.Windows.CallingShellApp_cw5n1h2txyewy\Assets\Square44x44Logo.targetsize-96_altform-lightunplated.png You Are Hacked.exe File opened for modification C:\Windows\SystemApps\microsoft.windows.narratorquickstart_8wekyb3d8bbwe\assets\NarratorUWPSquare44x44Logo.targetsize-40_altform-unplated.png You Are Hacked.exe File created C:\Windows\WinSxS\amd64_dual_mgtdyn.inf_31bf3856ad364e35_10.0.19041.1_none_9c89da6de9617e34\HOW TO DECRYPT FILES.txt You Are Hacked.exe File created C:\Windows\WinSxS\amd64_c_fsopenfilebackup.inf.resources_31bf3856ad364e35_10.0.19041.1_es-es_2a727c323385f246\HOW TO DECRYPT FILES.txt You Are Hacked.exe File created C:\Windows\WinSxS\amd64_dual_tsgenericusbdriver.inf_31bf3856ad364e35_10.0.19041.1151_none_5977f756866b1632\HOW TO DECRYPT FILES.txt You Are Hacked.exe File created C:\Windows\WinSxS\amd64_microsoft-windows-c..questtool.resources_31bf3856ad364e35_10.0.19041.1_es-es_69d08230123db221\HOW TO DECRYPT FILES.txt You Are Hacked.exe File created 
C:\Windows\assembly\GAC_MSIL\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v10.0\10.0.0.0__b03f5f7f11d50a3a\HOW TO DECRYPT FILES.txt You Are Hacked.exe
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.resources\v4.0_4.0.0.0_es_b77a5c561934e089\HOW TO DECRYPT FILES.txt You Are Hacked.exe
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Net.resources\v4.0_4.0.0.0_de_b03f5f7f11d50a3a\HOW TO DECRYPT FILES.txt You Are Hacked.exe
File created C:\Windows\PLA\Rules\HOW TO DECRYPT FILES.txt You Are Hacked.exe
File created C:\Windows\WinSxS\amd64_addinprocess32_b77a5c561934e089_10.0.19041.1_none_3700bdc08c446a5c\HOW TO DECRYPT FILES.txt You Are Hacked.exe
File created C:\Windows\WinSxS\amd64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.19041.1_el-gr_6c7fbc7e2aa0f999\HOW TO DECRYPT FILES.txt You Are Hacked.exe
File opened for modification C:\Windows\SystemApps\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\Loading.htm You Are Hacked.exe
File opened for modification C:\Windows\SystemApps\microsoft.windows.narratorquickstart_8wekyb3d8bbwe\assets\NarratorUWPSquare150x150Logo.scale-100.png You Are Hacked.exe
File opened for modification C:\Windows\SystemApps\microsoft.windows.narratorquickstart_8wekyb3d8bbwe\assets\NarratorUWPStoreLogo.scale-125_contrast-black.png You Are Hacked.exe
File created C:\Windows\WinSxS\amd64_microsoft-onecore-u..itefilter.resources_31bf3856ad364e35_10.0.19041.1_de-de_4e830a28c47450c8\HOW TO DECRYPT FILES.txt You Are Hacked.exe
File created C:\Windows\WinSxS\amd64_microsoft-windows-appx-sysprep_31bf3856ad364e35_10.0.19041.1_none_2d794a3294663cdf\HOW TO DECRYPT FILES.txt You Are Hacked.exe
File created C:\Windows\WinSxS\amd64_microsoft-windows-cdosys.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_b8beab5254469786\HOW TO DECRYPT FILES.txt You Are Hacked.exe
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.KeyDistributionService.Cmdlets.Resources\v4.0_10.0.0.0_es_31bf3856ad364e35\HOW TO DECRYPT FILES.txt You Are Hacked.exe
File created C:\Windows\WinSxS\amd64_microsoft-networksw..anagement.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_42079885389f82b8\HOW TO DECRYPT FILES.txt You Are Hacked.exe
File created C:\Windows\WinSxS\amd64_microsoft-windows-a..dcredentialprovider_31bf3856ad364e35_10.0.19041.84_none_39adc1f1f0aabb14\f\HOW TO DECRYPT FILES.txt You Are Hacked.exe
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-apprep-chxapp.appxmain_31bf3856ad364e35_10.0.19041.1_none_edda8130b19d4286\Splashscreen.scale-100.png You Are Hacked.exe
File created C:\Windows\WinSxS\amd64_microsoft-windows-bind-filter_31bf3856ad364e35_10.0.19041.1288_none_4bc29d3189d6f141\n\HOW TO DECRYPT FILES.txt You Are Hacked.exe
File created C:\Windows\WinSxS\amd64_microsoft-windows-c..deronline.resources_31bf3856ad364e35_10.0.19041.1_en-us_aaca3f9205cfd13a\HOW TO DECRYPT FILES.txt You Are Hacked.exe
File created C:\Windows\assembly\GAC_MSIL\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0\10.0.0.0__b03f5f7f11d50a3a\HOW TO DECRYPT FILES.txt You Are Hacked.exe
File opened for modification C:\Windows\SystemApps\Microsoft.Windows.CallingShellApp_cw5n1h2txyewy\Assets\StoreLogo.png You Are Hacked.exe
File created C:\Windows\WinSxS\amd64_ialpss2i_i2c_glk.inf.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_ccf05baa976b8bd5\HOW TO DECRYPT FILES.txt You Are Hacked.exe
File created C:\Windows\WinSxS\amd64_microsoft-windows-acproxy.resources_31bf3856ad364e35_10.0.19041.1_de-de_8482da5b9c4db3dd\HOW TO DECRYPT FILES.txt You Are Hacked.exe
File created C:\Windows\WinSxS\amd64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.19041.1_es-es_e4965057c6f5fbfc\HOW TO DECRYPT FILES.txt You Are Hacked.exe
File created C:\Windows\WinSxS\amd64_microsoft-windows-cloudexperiencehostapi_31bf3856ad364e35_10.0.19041.1266_none_638738a7fd1a2b2e\r\HOW TO DECRYPT FILES.txt You Are Hacked.exe
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Routing\v4.0_4.0.0.0__31bf3856ad364e35\HOW TO DECRYPT FILES.txt You Are Hacked.exe
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Xaml.Hosting.resources\v4.0_4.0.0.0_de_31bf3856ad364e35\HOW TO DECRYPT FILES.txt You Are Hacked.exe
File opened for modification C:\Windows\PrintDialog\Assets\splashscreen.contrast-white.png You Are Hacked.exe
File created C:\Windows\WinSxS\amd64_acpidev.inf.resources_31bf3856ad364e35_10.0.19041.1_es-es_a0e1ecae2037623d\HOW TO DECRYPT FILES.txt You Are Hacked.exe
File created C:\Windows\WinSxS\amd64_microsoft-windows-a..nt-uevwow.resources_31bf3856ad364e35_10.0.19041.1_en-us_f1d4cc964040ed40\HOW TO DECRYPT FILES.txt You Are Hacked.exe
-
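The file-create entries above show the ransom note HOW TO DECRYPT FILES.txt being written into unrelated system directories (WinSxS, the GAC, SystemApps) by the same process within the analysis window. The following is an added detection example, not part of the sandbox report or the sample: it flags a (process, file name) pair that lands in many distinct directories inside a short time window. The event records are constructed to carry Sysmon Event ID 11 (FileCreate) field names; the note directories and PID 2964 come from this report, while the timestamps, the benign explorer.exe and backup.exe events, and the thresholds (5 directories in 2 minutes) are assumptions for the example.

```python
"""
Ransom-note spray detector over Sysmon-style FileCreate records.

Added example for this report; not code from the sandbox or the sample.
Flags a process that creates the same file name in >= min_dirs distinct
directories within `window`, which is what the "Drops file in ... directory"
entries above record for HOW TO DECRYPT FILES.txt.
"""
import ntpath
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List

# Directories taken from the report's file-create entries (a subset).
NOTE_DIRS = [
    r"C:\Windows\PLA\Rules",
    r"C:\Windows\SysWOW64\drivers",
    r"C:\Windows\SysWOW64\drivers\en-US",
    r"C:\Windows\WinSxS\amd64_addinprocess32_b77a5c561934e089_10.0.19041.1_none_3700bdc08c446a5c",
    r"C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Routing\v4.0_4.0.0.0__31bf3856ad364e35",
    r"C:\Windows\assembly\GAC_MSIL\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0\10.0.0.0__b03f5f7f11d50a3a",
]


def _event(utc: str, pid: int, image: str, path: str) -> dict:
    """Build one record with the Sysmon Event ID 11 field names we rely on."""
    return {"UtcTime": utc, "ProcessId": pid, "Image": image, "TargetFilename": path}


# Constructed sample telemetry: timestamps are invented; only paths/PID mirror the report.
SAMPLE_EVENTS = (
    # Note spray: same file name, six directories, all within about five seconds.
    [_event(f"2022-11-03 13:02:1{i}.000", 2964,
            r"C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe",
            ntpath.join(d, "HOW TO DECRYPT FILES.txt"))
     for i, d in enumerate(NOTE_DIRS)]
    # Benign: Explorer writing desktop.ini into two folders.
    + [_event("2022-11-03 13:02:11.000", 4100, r"C:\Windows\explorer.exe",
              r"C:\Users\Admin\Pictures\desktop.ini"),
       _event("2022-11-03 13:02:12.000", 4100, r"C:\Windows\explorer.exe",
              r"C:\Users\Admin\Videos\desktop.ini")]
    # Benign: a backup tool writing one manifest per hour into six folders (outside the window).
    + [_event(f"2022-11-03 {h:02d}:00:00.000", 5200, r"C:\Program Files\Backup\backup.exe",
              rf"C:\Backups\set{h}\manifest.json") for h in range(6)]
)


def detect_note_spray(events: Iterable[dict], min_dirs: int = 5,
                      window: timedelta = timedelta(minutes=2)) -> List[dict]:
    """Return one finding per (pid, image, file name) whose creates hit >= min_dirs
    distinct directories inside any `window`-long span."""
    groups: Dict[tuple, List[tuple]] = defaultdict(list)
    for e in events:
        directory, name = ntpath.split(e["TargetFilename"])
        groups[(e["ProcessId"], e["Image"], name.lower())].append(
            (datetime.fromisoformat(e["UtcTime"]), directory.lower()))

    findings = []
    for (pid, image, name), hits in groups.items():
        hits.sort()                      # chronological; tuples sort on the datetime first
        best, best_span, start = 0, (None, None), 0
        for end in range(len(hits)):
            # Slide the window start forward until hits[start:end+1] spans at most `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            dirs = {d for _, d in hits[start:end + 1]}
            if len(dirs) > best:
                best, best_span = len(dirs), (hits[start][0], hits[end][0])
        if best >= min_dirs:
            findings.append({"pid": pid, "image": image, "filename": name,
                             "dir_count": best, "first": best_span[0], "last": best_span[1]})
    return findings


if __name__ == "__main__":
    for f in detect_note_spray(SAMPLE_EVENTS):
        print(f"pid {f['pid']} {f['image']}: '{f['filename']}' in {f['dir_count']} "
              f"directories between {f['first']} and {f['last']}")
```

The backup.exe events are there to show why the time window matters: the same six-directory pattern spread over six hours is not flagged with the default window, but widening the window to six hours makes it a (false) hit, so tune `window` and `min_dirs` to the host's normal write rate before deploying.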
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 10 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.anonymous\ = "CDOAEETJFTHWUGN" You Are Hacked.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CDOAEETJFTHWUGN\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\533OqvBH346eRq3.exe,0" You Are Hacked.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CDOAEETJFTHWUGN\shell You Are Hacked.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.anonymous You Are Hacked.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CDOAEETJFTHWUGN You Are Hacked.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CDOAEETJFTHWUGN\ = "CRYPTED!" You Are Hacked.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CDOAEETJFTHWUGN\DefaultIcon You Are Hacked.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CDOAEETJFTHWUGN\shell\open\command You Are Hacked.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CDOAEETJFTHWUGN\shell\open You Are Hacked.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CDOAEETJFTHWUGN\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\533OqvBH346eRq3.exe" You Are Hacked.exe
-
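The registry writes above are a file-association hijack: the encrypted-file extension .anonymous is mapped to the ProgID CDOAEETJFTHWUGN, whose friendly name is "CRYPTED!" and whose shell\open\command launches a copy of the ransomware from %TEMP%, so double-clicking any encrypted file re-runs it. The following is an added hunting example, not code from the sandbox or the sample: it parses lines in the report's own "Set value" format, resolves extension to ProgID to open command, and flags ProgIDs whose command runs from a user-writable path or whose friendly name mentions encryption. The three Xorist lines are copied from this report; the .txt lines are a constructed benign baseline, and the list of user-writable roots and the "crypt" name heuristic are assumptions for the example.

```python
"""
File-association hijack hunter over this report's "Set value" registry lines.

Added example for this report; not code from the sandbox or the sample.
"""
import re
from typing import Dict, List

CLASSES = "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\"

# Set value (str) <key>\ = "<data>" [<process>]  (trailing process column optional)
SET_VALUE_RE = re.compile(r'^Set value \((\w+)\) (\S+) = "(.*?)"(?:\s+(\S.*))?$')

# Assumed set of roots a standard user can write to; a ProgID open command that
# resolves here is the hijack signal.
USER_WRITABLE = re.compile(
    r"\\(users\\[^\\]+\\appdata|users\\public|programdata|temp|windows\\temp)\\", re.I)

# The .anonymous / CDOAEETJFTHWUGN lines are the report's own IoCs; the .txt lines
# are a constructed baseline mirroring Windows' default text-file association.
SAMPLE_LINES = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.txt\ = "txtfile"',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\ = "Text Document"',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.anonymous\ = "CDOAEETJFTHWUGN" You Are Hacked.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CDOAEETJFTHWUGN\ = "CRYPTED!" You Are Hacked.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CDOAEETJFTHWUGN\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\533OqvBH346eRq3.exe" You Are Hacked.exe',
]


def parse_set_values(lines: List[str]) -> Dict[str, tuple]:
    """Map lowercased key path -> (data, process). Every entry in this report writes a
    key's default value, which the report renders with a trailing backslash."""
    values: Dict[str, tuple] = {}
    for line in lines:
        m = SET_VALUE_RE.match(line.strip())
        if not m:
            continue
        key = m.group(2).rstrip("\\").lower()
        data = m.group(3).replace("\\\\", "\\")   # the report doubles backslashes in data
        values[key] = (data, m.group(4) or "")
    return values


def launched_binary(command: str) -> str:
    """Executable part of a shell\\open\\command string: the quoted token, else the first token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def find_hijacked_extensions(lines: List[str]) -> List[dict]:
    """Resolve ext -> ProgID -> open command and report suspicious associations."""
    values = parse_set_values(lines)
    prefix = CLASSES.lower()
    findings = []
    for key, (data, process) in values.items():
        rel = key[len(prefix):] if key.startswith(prefix) else ""
        # Only a "Classes\.ext" default value maps an extension to a ProgID.
        if not rel.startswith(".") or "\\" in rel:
            continue
        progid = data
        cmd = values.get(prefix + progid.lower() + "\\shell\\open\\command")
        if cmd is None:
            continue
        exe = launched_binary(cmd[0])
        friendly = values.get(prefix + progid.lower(), ("", ""))[0]
        reasons = []
        if USER_WRITABLE.search(exe):
            reasons.append("open command runs from a user-writable path")
        if "crypt" in friendly.lower():
            reasons.append("ProgID friendly name is %r" % friendly)
        if reasons:
            findings.append({"extension": rel, "progid": progid, "exe": exe,
                             "process": process, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_hijacked_extensions(SAMPLE_LINES):
        print(f"{f['extension']} -> {f['progid']} -> {f['exe']} "
              f"(set by {f['process'] or 'unknown'}; {'; '.join(f['reasons'])})")
```

On a live host the same resolution applies to values read from HKLM\SOFTWARE\Classes and from each user's HKCU\Software\Classes; the per-user hive takes precedence when both define an extension, so a hunt that only reads HKLM can miss a hijack that was written under the victim's own profile.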
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process
2964 You Are Hacked.exe
2964 You Are Hacked.exe
-
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target
PID 4452 wrote to memory of 2964 4452 7d3075d8426c817154b05b695d6196e5ea977a67d0132cf552851f237c166f5e.exe 81
PID 4452 wrote to memory of 2964 4452 7d3075d8426c817154b05b695d6196e5ea977a67d0132cf552851f237c166f5e.exe 81
PID 4452 wrote to memory of 2964 4452 7d3075d8426c817154b05b695d6196e5ea977a67d0132cf552851f237c166f5e.exe 81
Processes
-
C:\Users\Admin\AppData\Local\Temp\7d3075d8426c817154b05b695d6196e5ea977a67d0132cf552851f237c166f5e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7d3075d8426c817154b05b695d6196e5ea977a67d0132cf552851f237c166f5e.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID: 4452
  C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Modifies extensions of user files
    - Drops startup file
    - Identifies Wine through registry keys
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    PID: 2964
-
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize 2.5MB
MD5 93412c40272361e258e4dc0de74f7075
SHA1 c13b3cf156b76980c4eab4fae183758c4700440d
SHA256 7e5992568dc614491fbc17c3efbac79f8eb3e8b9cab73a6c877bdc61342cdd6e
SHA512 00c58f5c21ba59db1442e6761c60fdeeb756223b4d51f81cfb2b82aee415eb71a883d5d24086e6ad32c06f87d97d79f1123f20471350492597649eaa3e8d9067