Analysis
- max time kernel: 51s
- max time network: 68s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 17/11/2020, 06:46
Static task: static1
Behavioral task: behavioral1
- Sample: lkb99.exe
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: lkb99.exe
- Resource: win10v20201028
General
- Target: lkb99.exe
- Size: 552KB
- MD5: b4d493ac4428abf9aed55dc444d2073f
- SHA1: 6948fd344891e36799a80d6828e42b09ca553b7a
- SHA256: 41c611528db77b92eb0e0602215e63e6c2d7efbf1a11f980c514eb31ce9266c3
- SHA512: c4ab19333856e0c8f6a842c64967a9c1fc9ae3a24efc067b0cfe764ef4c8c97236a8afff64ebc983cade3e2775c93a3a35316bea9a6c9b1d4ecfa0acda224e75
Malware Config
- Extracted from: C:\odt\Restore-My-Files.txt
- Family: lockbit
- URLs:
  - http://lockbit-decryptor.top/?8841DD9B0AC925FFB6624974556F6F4D
  - http://lockbitks2tvnmwk.onion/?8841DD9B0AC925FFB6624974556F6F4D
Signatures
- Lockbit
  Ransomware family with multiple variants released since late 2019.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  - Set value (str): \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\XO1XADpO01 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\lkb99.exe\"" (process: lkb99.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (process: lkb99.exe)
- Drops desktop.ini file(s) (1 IoC)
  - File opened for modification: \??\Z:\$RECYCLE.BIN\S-1-5-21-1985363256-3005190890-1182679451-1000\desktop.ini (process: lkb99.exe)
- Enumerates connected drives (3 TTPs, 1 IoC)
  Attempts to read the root path of hard drives other than the default C: drive.
  - File opened (read-only): \??\Z: (process: lkb99.exe)
- Suspicious use of NtSetInformationThreadHideFromDebugger (20 IoCs)
  - PID 948, lkb99.exe (the same entry is listed 20 times)
- Drops file in Program Files directory (224 IoCs)
- Program crash (1 IoC)
  - PID 1656, WerFault.exe; target PID 948, target procid 68
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  - PID 948, lkb99.exe
  - PID 948, lkb99.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  - Token: SeTakeOwnershipPrivilege (PID 948, lkb99.exe)
  - Token: SeDebugPrivilege (PID 948, lkb99.exe)
- Suspicious use of WriteProcessMemory (2 IoCs)
  - PID 948 wrote to memory of 3752 (PID 948, lkb99.exe, target procid 84)
  - PID 948 wrote to memory of 3752 (PID 948, lkb99.exe, target procid 84)
Processes
- C:\Users\Admin\AppData\Local\Temp\lkb99.exe (PID 948)
  Command line: "C:\Users\Admin\AppData\Local\Temp\lkb99.exe"
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WerFault.exe (PID 1656)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 948 -s 1420
    - Program crash
  - C:\Windows\System32\cmd.exe (PID 3752)
    Command line: "C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet