Malware Analysis Report

2024-10-19 10:39

Sample ID: 221103-p9fzfaadg3
Target: 7d3075d8426c817154b05b695d6196e5ea977a67d0132cf552851f237c166f5e
SHA256: 7d3075d8426c817154b05b695d6196e5ea977a67d0132cf552851f237c166f5e
Tags: xorist evasion persistence ransomware spyware stealer trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 7d3075d8426c817154b05b695d6196e5ea977a67d0132cf552851f237c166f5e

Threat Level: Known bad

The file 7d3075d8426c817154b05b695d6196e5ea977a67d0132cf552851f237c166f5e was found to be: Known bad.

Malicious Activity Summary

xorist evasion persistence ransomware spyware stealer trojan

Detected Xorist Ransomware

Xorist Ransomware

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Executes dropped EXE

Drops file in Drivers directory

Modifies extensions of user files

Drops startup file

Loads dropped DLL

Identifies Wine through registry keys

Checks computer location settings

Reads user/profile data of web browsers

Adds Run key to start application

Checks whether UAC is enabled

Sets desktop wallpaper using registry

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2022-11-03 13:01

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2022-11-03 13:01

Reported: 2022-11-03 13:04

Platform: win7-20220901-en

Max time kernel: 129s

Max time network: 49s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7d3075d8426c817154b05b695d6196e5ea977a67d0132cf552851f237c166f5e.exe"

Signatures

Detected Xorist Ransomware

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Xorist Ransomware

ransomware xorist

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A

Drops file in Drivers directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\drivers\es-ES\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File created | C:\Windows\SysWOW64\drivers\fr-FR\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File created | C:\Windows\SysWOW64\drivers\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File opened for modification | C:\Windows\SysWOW64\drivers\gmreadme.txt | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File created | C:\Windows\SysWOW64\drivers\it-IT\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File created | C:\Windows\SysWOW64\drivers\ja-JP\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File created | C:\Windows\SysWOW64\drivers\de-DE\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File created | C:\Windows\SysWOW64\drivers\en-US\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A

Modifies extensions of user files

ransomware
Description | Indicator | Process | Target
File renamed | C:\Users\Admin\Pictures\SelectRead.png => C:\Users\Admin\Pictures\SelectRead.png.anonymous | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A

Identifies Wine through registry keys

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\533OqvBH346eRq3.exe" | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A

Drops file in System32 directory


Sets desktop wallpaper using registry

ransomware
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hmnadhmbfkpeincg.bmp" | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Pictures\\My Wallpaper.jpg" | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A

Drops file in Program Files directory


Drops file in Windows directory

File created C:\Windows\winsxs\amd64_microsoft-windows-c..gement-perfcounters_31bf3856ad364e35_6.1.7600.16385_none_814c249ec2a32783\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_1da743febb1ea38d\about_Ref.help.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-shell-sounds_31bf3856ad364e35_6.1.7600.16385_none_73076dd9cf3a9dce\Windows Print complete.wav C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\winsxs\amd64_lsi_scsi.inf.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_246d4081ec3276cc\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-i..timezones.resources_31bf3856ad364e35_6.1.7601.17514_it-it_6e4620a36290fd66\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-s..-soundthemes-quirky_31bf3856ad364e35_6.1.7600.16385_none_e55404efe49bb9cb\Windows Logon Sound.wav C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-shell-sounds_31bf3856ad364e35_6.1.7600.16385_none_73076dd9cf3a9dce\Windows Ding.wav C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-w..ouppolicy.resources_31bf3856ad364e35_6.1.7600.16385_de-de_f1d1bd913694f1d0\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\winsxs\amd64_rndiscmp.inf.resources_31bf3856ad364e35_6.1.7600.16385_de-de_cc6791b6f3c7fd13\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-class_ss_31bf3856ad364e35_6.1.7600.16385_none_17723c290c0f2178\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-t..atahelper.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_259b9bb0f00b1308\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-e..-mcplayer.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_1268989a682b8fa1\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-w..registrar.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_4b1e5a8ec846054b\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_4c778c357864a2ed\about_pssessions.help.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-smss_31bf3856ad364e35_6.1.7600.16385_none_082f99a432e2a661\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-errorreportingfaults_31bf3856ad364e35_6.1.7601.17514_none_720e868d9b0b6a44\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\inf\ASP.NET_4.0.30319\0019\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-t..ork-msutb.resources_31bf3856ad364e35_6.1.7600.16385_es-es_41b68dd3b0f81962\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File opened for modification C:\Windows\winsxs\x86_microsoft-windows-g..-currency.resources_31bf3856ad364e35_6.1.7600.16385_es-es_d1240af48795ef12\currency.html C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-s..cingstack.resources_31bf3856ad364e35_6.1.7600.16385_it-it_75597592789f1a85\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-d2d.resources_31bf3856ad364e35_7.1.7601.16492_da-dk_4099a4adfbeefa1e\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\winsxs\amd64_tape.inf.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_ada822601850b6f6\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\winsxs\amd64_amdsbs.inf.resources_31bf3856ad364e35_6.1.7600.16385_en-us_267caec07f213aec\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-e..ebargadgetresources_31bf3856ad364e35_6.1.7600.16385_none_88767a95b8bbf001\Gadget_Star_Empty.png C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-s..madvanced.resources_31bf3856ad364e35_6.1.7600.16385_de-de_62497c70b6d3816f\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\winsxs\msil_system.core.resources_b77a5c561934e089_6.1.7600.16385_ja-jp_c240b1366b990e94\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\assembly\GAC_MSIL\System.Deployment\2.0.0.0__b03f5f7f11d50a3a\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\winsxs\amd64_infocard.resources_b77a5c561934e089_6.1.7600.16385_fr-fr_49d88c0d5cf1bf75\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-u..anagement.resources_31bf3856ad364e35_6.1.7600.16385_es-es_610344214443bd26\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-wlan-dialog.resources_31bf3856ad364e35_6.1.7600.16385_es-es_deb8ae3579e8c0be\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-wmpnss-service_31bf3856ad364e35_6.1.7601.17514_none_61acd141e5332baf\wmpnss_bw48.bmp C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.anonymous C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.anonymous\ = "CDOAEETJFTHWUGN" C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CDOAEETJFTHWUGN C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CDOAEETJFTHWUGN\ = "CRYPTED!" C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CDOAEETJFTHWUGN\DefaultIcon C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CDOAEETJFTHWUGN\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\533OqvBH346eRq3.exe,0" C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CDOAEETJFTHWUGN\shell C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CDOAEETJFTHWUGN\shell\open C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CDOAEETJFTHWUGN\shell\open\command C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CDOAEETJFTHWUGN\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\533OqvBH346eRq3.exe" C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7d3075d8426c817154b05b695d6196e5ea977a67d0132cf552851f237c166f5e.exe

"C:\Users\Admin\AppData\Local\Temp\7d3075d8426c817154b05b695d6196e5ea977a67d0132cf552851f237c166f5e.exe"

C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe

"C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe"

Network

N/A

Files

memory/1292-54-0x00000000762E1000-0x00000000762E3000-memory.dmp

\Users\Admin\AppData\Local\Temp\You Are Hacked.exe

MD5 93412c40272361e258e4dc0de74f7075
SHA1 c13b3cf156b76980c4eab4fae183758c4700440d
SHA256 7e5992568dc614491fbc17c3efbac79f8eb3e8b9cab73a6c877bdc61342cdd6e
SHA512 00c58f5c21ba59db1442e6761c60fdeeb756223b4d51f81cfb2b82aee415eb71a883d5d24086e6ad32c06f87d97d79f1123f20471350492597649eaa3e8d9067

memory/1408-60-0x0000000000000000-mapping.dmp

memory/1292-59-0x0000000003920000-0x0000000003CA5000-memory.dmp

memory/1292-61-0x0000000003920000-0x0000000003CA5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe

MD5 93412c40272361e258e4dc0de74f7075
SHA1 c13b3cf156b76980c4eab4fae183758c4700440d
SHA256 7e5992568dc614491fbc17c3efbac79f8eb3e8b9cab73a6c877bdc61342cdd6e
SHA512 00c58f5c21ba59db1442e6761c60fdeeb756223b4d51f81cfb2b82aee415eb71a883d5d24086e6ad32c06f87d97d79f1123f20471350492597649eaa3e8d9067

memory/1408-63-0x0000000000400000-0x0000000000785000-memory.dmp

memory/1408-66-0x0000000077B70000-0x0000000077CF0000-memory.dmp

memory/1408-67-0x0000000000400000-0x0000000000785000-memory.dmp

memory/1408-68-0x0000000077B70000-0x0000000077CF0000-memory.dmp

memory/1408-69-0x0000000000400000-0x0000000000785000-memory.dmp

memory/1408-70-0x0000000077B70000-0x0000000077CF0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-11-03 13:01

Reported

2022-11-03 13:04

Platform

win10v2004-20220812-en

Max time kernel

152s

Max time network

139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7d3075d8426c817154b05b695d6196e5ea977a67d0132cf552851f237c166f5e.exe"

Signatures

Detected Xorist Ransomware

Description Indicator Process Target
N/A N/A N/A N/A

Xorist Ransomware

ransomware xorist

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\drivers\ja-JP\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\SysWOW64\drivers\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\SysWOW64\drivers\de-DE\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\SysWOW64\drivers\en-US\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\SysWOW64\drivers\es-ES\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\SysWOW64\drivers\fr-FR\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\gmreadme.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\SysWOW64\drivers\it-IT\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A

Modifies extensions of user files

ransomware
Description Indicator Process Target
File renamed C:\Users\Admin\Pictures\EditHide.png => C:\Users\Admin\Pictures\EditHide.png.anonymous C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7d3075d8426c817154b05b695d6196e5ea977a67d0132cf552851f237c166f5e.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
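
The rename above shows that the sample appends its extension to the original name (EditHide.png becomes EditHide.png.anonymous) rather than replacing it, and the ransom note is written into every directory it walks, including the user's Startup folder, where a .txt file is opened by its default handler at each logon. The following Python is an added example for scoping an infected host, not part of the sandbox output: it builds a constructed directory layout in a temporary directory that mirrors the paths in this report, tallies encrypted files per directory, derives the pre-encryption filenames, locates the notes and flags the copy in Startup. Function names such as scope_tree are this example's own.

```python
"""Scope a Xorist-style infection on disk from the two artefacts the report shows:
files renamed by appending an extension, and a ransom note in every directory walked.
Added example, not part of the sandbox output; the layout is constructed in a temp dir."""
import os
import tempfile
from pathlib import Path

NOTE_NAME = "HOW TO DECRYPT FILES.txt"
ENCRYPTED_EXT = ".anonymous"
# A note dropped here is opened at every logon (the report shows one in this folder).
STARTUP_MARKER = os.path.join("Start Menu", "Programs", "Startup")


def original_name(path, ext=ENCRYPTED_EXT):
    """The extension was appended (EditHide.png -> EditHide.png.anonymous),
    so the original name is the path minus that suffix."""
    return path[:-len(ext)] if path.endswith(ext) else path


def scope_tree(root, ext=ENCRYPTED_EXT, note=NOTE_NAME):
    """Walk `root`: encrypted files, per-directory counts, notes, and notes in Startup."""
    encrypted, notes, startup_notes, per_dir = [], [], [], {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if name.endswith(ext):
                encrypted.append(full)
                per_dir[dirpath] = per_dir.get(dirpath, 0) + 1
            elif name == note:
                notes.append(full)
                if STARTUP_MARKER in dirpath:
                    startup_notes.append(full)
    # An original still present beside its encrypted twin would mean copy, not rename.
    originals_present = [p for p in encrypted if os.path.exists(original_name(p, ext))]
    return {
        "encrypted": sorted(encrypted),
        "restore_names": {p: original_name(p, ext) for p in encrypted},
        "per_dir": per_dir,
        "notes": sorted(notes),
        "startup_notes": startup_notes,
        "originals_present": originals_present,
    }


def build_sample_tree(root):
    """Constructed layout mirroring paths seen in the report; file contents are dummies."""
    layout = {
        "Users/Admin/Pictures/EditHide.png" + ENCRYPTED_EXT: b"\x00" * 16,
        "Users/Admin/Pictures/" + NOTE_NAME: b"note",
        "Users/Admin/Documents/Report.docx" + ENCRYPTED_EXT: b"\x00" * 16,
        "Users/Admin/Documents/" + NOTE_NAME: b"note",
        "Users/Admin/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/" + NOTE_NAME: b"note",
        "Windows/SysWOW64/drivers/" + NOTE_NAME: b"note",
        "Windows/SysWOW64/drivers/gmreadme.txt": b"untouched",
    }
    for rel, data in layout.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    return root


def demo():
    """Build the sample tree in a temp dir, scope it, clean up, return the summary."""
    with tempfile.TemporaryDirectory() as tmp:
        return scope_tree(build_sample_tree(tmp))


if __name__ == "__main__":
    s = demo()
    print(f"{len(s['encrypted'])} encrypted files, {len(s['notes'])} notes, "
          f"{len(s['startup_notes'])} in Startup")
```

Run against a mounted image or a live host by calling scope_tree on the drive root; restore_names gives the filename each encrypted file should get back once decrypted, and an empty originals_present confirms in-place renaming rather than copy-and-delete.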

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\533OqvBH346eRq3.exe" C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
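
Read together with the Classes writes in behavioral1, this Run value completes the persistence picture: the .anonymous extension is bound to a new ProgID CDOAEETJFTHWUGN (display name "CRYPTED!") whose DefaultIcon and shell\open\command both point at C:\Users\Admin\AppData\Local\Temp\533OqvBH346eRq3.exe, so double-clicking any encrypted file relaunches the binary, and the Alcmeter Run value starts the same path at logon. That path does not appear among the dropped files listed in the behavioral1 Files section above, so a host hunt should look for both You Are Hacked.exe and 533OqvBH346eRq3.exe under the user's Temp directory. The following Python is an added example, not part of the sandbox output: it parses indicator lines in this report's own "Description Indicator Process Target" layout (the sample lines are copied from the tables above) and reduces them to hunt-ready facts. The helper names and the user-writable-path heuristic are this example's own assumptions.

```python
"""Extract hunting IOCs from sandbox lines "<Description> <Indicator> <Process> <Target>".
Added example, not part of the sandbox output; helper names and the
user-writable-path heuristic are this example's own assumptions."""
import re

# Constructed input: indicator lines copied from the report tables above.
SAMPLE_LINES = r'''
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.anonymous C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.anonymous\ = "CDOAEETJFTHWUGN" C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CDOAEETJFTHWUGN\ = "CRYPTED!" C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CDOAEETJFTHWUGN\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\533OqvBH346eRq3.exe,0" C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CDOAEETJFTHWUGN\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\533OqvBH346eRq3.exe" C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\533OqvBH346eRq3.exe" C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File renamed C:\Users\Admin\Pictures\EditHide.png => C:\Users\Admin\Pictures\EditHide.png.anonymous C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\SysWOW64\drivers\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
'''.strip().splitlines()

EVENT_RE = re.compile(
    r"^(?P<desc>Set value \(str\)|Key created|Key opened|Key value queried|"
    r"File created|File opened for modification|File renamed) "
    r"(?P<ind>.+) (?P<proc>[A-Z]:\\.+\.exe) N/A$"  # greedy ind: the process is the last " X:\" path
)
CLASSES = "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\"
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\programdata\\", "\\temp\\")


def parse_events(lines):
    """Split each line into description, indicator and acting process."""
    return [m.groupdict() for m in (EVENT_RE.match(line.strip()) for line in lines) if m]


def _split_set_value(indicator):
    """'<key> = "<value>"' -> (key, value), collapsing the report's doubled backslashes."""
    key, _, val = indicator.partition(" = ")
    return key, val.strip('"').replace("\\\\", "\\")


def file_association_chain(events):
    """Rebuild extension -> ProgID -> label/icon/open command from the Classes writes.
    This binding is what makes opening an encrypted file launch the binary again."""
    chain = {"extension": None, "progid": None, "label": None, "icon": None, "command": None}
    for e in events:
        if e["desc"] != "Set value (str)" or not e["ind"].startswith(CLASSES):
            continue
        key, val = _split_set_value(e["ind"])
        parts = key[len(CLASSES):].strip("\\").split("\\")
        if len(parts) == 1 and parts[0].startswith("."):
            chain["extension"], chain["progid"] = parts[0], val  # .anonymous -> CDOAEETJFTHWUGN
        elif len(parts) == 1:
            chain["label"] = val  # ProgID default value, shown as the file type name
        elif parts[-1] == "DefaultIcon":
            chain["icon"] = val.split(",")[0]  # "<path>,0" -> <path>
        elif parts[-1] == "command":
            chain["command"] = val
    return chain


def run_key_entries(events):
    """Value name -> command for every CurrentVersion\\Run value written (persistence)."""
    entries = {}
    for e in events:
        if e["desc"] == "Set value (str)" and "\\CurrentVersion\\Run\\" in e["ind"]:
            key, val = _split_set_value(e["ind"])
            entries[key.rsplit("\\", 1)[1]] = val
    return entries


def encrypted_extension(events):
    """Suffix appended by the first 'File renamed a => b' event, e.g. '.anonymous'."""
    for e in events:
        if e["desc"] == "File renamed":
            src, _, dst = e["ind"].partition(" => ")
            if dst.startswith(src):
                return dst[len(src):]
    return None


def ransom_note_dirs(events, note="HOW TO DECRYPT FILES.txt"):
    """Directories that received the ransom note."""
    return sorted({e["ind"].rsplit("\\", 1)[0] for e in events
                   if e["desc"] == "File created" and e["ind"].endswith("\\" + note)})


def summarize(lines):
    """Hunt-ready findings; hunt_paths are launch targets living under user-writable dirs."""
    ev = parse_events(lines)
    chain, run, ext = file_association_chain(ev), run_key_entries(ev), encrypted_extension(ev)
    targets = [p for p in (chain["command"], chain["icon"], *run.values()) if p]
    return {
        "encrypted_extension": ext,
        "extension_hijacked": ext is not None and chain["extension"] == ext,
        "association": chain,
        "run_keys": run,
        "note_dirs": ransom_note_dirs(ev),
        "hunt_paths": sorted({p for p in targets if any(m in p.lower() for m in USER_WRITABLE)}),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_LINES))
```

Feed it the full indicator tables rather than the excerpt and hunt_paths becomes the list of binaries to pull from hosts, while extension_hijacked being true is the cue to remove the .anonymous association and the ProgID before any user opens an encrypted file.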

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_ServiceResource\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\c_unknown.inf_amd64_9f92c189b415c003\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\genericusbfn.inf_amd64_53931f0ae21d6d2c\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\SysWOW64\slmgr\040C\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\NetSecurity\es\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\mdmgl003.inf_amd64_6b639ff361f628eb\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\prnms007.inf_amd64_8bbf44975c626ac5\Amd64\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\SysWOW64\IME\SHARED\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\ProcessSet\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\c_fscontentscreener.inf_amd64_bd1517e25f3e419f\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\c_mediumchanger.inf_amd64_69ea0d8614286224\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\hidinterrupt.inf_amd64_eeb986311b3a5b16\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\hidtelephonydriver.inf_amd64_43fa6b1db642df7e\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\prnms008.inf_amd64_69b5e0c918eab9a6\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Provisioning\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_ScriptResource\es-ES\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\sdbus.inf_amd64_55c0c78952233d0c\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_PackageResource\de-DE\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\mdmmts.inf_amd64_bc07e137c52c529a\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\SysWOW64\ja\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\fr\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\SysWOW64\Com\fr-FR\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\SysWOW64\de\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\adp80xx.inf_amd64_efb36fdc260e8bc8\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\hidi2c.inf_amd64_aad0f43cb9f97e75\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\eaphost.inf_amd64_d37080dfb66d830b\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\xinputhid.inf_amd64_b01c6ccf7f1e23b6\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DirectAccessClientComponents\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\SysWOW64\XPSViewer\es-ES\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\athw8x.inf_amd64_55014eff4ceefbdf\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\c_wpd.inf_amd64_0245a364d71cf6b5\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\mdmmhrtz.inf_amd64_aa2738d63955f632\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\oposdrv.inf_amd64_9090a824ce0d0e68\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\wfcvsc.inf_amd64_dfe08f401a2eedbc\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\c_dot4.inf_amd64_55905bb33692cd84\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\mdmagm64.inf_amd64_7f60bc7ff484a292\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\mdmcdp.inf_amd64_919b7beec2c70482\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\prnms007.inf_amd64_8bbf44975c626ac5\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\dc21x4vm.inf_amd64_3294fc34256dbb0e\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netxex64.inf_amd64_ede00b448bfe8099\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\SysWOW64\lv-LV\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\SysWOW64\MUI\040C\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\SysWOW64\InstallShield\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\default.help.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\SysWOW64\en-GB\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\SysWOW64\InstallShield\setupdir\000e\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\SysWOW64\Dism\fr-FR\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\c_camera.inf_amd64_7b52a9607d24ece6\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\mdmarch.inf_amd64_1ae6ea0bf54c0f5c\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netbrdg.inf_amd64_8a737d38f201aeb1\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\SysWOW64\DriverStore\fr-FR\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\SysWOW64\Configuration\Schema\MSFT_FileDirectoryConfiguration\fr-FR\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\msdri.inf_amd64_97bef65a8432edd4\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\perceptionsimulationsixdof.inf_amd64_3ff016f4df6d2b8a\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\default.help.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\hidvhf.inf_amd64_0a924aec7600dcde\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\ialpss2i_gpio2_skl.inf_amd64_b68199ad84607c21\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netimm.inf_amd64_8b2087393aaef952\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\NetSwitchTeam\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\rtux64w10.inf_amd64_d6132e4c7fe2fac6\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\acxhdaudiop.inf_amd64_78faaf2062860ce8\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\mdmgl008.inf_amd64_c0d977e565fdc839\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\mdmomrn3.inf_amd64_c2314613ba3f3585\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\net819xp.inf_amd64_ff7a5dd4f9b1ceba\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\LargeTile.scale-400_contrast-black.png C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\RTL\contrast-black\WideTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Car\RTL\contrast-white\WideTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\ja-jp\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageAppList.targetsize-48_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\de-de\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\locale\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\Close.png C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\example_icons.png C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\dark\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\ar-ae\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\fr\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\de-DE\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\PhotosSmallTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\contrast-black\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\AppIcon.targetsize-16_altform-unplated_contrast-white.png C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\de-de\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\pl-pl\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\fr-fr\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\Glyph_0xe7d1.png C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-32_altform-lightunplated.png C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Program Files (x86)\Windows Media Player\en-US\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\LiveTile\W2.png C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\images\LockScreenLogo.scale-200.png C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\SplashScreen.scale-200_contrast-black.png C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\ExchangeMediumTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\VoiceRecorderMedTile.contrast-white_scale-125.png C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\75.jpg C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\es-es\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\ShareProvider_CopyLink24x24.scale-200.png C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-80.png C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailAppList.targetsize-20_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\de-de\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\Assets\logo.scale-200_contrast-black.png C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-black_targetsize-72.png C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-black_targetsize-40_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\core_icons.png C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Program Files (x86)\Windows Media Player\de-DE\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\ca-ES\View3d\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-32_contrast-black.png C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.targetsize-24_contrast-white.png C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\fi-fi\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\SmartSelect\RemoveStroke_Illustration.png C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_PigNose.png C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PeopleAppList.targetsize-64_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-72.png C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\DeleteToastQuickAction.scale-80.png C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Car\LTR\contrast-black\SmallTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\sr-spl.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-100_8wekyb3d8bbwe\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\new_icons.png C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\AppIcon.targetsize-48.png C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Program Files (x86)\Common Files\System\ja-JP\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Examples\Calculator\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\LargeTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\AppIcon.targetsize-40_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-black\PeopleAppList.targetsize-24_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.contrast-white_targetsize-36.png C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\themes\dark\sat_logo.png C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\VBA\VBA7.1\1033\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\de-DE\assets\ErrorPages\http_gen.htm C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\WinSxS\amd64_dual_wvmbusr.inf_31bf3856ad364e35_10.0.19041.1110_none_67be20cfb52b3549\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\diagnostics\system\IEBrowseWeb\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.Wizards.AutomaticRuleGenerationWizard.resources\v4.0_10.0.0.0_en_31bf3856ad364e35\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\rescache\_merged\899128513\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\common\perftools\images\CustomMark5_18x.png C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\debugger\Breakpoints\images\eventBreakpoint.png C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\assembly\NativeImages_v4.0.30319_64\SrpUxSnapIn\d2b1ef680213b74225d25f626d5cd58f\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File opened for modification C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\InputApp\Assets\SquareLogo150x150.scale-100.png C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File opened for modification C:\Windows\SystemResources\Windows.UI.AccountsControl\Images\Generic.Theme-Light_Scale-125.png C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-hyper-v-integration-rdv-core_31bf3856ad364e35_10.0.19041.964_none_3542494c595902f8\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.1266_none_777e4c5802d14c18\oobe-button-template.html C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-a..rvice-adm.resources_31bf3856ad364e35_10.0.19041.1_en-us_c23ca21f79c825d6\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-clipboard-userservice_31bf3856ad364e35_10.0.19041.264_none_cd87c4ffc92d7585\f\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File opened for modification C:\Windows\SystemResources\Windows.SystemToast.Calling\Images\YourPhoneCallingToast.scale-400_contrast-black.png C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\WinSxS\amd64_acpipagr.inf.resources_31bf3856ad364e35_10.0.19041.1_es-es_81b8aecf4718f262\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\WinSxS\amd64_hyperv-compute-guestcomputeservice_31bf3856ad364e35_10.0.19041.1202_none_024525bdc81df50d\n\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-client-li..m-service.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_9ac3a4c37bcb89fa\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-onecore-a..sourcepolicy-client_31bf3856ad364e35_10.0.19041.546_none_d8c4f6ebff715d2e\f\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-hyper-v-vstack-emulatedstorage_31bf3856ad364e35_10.0.19041.928_none_b96c565fe61a4dfa\f\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-a..arydialog.appxsetup_31bf3856ad364e35_10.0.19041.1023_none_be8a1cf90a92f9f9\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-b..dlinetool.resources_31bf3856ad364e35_10.0.19041.1_en-us_38200a3bee0c73a9\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\assembly\GAC_MSIL\Microsoft.Ink.Resources\6.1.0.0_en_31bf3856ad364e35\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic.Runtime\v4.0_4.0.0.0__b03f5f7f11d50a3a\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\it-IT\assets\ErrorPages\servbusy.htm C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\Assets\PeopleLogo.targetsize-30_altform-unplated_contrast-black.png C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\WinSxS\amd64_dual_mdmsun1.inf_31bf3856ad364e35_10.0.19041.1_none_1dac43ea38cae288\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-bootux.resources_31bf3856ad364e35_10.0.19041.1_de-de_f820df65ea53fa16\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-c..urces-applicability_31bf3856ad364e35_10.0.19041.508_none_12b3ef92407c0090\f\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.Windows.CallingShellApp_cw5n1h2txyewy\Assets\Square44x44Logo.targetsize-96_altform-lightunplated.png C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File opened for modification C:\Windows\SystemApps\microsoft.windows.narratorquickstart_8wekyb3d8bbwe\assets\NarratorUWPSquare44x44Logo.targetsize-40_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\WinSxS\amd64_dual_mgtdyn.inf_31bf3856ad364e35_10.0.19041.1_none_9c89da6de9617e34\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\WinSxS\amd64_c_fsopenfilebackup.inf.resources_31bf3856ad364e35_10.0.19041.1_es-es_2a727c323385f246\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\WinSxS\amd64_dual_tsgenericusbdriver.inf_31bf3856ad364e35_10.0.19041.1151_none_5977f756866b1632\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-c..questtool.resources_31bf3856ad364e35_10.0.19041.1_es-es_69d08230123db221\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\assembly\GAC_MSIL\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v10.0\10.0.0.0__b03f5f7f11d50a3a\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.resources\v4.0_4.0.0.0_es_b77a5c561934e089\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Net.resources\v4.0_4.0.0.0_de_b03f5f7f11d50a3a\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\PLA\Rules\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\WinSxS\amd64_addinprocess32_b77a5c561934e089_10.0.19041.1_none_3700bdc08c446a5c\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.19041.1_el-gr_6c7fbc7e2aa0f999\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\Loading.htm C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File opened for modification C:\Windows\SystemApps\microsoft.windows.narratorquickstart_8wekyb3d8bbwe\assets\NarratorUWPSquare150x150Logo.scale-100.png C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File opened for modification C:\Windows\SystemApps\microsoft.windows.narratorquickstart_8wekyb3d8bbwe\assets\NarratorUWPStoreLogo.scale-125_contrast-black.png C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-onecore-u..itefilter.resources_31bf3856ad364e35_10.0.19041.1_de-de_4e830a28c47450c8\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-appx-sysprep_31bf3856ad364e35_10.0.19041.1_none_2d794a3294663cdf\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-cdosys.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_b8beab5254469786\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.KeyDistributionService.Cmdlets.Resources\v4.0_10.0.0.0_es_31bf3856ad364e35\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-networksw..anagement.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_42079885389f82b8\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-a..dcredentialprovider_31bf3856ad364e35_10.0.19041.84_none_39adc1f1f0aabb14\f\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-apprep-chxapp.appxmain_31bf3856ad364e35_10.0.19041.1_none_edda8130b19d4286\Splashscreen.scale-100.png C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-bind-filter_31bf3856ad364e35_10.0.19041.1288_none_4bc29d3189d6f141\n\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-c..deronline.resources_31bf3856ad364e35_10.0.19041.1_en-us_aaca3f9205cfd13a\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\assembly\GAC_MSIL\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0\10.0.0.0__b03f5f7f11d50a3a\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.Windows.CallingShellApp_cw5n1h2txyewy\Assets\StoreLogo.png C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\WinSxS\amd64_ialpss2i_i2c_glk.inf.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_ccf05baa976b8bd5\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-acproxy.resources_31bf3856ad364e35_10.0.19041.1_de-de_8482da5b9c4db3dd\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.19041.1_es-es_e4965057c6f5fbfc\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-cloudexperiencehostapi_31bf3856ad364e35_10.0.19041.1266_none_638738a7fd1a2b2e\r\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Routing\v4.0_4.0.0.0__31bf3856ad364e35\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Xaml.Hosting.resources\v4.0_4.0.0.0_de_31bf3856ad364e35\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File opened for modification C:\Windows\PrintDialog\Assets\splashscreen.contrast-white.png C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\WinSxS\amd64_acpidev.inf.resources_31bf3856ad364e35_10.0.19041.1_es-es_a0e1ecae2037623d\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-a..nt-uevwow.resources_31bf3856ad364e35_10.0.19041.1_en-us_f1d4cc964040ed40\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.anonymous\ = "CDOAEETJFTHWUGN" C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CDOAEETJFTHWUGN\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\533OqvBH346eRq3.exe,0" C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CDOAEETJFTHWUGN\shell C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.anonymous C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CDOAEETJFTHWUGN C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CDOAEETJFTHWUGN\ = "CRYPTED!" C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CDOAEETJFTHWUGN\DefaultIcon C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CDOAEETJFTHWUGN\shell\open\command C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CDOAEETJFTHWUGN\shell\open C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CDOAEETJFTHWUGN\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\533OqvBH346eRq3.exe" C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7d3075d8426c817154b05b695d6196e5ea977a67d0132cf552851f237c166f5e.exe

"C:\Users\Admin\AppData\Local\Temp\7d3075d8426c817154b05b695d6196e5ea977a67d0132cf552851f237c166f5e.exe"

C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe

"C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe"

Network

Country Destination Domain Proto
US 204.79.197.200:443 tcp
NL 104.80.225.205:443 tcp
US 209.197.3.8:80 tcp
US 209.197.3.8:80 tcp
US 204.79.197.200:443 tcp

Files

memory/2964-132-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe

MD5 93412c40272361e258e4dc0de74f7075
SHA1 c13b3cf156b76980c4eab4fae183758c4700440d
SHA256 7e5992568dc614491fbc17c3efbac79f8eb3e8b9cab73a6c877bdc61342cdd6e
SHA512 00c58f5c21ba59db1442e6761c60fdeeb756223b4d51f81cfb2b82aee415eb71a883d5d24086e6ad32c06f87d97d79f1123f20471350492597649eaa3e8d9067

memory/2964-135-0x0000000000400000-0x0000000000785000-memory.dmp

memory/2964-136-0x0000000076FF0000-0x0000000077193000-memory.dmp

memory/2964-137-0x0000000000400000-0x0000000000785000-memory.dmp

memory/2964-138-0x0000000076FF0000-0x0000000077193000-memory.dmp