Malware Analysis Report

2024-10-19 10:39

Sample ID 221103-p9kbvscfek
Target 14cdb3735feec79d1bfbbcca899bc209b20e97283e7e600ff930b0019abeaef6
SHA256 14cdb3735feec79d1bfbbcca899bc209b20e97283e7e600ff930b0019abeaef6
Tags
xorist evasion persistence ransomware spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

14cdb3735feec79d1bfbbcca899bc209b20e97283e7e600ff930b0019abeaef6

Threat Level: Known bad

The file 14cdb3735feec79d1bfbbcca899bc209b20e97283e7e600ff930b0019abeaef6 was found to be: Known bad.

Malicious Activity Summary

xorist evasion persistence ransomware spyware stealer trojan

Xorist Ransomware

Detected Xorist Ransomware

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Executes dropped EXE

Drops file in Drivers directory

Modifies extensions of user files

Loads dropped DLL

Reads user/profile data of web browsers

Checks computer location settings

Drops startup file

Identifies Wine through registry keys

Adds Run key to start application

Checks whether UAC is enabled

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Sets desktop wallpaper using registry

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-11-03 13:01

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-11-03 13:01

Reported

2022-11-03 13:04

Platform

win7-20220901-en

Max time kernel

105s

Max time network

49s

Command Line

"C:\Users\Admin\AppData\Local\Temp\14cdb3735feec79d1bfbbcca899bc209b20e97283e7e600ff930b0019abeaef6.exe"

Signatures

Detected Xorist Ransomware

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Xorist Ransomware

ransomware xorist

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A

Drops file in Drivers directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\drivers\en-US\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File created | C:\Windows\SysWOW64\drivers\es-ES\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File created | C:\Windows\SysWOW64\drivers\fr-FR\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File created | C:\Windows\SysWOW64\drivers\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File opened for modification | C:\Windows\SysWOW64\drivers\gmreadme.txt | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File created | C:\Windows\SysWOW64\drivers\it-IT\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File created | C:\Windows\SysWOW64\drivers\ja-JP\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File created | C:\Windows\SysWOW64\drivers\de-DE\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A

Modifies extensions of user files

ransomware
Description | Indicator | Process | Target
File renamed | C:\Users\Admin\Pictures\SetSave.png => C:\Users\Admin\Pictures\SetSave.png.anonymous | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A

Identifies Wine through registry keys

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\533OqvBH346eRq3.exe" | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\InstallShield\setupdir\001b\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File created | C:\Windows\System32\DriverStore\FileRepository\mdmgsm.inf_amd64_neutral_dd3fbd8c64c7c87d\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File created | C:\Windows\System32\DriverStore\FileRepository\rawsilo.inf_amd64_neutral_8eb7e6403ddbb7a8\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_arrays.help.txt | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_Automatic_Variables.help.txt | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File created | C:\Windows\System32\DriverStore\FileRepository\compositebus.inf_amd64_neutral_b9280780a8000d4b\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File created | C:\Windows\System32\DriverStore\FileRepository\prnlx00a.inf_amd64_neutral_a89d2c01c0f43dfd\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Command_Syntax.help.txt | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File created | C:\Windows\SysWOW64\de-DE\Licenses\_Default\HomePremiumN\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_script_blocks.help.txt | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File created | C:\Windows\System32\DriverStore\FileRepository\mdmnis3t.inf_amd64_neutral_857ff0fa9c73850a\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File created | C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File created | C:\Windows\System32\DriverStore\FileRepository\rdlsbuscbs.inf_amd64_neutral_351e56205fd4c200\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File created | C:\Windows\SysWOW64\it-IT\Licenses\eval\HomePremiumE\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File created | C:\Windows\SysWOW64\Speech\Engines\SR\en-US\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_History.help.txt | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File created | C:\Windows\SysWOW64\de-DE\Licenses\_Default\ProfessionalE\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File created | C:\Windows\System32\DriverStore\FileRepository\prnca00y.inf_amd64_neutral_64560c72e81f6ad7\Amd64\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File opened for modification | C:\Windows\SysWOW64\ja-JP\erofflps.txt | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_remote_troubleshooting.help.txt | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_modules.help.txt | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\default.help.txt | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File created | C:\Windows\System32\DriverStore\FileRepository\mdmrock.inf_amd64_neutral_2ec26aaad7a9d419\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File created | C:\Windows\System32\DriverStore\FileRepository\netk57a.inf_amd64_neutral_8b26ad5d0cc037a9\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_objects.help.txt | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_hash_tables.help.txt | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_requires.help.txt | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File created | C:\Windows\SysWOW64\winrm\0409\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File created | C:\Windows\SysWOW64\hu-HU\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_logical_operators.help.txt | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_scripts.help.txt | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_functions.help.txt | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File created | C:\Windows\System32\DriverStore\FileRepository\mdmx5560.inf_amd64_neutral_e853cea0022c059a\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File created | C:\Windows\System32\DriverStore\FileRepository\prnlx007.inf_amd64_neutral_0b796ee4978458e2\Amd64\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File created | C:\Windows\System32\DriverStore\FileRepository\prnts003.inf_amd64_neutral_33a68664c7e7ae4b\Amd64\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File created | C:\Windows\SysWOW64\migwiz\replacementmanifests\microsoft-activedirectory-webservices\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File created | C:\Windows\SysWOW64\pl-PL\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File created | C:\Windows\SysWOW64\sk-SK\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_prompts.help.txt | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File created | C:\Windows\System32\DriverStore\FileRepository\prnky007.inf_amd64_neutral_e637699044f367f3\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File created | C:\Windows\SysWOW64\Speech\Engines\SR\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_debuggers.help.txt | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File created | C:\Windows\System32\DriverStore\FileRepository\mcx2.inf_amd64_neutral_8cf9cade8f7bba56\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File created | C:\Windows\System32\DriverStore\FileRepository\nulhpopr.inf_amd64_neutral_e078ec466987bb3b\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File created | C:\Windows\SysWOW64\ja-JP\Licenses\OEM\ProfessionalN\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_Comparison_Operators.help.txt | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_While.help.txt | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_debuggers.help.txt | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_requires.help.txt | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File created | C:\Windows\SysWOW64\IME\IMEJP10\APPLETS\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File created | C:\Windows\SysWOW64\manifeststore\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_Comparison_Operators.help.txt | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_aliases.help.txt | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_pipelines.help.txt | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File created | C:\Windows\SysWOW64\de-DE\Licenses\_Default\Starter\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File created | C:\Windows\System32\DriverStore\FileRepository\faxca003.inf_amd64_neutral_5b8c7c1dda79bef4\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File created | C:\Windows\System32\DriverStore\FileRepository\keyboard.inf_amd64_neutral_0684fdc43059f486\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File created | C:\Windows\System32\DriverStore\FileRepository\mdmtdkj4.inf_amd64_neutral_c150a510c4b85ce7\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File created | C:\Windows\SysWOW64\wbem\it-IT\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File created | C:\Windows\System32\DriverStore\FileRepository\mdmjf56e.inf_amd64_neutral_328dabbf0aeed9bc\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File created | C:\Windows\System32\DriverStore\FileRepository\wiasa002.inf_amd64_neutral_6429a42f1243419a\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File created | C:\Windows\SysWOW64\es-ES\Licenses\OEM\HomeBasic\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_data_sections.help.txt | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A

Sets desktop wallpaper using registry

ransomware
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fkmnpacefhjkmopb.bmp" | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Pictures\\My Wallpaper.jpg" | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\Places\WARN.WAV | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_corner_top_left.png | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainBackground_PAL.wmv | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File created | C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\time-span-16.png | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File created | C:\Program Files\VideoLAN\VLC\locale\it\LC_MESSAGES\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File created | C:\Program Files\Java\jre7\lib\fonts\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File created | C:\Program Files\Microsoft Games\Solitaire\de-DE\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\button_MCELogo_mousedown.png | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveDocumentReview\ActiveTabImage.jpg | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\button_left.gif | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\setting_back.png | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\North_Dakota\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\html\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\play_hov.png | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File created | C:\Program Files\VideoLAN\VLC\lua\meta\art\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\flower.png | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB02198_.GIF | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\NextMenuButtonIcon.png | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD15302_.GIF | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\js\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File created | C:\Program Files\Windows Sidebar\es-ES\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File created | C:\Program Files (x86)\Internet Explorer\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01562U.BMP | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File created | C:\Program Files (x86)\Windows Defender\en-US\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\7.png | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PROFILE\THMBNAIL.PNG | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue\HEADER.GIF | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainToNotesBackground.wmv | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File opened for modification | C:\Program Files\Microsoft Games\FreeCell\FreeCellMCE.lnk | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02398U.BMP | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01304G.GIF | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\day-of-week-16.png | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_box_divider_right.png | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01770_.GIF | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR4F.GIF | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File created | C:\Program Files (x86)\Windows Media Player\it-IT\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\cronometer_m.png | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\item_hover_docked.png | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File created | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\tab_on.gif | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_image-frame-backglow.png | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File created | C:\Program Files\VideoLAN\VLC\locale\si\LC_MESSAGES\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\J0115842.GIF | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File created | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\scene_button_style_default_Thumbnail.bmp | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File created | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\css\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\MessageHistoryIconImages.jpg | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\css\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\drag.png | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-waxing-gibbous.png | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0175428.JPG | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR1B.GIF | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File created | C:\Program Files (x86)\Common Files\microsoft shared\Web Folders\1033\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\RSSFeeds.html | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File created | C:\Program Files\Java\jre7\bin\plugin2\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\settings.html | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\Visualizer.zip | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\lv.txt | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\SAVE.GIF | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-full_partly-cloudy.png | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\winsxs\amd64_microsoft-windows-s..-ux-sppcc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_335533b06a051789\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File created | C:\Windows\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor.Resources\6.1.0.0_en_31bf3856ad364e35\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File created | C:\Windows\winsxs\wow64_microsoft-windows-fax-common.resources_31bf3856ad364e35_6.1.7600.16385_en-us_aff85da884c1c36e\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File created | C:\Windows\winsxs\x86_microsoft-windows-g..zards-mui.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_fa07334b836f9774\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File created | C:\Windows\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.SDHost\6.1.0.0__31bf3856ad364e35\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File created | C:\Windows\winsxs\amd64_microsoft-windows-t..languages.resources_31bf3856ad364e35_6.1.7601.17514_th-th_9b29344948cfe05f\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File created | C:\Windows\winsxs\amd64_microsoft-windows-w..sh-helper.resources_31bf3856ad364e35_6.1.7600.16385_en-us_58f470aad14c25ff\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File created | C:\Windows\winsxs\wow64_microsoft-windows-storprop.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_5dbcb85c07e1a7ea\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File created | C:\Windows\winsxs\x86_microsoft-windows-i..ional-codepage-1251_31bf3856ad364e35_6.1.7600.16385_none_21809ded6be89410\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File created | C:\Windows\winsxs\x86_microsoft-windows-ldap-client.resources_31bf3856ad364e35_6.1.7600.16385_en-us_db423f80885aae7d\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File created | C:\Windows\winsxs\amd64_microsoft-windows-s..-spp-plugin-windows_31bf3856ad364e35_6.1.7601.17514_none_6fe02fb8134de429\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File created | C:\Windows\winsxs\amd64_microsoft-windows-t..languages.resources_31bf3856ad364e35_6.1.7601.17514_uk-ua_3b0c3f843d784b5b\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File created | C:\Windows\winsxs\amd64_netfx35linq-system.data.services_31bf3856ad364e35_6.1.7601.17514_none_4d80338bda6aae67\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File created | C:\Windows\winsxs\msil_microsoft.windows.d..otingpack.resources_31bf3856ad364e35_6.1.7601.17514_es-es_2eff5ca16eb08c20\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File created | C:\Windows\winsxs\amd64_microsoft-windows-w..umservice.resources_31bf3856ad364e35_6.1.7600.16385_it-it_54caca9fc5890277\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File created | C:\Windows\winsxs\amd64_microsoft-windowsdx..xperience.resources_31bf3856ad364e35_6.1.7600.16385_de-de_9efe081149283749\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File created | C:\Windows\winsxs\wow64_microsoft-windows-tapicore.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_02b4920e9d1320c3\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File created | C:\Windows\winsxs\amd64_microsoft-windows-powercpl_31bf3856ad364e35_6.1.7601.17514_none_c006f86a8ad7ce0f\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File opened for modification | C:\Windows\winsxs\x86_microsoft-windows-e..rtingcore.resources_31bf3856ad364e35_6.1.7600.16385_it-it_8f94aa63624b0ac8\erofflps.txt | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File created | C:\Windows\assembly\GAC_MSIL\mscorlib.resources\2.0.0.0_fr_b77a5c561934e089\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File created | C:\Windows\ServiceProfiles\LocalService\AppData\Local\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File created | C:\Windows\winsxs\amd64_microsoft-windows-audio-volumecontrol_31bf3856ad364e35_6.1.7601.17514_none_244e76d61e1989e5\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File created | C:\Windows\winsxs\amd64_microsoft-windows-devinst-adm.resources_31bf3856ad364e35_6.1.7600.16385_es-es_ac77d5b138db374f\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File created | C:\Windows\winsxs\amd64_microsoft-windows-t..languages.resources_31bf3856ad364e35_6.1.7601.17514_nb-no_cbcfb68d97390f4e\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File created | C:\Windows\winsxs\x86_microsoft-windows-n..entclient.resources_31bf3856ad364e35_6.1.7600.16385_es-es_f91805a91d12afc2\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File created | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Security\Permissions\App_LocalResources\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File created | C:\Windows\winsxs\amd64_microsoft-windows-ehome-ehdebug_31bf3856ad364e35_6.1.7600.16385_none_8bd2a8c89bf31042\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File created | C:\Windows\winsxs\amd64_microsoft-windows-ipnat.resources_31bf3856ad364e35_6.1.7600.16385_de-de_974c889fb6e5e1fd\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File created | C:\Windows\winsxs\amd64_microsoft-windows-r..component.resources_31bf3856ad364e35_6.1.7601.17514_es-es_4a2131979606b12c\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File created | C:\Windows\winsxs\amd64_microsoft-windows-a..leshooter.resources_31bf3856ad364e35_6.1.7600.16385_es-es_666a30609fbbc043\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File created | C:\Windows\winsxs\amd64_microsoft-windows-p..ng-client.resources_31bf3856ad364e35_6.1.7600.16385_de-de_6276aeeebcd702c3\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File created | C:\Windows\winsxs\wow64_microsoft-windows-i..ectionsharingconfig_31bf3856ad364e35_6.1.7600.16385_none_167fe1ade2ab4f33\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File created | C:\Windows\winsxs\x86_microsoft-windows-comctl32-v5.resources_31bf3856ad364e35_6.1.7600.16385_sk-sk_4adc36503d558868\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File created | C:\Windows\winsxs\amd64_microsoft-windows-t..inkwatson.resources_31bf3856ad364e35_6.1.7600.16385_it-it_83df74751d14c3c7\HOW TO DECRYPT FILES.txt | C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe | N/A
File created C:\Windows\winsxs\wow64_microsoft-windows-streambufferengine_31bf3856ad364e35_6.1.7601.17514_none_9b0668f2fc6cec36\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\winsxs\amd64_61883.inf.resources_31bf3856ad364e35_6.1.7600.16385_de-de_e90147c1d8688d8b\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\winsxs\amd64_ksfilter.inf.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_05716bfe9bc460c8\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-acledit.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_b40b4fc097a11d8a\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_c02a16e1ae17ab94\about_data_sections.help.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-s..ssmanager.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_0e35d57f14f38d05\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-s..-whitebox.resources_31bf3856ad364e35_6.1.7600.16385_en-us_3a0c3775fc1e561c\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-where.resources_31bf3856ad364e35_6.1.7600.16385_en-us_fcd7cd8ec64e80f7\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File opened for modification C:\Windows\Web\Wallpaper\Architecture\img13.jpg C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-gadgets-calendar_31bf3856ad364e35_6.1.7600.16385_none_6a1946701e0df451\bPrev-hot.png C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_a9cf548d21b86a2f\7.png C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-l..essionaln.resources_31bf3856ad364e35_6.1.7601.17514_it-it_16b2136334d4d376\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_74b66e05cc4097c8\about_Variables.help.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-s..coreinstrumentation_31bf3856ad364e35_6.1.7600.16385_none_5c5b3d3cf793517b\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\winsxs\msil_system.componentmod..notations.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_6295dbbd95eed936\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-comctl32-v5.resources_31bf3856ad364e35_6.1.7600.16385_hu-hu_4c936d19ce8f71ba\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Images\gradient_onWhite.gif C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-a..grams-adm.resources_31bf3856ad364e35_6.1.7600.16385_de-de_b0f430da51572132\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-c..n-comrepl.resources_31bf3856ad364e35_6.1.7600.16385_es-es_d62dd1b2f424ae49\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-m..-schedule.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_8295f8f49d4a45c7\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-sud.resources_31bf3856ad364e35_6.1.7600.16385_de-de_ac91535ed7d90e6d\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-i..ablenetworkgraphics_31bf3856ad364e35_8.0.7600.16385_none_08570c83ebbf01dd\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-r..rtmanager.resources_31bf3856ad364e35_6.1.7600.16385_es-es_2be3743539fe8bc7\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File opened for modification C:\Windows\Media\Afternoon\Windows Exclamation.wav C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File opened for modification C:\Windows\Media\Savanna\Windows User Account Control.wav C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-msvcrt_31bf3856ad364e35_6.1.7600.16385_none_2d4a27c7b8972454\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\winsxs\wow64_microsoft-windows-e..e-ehdebug.resources_31bf3856ad364e35_6.1.7600.16385_en-us_76acdf46fe057416\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-i..favorites.resources_31bf3856ad364e35_8.0.7600.16385_it-it_3838a63f071c9c41\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-n..entclient.resources_31bf3856ad364e35_6.1.7600.16385_de-de_505bd2cc2e0db258\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-t..rk-ctfmon.resources_31bf3856ad364e35_6.1.7600.16385_es-es_961b4830979f02f2\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CDOAEETJFTHWUGN\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\533OqvBH346eRq3.exe" C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.anonymous C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CDOAEETJFTHWUGN C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CDOAEETJFTHWUGN\ = "CRYPTED!" C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CDOAEETJFTHWUGN\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\533OqvBH346eRq3.exe,0" C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CDOAEETJFTHWUGN\shell C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CDOAEETJFTHWUGN\shell\open C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.anonymous\ = "CDOAEETJFTHWUGN" C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CDOAEETJFTHWUGN\DefaultIcon C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CDOAEETJFTHWUGN\shell\open\command C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\14cdb3735feec79d1bfbbcca899bc209b20e97283e7e600ff930b0019abeaef6.exe

"C:\Users\Admin\AppData\Local\Temp\14cdb3735feec79d1bfbbcca899bc209b20e97283e7e600ff930b0019abeaef6.exe"

C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe

"C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe"

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe (dropped EXE; recorded several times during the run, always with these hashes)

MD5 93412c40272361e258e4dc0de74f7075
SHA1 c13b3cf156b76980c4eab4fae183758c4700440d
SHA256 7e5992568dc614491fbc17c3efbac79f8eb3e8b9cab73a6c877bdc61342cdd6e
SHA512 00c58f5c21ba59db1442e6761c60fdeeb756223b4d51f81cfb2b82aee415eb71a883d5d24086e6ad32c06f87d97d79f1123f20471350492597649eaa3e8d9067

memory/1368-54-0x0000000074E41000-0x0000000074E43000-memory.dmp

memory/1368-57-0x0000000003730000-0x0000000003AB5000-memory.dmp

memory/900-60-0x0000000000000000-mapping.dmp

memory/1368-62-0x0000000003730000-0x0000000003AB5000-memory.dmp

memory/1368-63-0x0000000003730000-0x0000000003AB5000-memory.dmp

memory/1368-64-0x0000000003730000-0x0000000003AB5000-memory.dmp

memory/900-65-0x0000000000400000-0x0000000000785000-memory.dmp

memory/900-68-0x0000000076FA0000-0x0000000077120000-memory.dmp

memory/1368-69-0x0000000003730000-0x0000000003AB5000-memory.dmp

memory/900-70-0x0000000000400000-0x0000000000785000-memory.dmp

memory/900-71-0x0000000076FA0000-0x0000000077120000-memory.dmp

memory/900-72-0x0000000000400000-0x0000000000785000-memory.dmp

memory/900-73-0x0000000076FA0000-0x0000000077120000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-11-03 13:01

Reported

2022-11-03 13:04

Platform

win10v2004-20220812-en

Max time kernel

167s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\14cdb3735feec79d1bfbbcca899bc209b20e97283e7e600ff930b0019abeaef6.exe"

Signatures

Detected Xorist Ransomware

Description Indicator Process Target
N/A N/A N/A N/A

Xorist Ransomware

ransomware xorist

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\drivers\es-ES\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\SysWOW64\drivers\fr-FR\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\gmreadme.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\SysWOW64\drivers\it-IT\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\SysWOW64\drivers\ja-JP\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\SysWOW64\drivers\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\SysWOW64\drivers\de-DE\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\SysWOW64\drivers\en-US\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\14cdb3735feec79d1bfbbcca899bc209b20e97283e7e600ff930b0019abeaef6.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\533OqvBH346eRq3.exe" C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
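
The Run value above and the "Modifies registry class" table in behavioral1 point at the same binary under the user's Temp directory: the .anonymous extension is mapped to ProgID CDOAEETJFTHWUGN (type description "CRYPTED!"), whose DefaultIcon and shell\open\command both name 533OqvBH346eRq3.exe, and Run\Alcmeter starts that same path at logon. The Python below is an added example, not the sandbox's own tooling: it parses the registry rows exactly as this report prints them and rebuilds both chains. The hive abbreviations, the "user-writable path" rule and the RunOnce handling are the example's own assumptions.

```python
"""Rebuild the file-association hijack and Run-key autostart from sandbox registry rows.

Added example for this report, not part of the sandbox. It parses the
"Set value (str) ... N/A" and "Key created ... N/A" rows as printed above.
"""
import re
from dataclasses import dataclass

# Rows copied from this report's "Modifies registry class" (behavioral1) and
# "Adds Run key to start application" (behavioral2) tables.
REGISTRY_ROWS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CDOAEETJFTHWUGN\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\533OqvBH346eRq3.exe" C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.anonymous C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CDOAEETJFTHWUGN C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CDOAEETJFTHWUGN\ = "CRYPTED!" C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CDOAEETJFTHWUGN\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\533OqvBH346eRq3.exe,0" C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.anonymous\ = "CDOAEETJFTHWUGN" C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\533OqvBH346eRq3.exe" C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A',
]

# The process column is always a full path starting with a drive letter; that is
# what separates it from a key or value name that may itself contain spaces.
SET_RE = re.compile(r'^Set value \(str\) (?P<key>.+?) = "(?P<data>.*)" (?P<proc>[A-Za-z]:\\.+?) N/A$')
KEY_RE = re.compile(r'^Key created (?P<key>.+?) (?P<proc>[A-Za-z]:\\.+?) N/A$')
# Assumption: anything under a user profile or ProgramData is writable without admin rights.
USER_WRITABLE = re.compile(r"^[A-Za-z]:\\(Users|ProgramData)\\", re.I)
HIVES = {r"\REGISTRY\MACHINE": "HKLM", r"\REGISTRY\USER": "HKU"}


@dataclass(frozen=True)
class RegEvent:
    key: str       # normalised key path, e.g. HKLM\SOFTWARE\Classes\.anonymous
    name: str      # value name; "" is the key's (Default) value
    data: str      # string data with the report's doubled backslashes undone
    process: str   # process that wrote it


def normalise_key(raw: str) -> str:
    for prefix, short in HIVES.items():
        if raw.upper().startswith(prefix.upper()):
            return short + raw[len(prefix):]
    return raw


def parse_rows(rows):
    """Return (list of set-value events, set of upper-cased keys that were created)."""
    events, created = [], set()
    for row in rows:
        if m := SET_RE.match(row):
            key = normalise_key(m["key"])
            # The report marks a key's (Default) value with a trailing backslash.
            if key.endswith("\\"):
                key, name = key[:-1], ""
            else:
                key, _, name = key.rpartition("\\")
            events.append(RegEvent(key, name, m["data"].replace("\\\\", "\\"), m["proc"]))
        elif m := KEY_RE.match(row):
            created.add(normalise_key(m["key"]).upper())
    return events, created


def file_associations(events, created):
    """Chain extension -> ProgID -> description / icon / open command under HKLM\\SOFTWARE\\Classes."""
    defaults = {e.key.upper(): e.data for e in events if e.name == ""}
    chains = []
    for e in events:
        m = re.fullmatch(r"HKLM\\SOFTWARE\\Classes\\(\.[^\\]+)", e.key, re.I)
        if e.name != "" or not m:
            continue
        progid = e.data
        base = "HKLM\\SOFTWARE\\CLASSES\\" + progid.upper()
        command = defaults.get(base + r"\SHELL\OPEN\COMMAND", "")
        chains.append({
            "extension": m.group(1),
            "extension_key_created": e.key.upper() in created,  # registered fresh, not pre-existing
            "progid": progid,
            "description": defaults.get(base, ""),
            "icon": defaults.get(base + r"\DEFAULTICON", ""),
            "command": command,
            "launcher_in_user_path": bool(USER_WRITABLE.match(command)),
        })
    return chains


def run_key_entries(events):
    """Autostart values written under ...\\CurrentVersion\\Run or RunOnce, native or WOW6432Node view."""
    entries = []
    for e in events:
        if e.name and re.search(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$", e.key, re.I):
            entries.append({
                "view": "WOW6432Node" if "\\WOW6432NODE\\" in e.key.upper() else "native",
                "value_name": e.name,
                "command": e.data,
                "launcher_in_user_path": bool(USER_WRITABLE.match(e.data)),
                "written_by": e.process,
            })
    return entries


def shared_launchers(chains, runs):
    """Paths that both a hijacked file type and an autostart value point at."""
    return sorted({c["command"] for c in chains} & {r["command"] for r in runs})


if __name__ == "__main__":
    ev, made = parse_rows(REGISTRY_ROWS)
    chains, runs = file_associations(ev, made), run_key_entries(ev)
    for item in chains + runs:
        print(item)
    print("shared launcher(s):", shared_launchers(chains, runs))
```

The same two functions work over any registry-write telemetry once it is normalised into (key, value name, data, process) tuples. The view field matters when hunting: the 32-bit sample wrote the Run value under WOW6432Node, so a 64-bit tool that reads only the native Run key will not list it.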

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\default.help.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\it\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\WindowsDeveloperLicense\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\genericusbfn.inf_amd64_53931f0ae21d6d2c\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\MsDtc\es\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\hidtelephonydriver.inf_amd64_43fa6b1db642df7e\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\mdmnttp2.inf_amd64_8c1e04ee38482578\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netl1c63x64.inf_amd64_4d6630ce07a4fb42\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\SysWOW64\InstallShield\setupdir\0009\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\mdmaus.inf_amd64_f9b71b1d9c8643e2\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\lsi_sss.inf_amd64_503a2398f4c86893\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AssignedAccess\it-IT\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\amdi2c.inf_amd64_d7ae71f8eb52c084\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\usbport.inf_amd64_254cd5ae09de6b08\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\SysWOW64\InstallShield\setupdir\0015\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_LogResource\fr-FR\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_WindowsOptionalFeature\es-ES\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\mdmzyp.inf_amd64_19eb30e94285f2a6\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\mdmcodex.inf_amd64_f5594a2af66d11ab\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_WindowsOptionalFeature\fr-FR\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\mdmbsb.inf_amd64_0e44beb9cebe5a1e\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\mdmnttd2.inf_amd64_76ccb77f33c66c43\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\mdmusrg.inf_amd64_bb7c44c7bb3664d0\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\mlx4_bus.inf_amd64_4c426f3bebc68844\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\ntprint4.inf_amd64_0958c7cad3cd6075\Amd64\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\usbprint.inf_amd64_86cdf3e1f512cca1\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\wpdfs.inf_amd64_1183fd0f13045f2e\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\c_net.inf_amd64_32a9ad23c1ecc42d\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\perceptionsimulationsixdof.inf_amd64_3ff016f4df6d2b8a\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\SysWOW64\ja-JP\Licenses\_Default\Professional\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\es-ES\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netvg63a.inf_amd64_9f5493180b1252cf\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\net9500-x64-n650f.inf_amd64_e92c5a65e41993f9\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\wfpcapture.inf_amd64_54cf91ab0e4c9ac2\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\SysWOW64\InstallShield\setupdir\000b\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Examples\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_ScriptResource\it-IT\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\mdmrock5.inf_amd64_e485f7ac03009434\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\npsvctrig.inf_amd64_b98e9a5325075265\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\mdmaiwa.inf_amd64_7cfab61cbab23e11\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\mdmgl005.inf_amd64_d9886a7bbe9e55ca\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\mgtdyn.inf_amd64_a6235e923dc4047c\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\ts_wpdmtp.inf_amd64_e0577000b188c16b\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\wceisvista.inf_amd64_07ad61d07466a58a\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\SysWOW64\es-MX\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\International\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\c_monitor.inf_amd64_f02375bf47a4adb2\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\microsoft_bluetooth_a2dp_src.inf_amd64_0bdbb11733d87f9a\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\prnms012.inf_amd64_707d3849370b9d23\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\wmbclass_wmc_union.inf_amd64_a02e4111c770770d\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\SysWOW64\ko-KR\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\SysWOW64\Licenses\neutral\OEM\Professional\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\SysWOW64\Speech\Common\it-IT\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\SysWOW64\wbem\fr-FR\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\System32\DriverStore\en-US\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\SysWOW64\InstallShield\setupdir\0005\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_ProcessResource\en-US\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\prnms002.inf_amd64_2176cc45624119a9\Amd64\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\bthmtpenum.inf_amd64_3abc48e730d08fde\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\mdmcommu.inf_amd64_9d8718c8b82a0aeb\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\mdmgl003.inf_amd64_6b639ff361f628eb\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netvwififlt.inf_amd64_c5e19aab2305f37f\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\SysWOW64\IME\SHARED\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
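
The Drivers, System32 and Program Files tables in this detonation, like the Windows-directory rows in behavioral1, show one process doing two different things: "File created" rows are the ransom note HOW TO DECRYPT FILES.txt dropped into every directory it walks, while "File opened for modification" rows are existing files of assorted types (.txt, .png, .jpg, .wav, .gif) being rewritten. The Python below is an added example, not sandbox output: it parses a sample of those rows copied from this page, separates note drops from target rewrites, and applies a simple ransomware heuristic. The thresholds are illustrative assumptions, not values the report states.

```python
"""Profile ransom-note drops and target-file rewrites from sandbox file-event rows.

Added example for this report, not part of the sandbox. Rows below are copied from
the "Drops file in ..." tables on this page; the same logic runs over any file-event
source that records operation, path and writing process.
"""
import ntpath  # Windows path handling regardless of the host OS
import re
from collections import Counter
from dataclasses import dataclass

FILE_ROWS = [
    r'File created C:\Windows\SysWOW64\drivers\es-ES\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A',
    r'File created C:\Windows\SysWOW64\drivers\fr-FR\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A',
    r'File opened for modification C:\Windows\SysWOW64\drivers\gmreadme.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A',
    r'File created C:\Windows\SysWOW64\drivers\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A',
    r'File created C:\Windows\SysWOW64\drivers\de-DE\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A',
    r'File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\default.help.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A',
    r'File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\it\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A',
    r'File created C:\Windows\System32\DriverStore\FileRepository\genericusbfn.inf_amd64_53931f0ae21d6d2c\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A',
    r'File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\pl-pl\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A',
    r'File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteNotebookWideTile.scale-400.png C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A',
    r'File opened for modification C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\Wide310x150Logo.scale-125.png C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A',
    r'File opened for modification C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Adobe\Products.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A',
    r'File opened for modification C:\Windows\Web\Wallpaper\Architecture\img13.jpg C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A',
    r'File opened for modification C:\Windows\Media\Afternoon\Windows Exclamation.wav C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A',
    r'File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Images\gradient_onWhite.gif C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A',
    r'File created C:\Windows\ServiceProfiles\LocalService\AppData\Local\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A',
]

# Target path and process path both start with a drive letter; paths may contain
# spaces, so the process is the last drive-letter path before the trailing "N/A".
ROW_RE = re.compile(r"^File (?P<op>created|opened for modification) (?P<path>[A-Za-z]:\\.+?) (?P<proc>[A-Za-z]:\\.+?) N/A$")


@dataclass(frozen=True)
class FileEvent:
    op: str        # "created" or "opened for modification"
    path: str
    process: str


def parse_file_events(rows):
    return [FileEvent(m["op"], m["path"], m["proc"]) for row in rows if (m := ROW_RE.match(row))]


def top_level(path, depth=2):
    """First `depth` path components, e.g. C:\\Windows\\SysWOW64 for anything under it."""
    drive, rest = ntpath.splitdrive(path)
    parts = rest.strip("\\").split("\\")
    return drive + "\\" + "\\".join(parts[:depth])


def profile(events, note_name=None):
    """Separate note drops from target rewrites and summarise both."""
    created = [e for e in events if e.op == "created"]
    modified = [e for e in events if e.op == "opened for modification"]
    if note_name is None and created:
        # A ransom note is the one basename that gets created over and over again.
        note_name = Counter(ntpath.basename(e.path) for e in created).most_common(1)[0][0]
    note_dirs = {ntpath.dirname(e.path) for e in created if ntpath.basename(e.path) == note_name}
    return {
        "note_name": note_name,
        "note_directories": len(note_dirs),
        "modified_files": len(modified),
        "modified_extensions": Counter(ntpath.splitext(e.path)[1].lower() for e in modified),
        "modified_roots": Counter(top_level(e.path) for e in modified),
        "writers": sorted({e.process for e in events}),
    }


def looks_like_ransomware(p, min_note_dirs=5, min_extension_kinds=3):
    """Heuristic (thresholds are assumptions): a single writer dropping the same note
    into many directories while rewriting files of several unrelated types."""
    return (len(p["writers"]) == 1
            and p["note_directories"] >= min_note_dirs
            and len(p["modified_extensions"]) >= min_extension_kinds)


if __name__ == "__main__":
    p = profile(parse_file_events(FILE_ROWS))
    for k, v in p.items():
        print(f"{k}: {v}")
    print("ransomware-like:", looks_like_ransomware(p))
```

On the full event list from this report the note count runs into the thousands, which is why the sandbox tags "Drops file in Drivers directory", "... System32 directory" and "... Program Files directory" separately: a legitimate installer writes into one of those trees, not all of them, and it does not rewrite wallpapers, sounds and Store app icons on the way.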

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\pl-pl\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\Contracts\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteNotebookWideTile.scale-400.png C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\Programmer.targetsize-32_contrast-black.png C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsSmallTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\en-il\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\Wide310x150Logo.scale-125.png C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteNotebookSmallTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-80.png C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\WorldClockSmallTile.contrast-white_scale-200.png C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\GenericMailLargeTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarSmallTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\FileExtension.targetsize-256.png C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\sv-se\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GamesXboxHubStoreLogo.scale-200_contrast-high.png C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteAppList.scale-100.png C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-32_altform-unplated_contrast-white.png C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosLogoExtensions.targetsize-256.png C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\css\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\es-es\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Adobe\Products.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraSmallTile.contrast-white_scale-200.png C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-white_targetsize-48.png C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\LTR\contrast-white\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\NavigationIcons\nav_icons_store.targetsize-48.png C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.scale-400_contrast-black.png C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-black_targetsize-24.png C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-32_contrast-white.png C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Car\RTL\contrast-white\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageLargeTile.scale-100_contrast-black.png C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSectionGroupMedTile.scale-125.png C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.scale-200_contrast-white.png C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\logo_retina.png C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-white_scale-100.png C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GamesXboxHubBadgeLogo.scale-200.png C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-20_altform-unplated_contrast-black.png C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Generic-Light.scale-150.png C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\hr-hr\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\WindowsIcons\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\10.png C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-20_contrast-white.png C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Program Files (x86)\Common Files\Microsoft Shared\ink\es-ES\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteAppList.scale-150.png C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSectionWideTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\zh-tw\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\cs-cz\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\Background_Cliffhouse.jpg C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxIdentityProvider_12.50.6001.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.scale-100.png C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\it-it\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Adobe Acrobat Pro DC.pdf C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\EmptyView.scale-100.png C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Transit\contrast-black\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\RTL\contrast-black\SmallTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\ICELAND.TXT C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\PROFILE\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-40_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailSmallTile.scale-125.png C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNotePageMedTile.scale-125.png C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-black_targetsize-36.png C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\WinSxS\amd64_microsoft-windows-ui-pcshell_31bf3856ad364e35_10.0.19041.746_none_f297ff1a159e7f05\r\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-v..skservice.resources_31bf3856ad364e35_10.0.19041.1_en-us_5801e9f68bdc3d85\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File opened for modification C:\Windows\SystemResources\Windows.UI.ShellCommon\Images\WiFiNetworkManagerToast.scale-125.png C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-onecore-actionqueue.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_fae0a0b9eaafe4be\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-d..ompat-adm.resources_31bf3856ad364e35_10.0.19041.1_it-it_ab858487faf33768\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-hotspotauth-adm_31bf3856ad364e35_10.0.19041.1_none_ea54f59ce460e3b7\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-mobilepc-sensors-api_31bf3856ad364e35_10.0.19041.746_none_e06926606d9d22f9\f\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-robocopy.resources_31bf3856ad364e35_10.0.19041.1_en-us_6abbcc8b8fcc07e3\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-peertopeerbase_31bf3856ad364e35_10.0.19041.1_none_21c94890c5647051\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\INF\ServiceModelService 3.0.0.0\0410\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\Assets\Icons\contrast-black\AppListIcon.scale-125.png C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\WinSxS\amd64_cdrom.inf.resources_31bf3856ad364e35_10.0.19041.1_en-us_eeabdb05f6ee48e5\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-bth-cpl_31bf3856ad364e35_10.0.19041.1_none_0d0ae394ff68d5f5\@BthpropsNotificationLogo.png C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_es-es_12451df02dbd2879\403-1.htm C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-netbt_31bf3856ad364e35_10.0.19041.572_none_3e399e76562f6053\f\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Build.Conversion.v4.0.resources\v4.0_4.0.0.0_de_b03f5f7f11d50a3a\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Mobile.resources\v4.0_4.0.0.0_ja_b03f5f7f11d50a3a\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-hgattest-wmi.resources_31bf3856ad364e35_10.0.19041.1_es-es_c60bea0e87a424f7\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-c..ners-dynamic-device_31bf3856ad364e35_10.0.19041.1_none_b4a7fb8b678481c6\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-imapiv2-base_31bf3856ad364e35_10.0.19041.746_none_a103bab27170fd31\f\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-comctl32-v5.resources_31bf3856ad364e35_10.0.19041.1023_tr-tr_65cac6c981f17921\r\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_it-it_9f248a35f7c12459\401-1.htm C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-p..talcontrolssettings_31bf3856ad364e35_10.0.19041.264_none_d1ce115a6e50bd32\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-security-aadauthhelper_31bf3856ad364e35_10.0.19041.1266_none_2cd716ad69707c0a\r\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-setx.resources_31bf3856ad364e35_10.0.19041.1_es-es_773802e77757f149\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-userexperience-desktop_31bf3856ad364e35_10.0.19041.1266_none_fb76f6fb7e78a373\InputApp\Assets\Ninja\CategorySticker.png C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-w..ction-adm.resources_31bf3856ad364e35_10.0.19041.1_de-de_fa973ceb0cae15b6\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-wmiv2-mi-dll_31bf3856ad364e35_10.0.19041.546_none_683a88876ebd7c0a\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\WinSxS\amd64_c_camera.inf.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_23bf43948c55c007\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-onecore-tiledatarepository_31bf3856ad364e35_10.0.19041.264_none_ac56521bfe3760e4\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.19041.1_en-us_9b69330b34021c65\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-rpc-ns.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_58b032a3f5a9d787\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-s..estartup-change-pin_31bf3856ad364e35_10.0.19041.1237_none_665f7346099d6350\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-s..up-prompt.resources_31bf3856ad364e35_10.0.19041.1_de-de_68faace6a65a6796\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-i..ng-legacy.resources_31bf3856ad364e35_11.0.19041.1_de-de_2d07e35addcec99e\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-m..-schedule.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_50449f7d58a9ce42\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-r..-detector.resources_31bf3856ad364e35_10.0.19041.1_it-it_b2bccccd75b09d71\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\WinSxS\amd64_netfx-microsoft.vsa_b03f5f7f11d50a3a_10.0.19041.1_none_a25be6f87f8e8c7d\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-comctl32-v5.resources_31bf3856ad364e35_10.0.19041.1_tr-tr_a6e41dbf6c2a9394\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-n..tion_service_iasnap_31bf3856ad364e35_10.0.19041.746_none_57740b56b3f3bdad\r\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-r..tymanager.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_8d767e5cae4ff082\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-w..cationcompatibility_31bf3856ad364e35_10.0.19041.1_none_241b3b307ddfb152\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.SDHost.Resources\v4.0_1.0.0.0_es_31bf3856ad364e35\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-m..oolsclient.appxmain_31bf3856ad364e35_10.0.19041.423_none_9de80b9d881a1ebd\debugger.html C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-oleacc_31bf3856ad364e35_10.0.19041.746_none_487e089a81330048\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-p..riencehost.appxmain_31bf3856ad364e35_10.0.19041.1_none_97b0a47239f6db64\PeopleLogo.targetsize-64_altform-unplated_contrast-black.png C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-s..lers-siuf.resources_31bf3856ad364e35_10.0.19041.1_es-es_26d9d1c9b7ee55fc\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-t..onmanager.resources_31bf3856ad364e35_10.0.19041.1_en-us_9282db59dc3419f7\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\aspnet_compiler.resources\v4.0_4.0.0.0_ja_b03f5f7f11d50a3a\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-l..wslconfig.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_cd375cf6e95c10aa\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-mobsync.resources_31bf3856ad364e35_10.0.19041.1_it-it_be3d62eb83507440\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-sechealthui.appxmain_31bf3856ad364e35_10.0.19041.153_none_90dc0b923cd83016\Square71x71Logo.contrast-white_scale-150.png C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-u..ccess-userdatautils_31bf3856ad364e35_10.0.19041.1_none_94e6dd42406ad3a9\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\WinSxS\amd64_netfx4-nlslexicons0009_b03f5f7f11d50a3a_4.0.15805.0_none_a3ae349d43a0e1f0\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\WinSxS\amd64_dual_spaceport.inf_31bf3856ad364e35_10.0.19041.1_none_a5aee3d9428e55fa\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.117_none_e0d32848ac56114e\oobe-bookend-cortanaout.gif C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-d..b-standardcollector_31bf3856ad364e35_10.0.19041.928_none_0f531ea0d233243b\f\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-onecore-winrt-storage_31bf3856ad364e35_10.0.19041.1266_none_58f5a5acd2795abf\f\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-s..up-notify.resources_31bf3856ad364e35_10.0.19041.1_en-us_e98c1b2c31078c32\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-usbperf.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_322e74f6b3012f36\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\de-DE\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\Assets\PeopleLogo.targetsize-16_altform-unplated_contrast-black.png C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-hyper-v-winhv_31bf3856ad364e35_10.0.19041.1_none_93cc37f483916b61\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-m..nt-browser.appxmain_31bf3856ad364e35_10.0.19041.1_none_b1e502c19c2a358b\Wide310x150Logo.contrast-white_scale-125.png C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.anonymous C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.anonymous\ = "CDOAEETJFTHWUGN" C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CDOAEETJFTHWUGN\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\533OqvBH346eRq3.exe,0" C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CDOAEETJFTHWUGN\shell\open\command C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CDOAEETJFTHWUGN\shell C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CDOAEETJFTHWUGN\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\533OqvBH346eRq3.exe" C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CDOAEETJFTHWUGN C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CDOAEETJFTHWUGN\ = "CRYPTED!" C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CDOAEETJFTHWUGN\DefaultIcon C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CDOAEETJFTHWUGN\shell\open C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\14cdb3735feec79d1bfbbcca899bc209b20e97283e7e600ff930b0019abeaef6.exe

"C:\Users\Admin\AppData\Local\Temp\14cdb3735feec79d1bfbbcca899bc209b20e97283e7e600ff930b0019abeaef6.exe"

C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe

"C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe"

Network

Country Destination Domain Proto
US 209.197.3.8:80 tcp
US 209.197.3.8:80 tcp
US 209.197.3.8:80 tcp
US 209.197.3.8:80 tcp
US 13.107.21.200:443 tcp
NL 104.80.225.205:443 tcp

Files

memory/5112-132-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\You Are Hacked.exe

MD5 93412c40272361e258e4dc0de74f7075
SHA1 c13b3cf156b76980c4eab4fae183758c4700440d
SHA256 7e5992568dc614491fbc17c3efbac79f8eb3e8b9cab73a6c877bdc61342cdd6e
SHA512 00c58f5c21ba59db1442e6761c60fdeeb756223b4d51f81cfb2b82aee415eb71a883d5d24086e6ad32c06f87d97d79f1123f20471350492597649eaa3e8d9067

memory/5112-135-0x0000000000400000-0x0000000000785000-memory.dmp

memory/5112-136-0x00000000772E0000-0x0000000077483000-memory.dmp

memory/5112-137-0x0000000000400000-0x0000000000785000-memory.dmp

memory/5112-138-0x00000000772E0000-0x0000000077483000-memory.dmp