Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
64s -
max time network
116s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
18/02/2021, 15:18
Static task
static1
Behavioral task
behavioral1
Sample
190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
Resource
win7v20201028
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
Resource
win10v20201028
windows10_x64
0 signatures
0 seconds
General
-
Target
190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe
-
Size
66KB
-
MD5
c9a3f59644226858255588cd5d3c6d56
-
SHA1
be1e18396b118b13cc2128ab7efbe11833dc4d53
-
SHA256
190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a
-
SHA512
ba450f886ee9f24eed23298b8749dfa64ee4a48d70c89dcbaa3d10b6d3a9cd7bfdff377aae5f1a13ff9383e137be61eae6814c856df4325d108a2339a4683699
Score
10/10
Malware Config
Extracted
Path
C:\$Recycle.Bin\HOW_TO_RECOVERY_FILES.txt
Family
balaclava
Ransom Note
Hello!
If you see this message - this means your files are now encrypted and are in a non-working state!
Now only we can help you recover.
If you are ready to restore the work - send us an email to the address
[email protected]
In the letter, specify your personal identifier, which you will see below.
In the reply letter we will inform you the cost of decrypting your files.
Before payment you can send us 1 files for test decryption.
We will decrypt the files you requested and send you back.
This ensures that we own the key to recover your data.
The total file size should be no more than 2 MB,
the files should not contain valuable information (databases, backups, large Excel spreadsheets ...).
Email to contact us - [email protected]
YOUR PERSONAL ID :
2B97C0EC94560515F4286634C03FC6FDBA454A8804B615D46C85EDFA4708E124
8F2779E021590BEB23E17290C1F7F6AFEFBE625C33D6F74222A8A8C3C37FED16
B6FA0E0F1642C2EC471CE1410C03808B33E5494D8AB504E737826F2F7A47B18D
8E6B81FD5294302500DE5FEE21B6F4CDD65354B6979047F81254A47DE50194A3
D7997CBD5D932C29EA2BC1FEB46FC4C804F3FC5A77021319967B7D137BE996A1
110A9A43562EF7BFDFD2407E4100E68D01372A59ED9ECF9FF94E6009D817894C
F6C09A0E40C6878664C7BC4801DD6DE76EB89FA90CD91CCEE7B7525F8E092FB4
47873D10545DC91D20FDB961AF9A109738CF69A7686A37852A28427F641543ED
DE83AA7A0C0B9CBA5E4AE54F2212926EFD93E688146B2B11B6BD5E11F70BB144
93A6895D57C10590B0BF1D6A3B1DEDB797CB7F49CCB63E8F0C3C9C77CD643723
A5F21F0CD3E8685E0A26B89741686DB813B278B08D82391035C6A0BBB77613FC
D641200EF5E39CF0EF5CA9EAA563D563B219A03DA6FF4579AEA3DEDB073329DE
DE446C6C4D213E5BA0F74906E151D743639B764E1F49E3D0A7A20EE722FC27C2
EE5E7DC8F3A5171469395272F7A1735DEB5ED9C772E30F282ACD7F1B8BD1D34F
D5C065E0D9C6B470217F43D988946738F3087D4910A74C2AC03A7295620A00EA
19946CC743EB5DCE5CC0009B00B486F862F0687BBC19AB145E933F7C3E8D826A
CEB81FF1F9AB10AFEFA7393376B6618E9D46E2B7D6A54E7DBDDB788F8D4448DE
A80522BC10324364DC9730D322C551E2A94516AB225E2AF626938CFD8400914D
CAB0166C8A75A95B185233F26E9F15E3A7B456EEEB9BF263B057D4BD255CEEE2
C841D5EDB472A160988ED333234B33F08E763553851F5CF0DDDA25F1EBC6DF54
C617FC5D97ED2710EC038C32DA0E8CC06F4626955254790F00C3ED75D5AE22C4
026A439955467F4DD83B610AF0845FA6989C47340FEF53CA39055C8E6D588460
9FBB6A0C59BBA30562324CEBE1103A553F470C97961C02DA202057DD49B25E1E
CF176701C9488828D156F0170A7DE6DE6031ED1E0C5E4759B9A83396AD579EB1
E2962EC09C0A267B7EF6C9F86A6A0B5B0542B9F1B67B3C7891BA1C177DF77F73
0FFF2A52EAB5C101BD
Emails
Signatures
-
Balaclava Malware
Balaclava malware is a ransomware program.
-
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
description pid Process procid_target PID 3368 created 652 3368 WerFault.exe 67 -
Modifies extensions of user files 2 IoCs
Ransomware generally changes the extension on encrypted files.
description ioc Process File opened for modification C:\Users\Admin\Pictures\FindAssert.tiff 190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe File opened for modification C:\Users\Admin\Pictures\MergeRequest.tiff 190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe -
Drops desktop.ini file(s) 28 IoCs
description ioc Process File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI 190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe File opened for modification C:\Users\Public\AccountPictures\desktop.ini 190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe File opened for modification C:\Users\Admin\Searches\desktop.ini 190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe File opened for modification C:\Users\Public\Documents\desktop.ini 190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe File opened for modification C:\Users\Public\Libraries\desktop.ini 190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe File opened for modification C:\Program Files\desktop.ini 190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe File opened for modification C:\Users\Admin\Downloads\desktop.ini 190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe File opened for modification C:\Users\Admin\Music\desktop.ini 190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini 190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe File opened for modification C:\Users\Public\Downloads\desktop.ini 190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe File opened for modification C:\$Recycle.Bin\S-1-5-21-1985363256-3005190890-1182679451-1000\desktop.ini 190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe File opened for modification C:\Users\Admin\Contacts\desktop.ini 190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe File opened for modification C:\Users\Admin\Desktop\desktop.ini 190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe File opened for modification C:\Users\Admin\Links\desktop.ini 190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe File opened for modification C:\Users\Public\Desktop\desktop.ini 190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe File opened for modification C:\Users\Public\Videos\desktop.ini 190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe File opened for modification C:\Program Files (x86)\desktop.ini 190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe File opened for modification C:\Users\Admin\Videos\desktop.ini 190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe File opened for modification C:\Users\Admin\Favorites\desktop.ini 190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe File opened for modification C:\Users\Public\desktop.ini 190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe File opened for modification C:\Users\Public\Music\desktop.ini 190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe File opened for modification C:\Users\Admin\Documents\desktop.ini 190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini 190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe File opened for modification C:\Users\Admin\OneDrive\desktop.ini 190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe File opened for modification C:\Users\Admin\Pictures\desktop.ini 190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini 190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe File opened for modification C:\Users\Admin\Saved Games\desktop.ini 190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe File opened for modification C:\Users\Public\Pictures\desktop.ini 190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe -
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\A: 190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-print.xml 190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Classic\mask\1d.png 190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\so_16x11.png 190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\OutlookMailBadge.scale-200.png 190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\dark\x_2x.png 190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\feature.properties 190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\Fonts\private\GADUGI.TTF 190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\fur\LC_MESSAGES\vlc.mo 190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\id_16x11.png 190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-32_altform-unplated.png 190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\hr-hr\HOW_TO_RECOVERY_FILES.txt 190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-util-enumerations_ja.jar 190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\large\coffee.png 190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\az_16x11.png 190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-16_altform-unplated.png 190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\7336_24x24x32.png 190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-20_altform-unplated_contrast-white.png 190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\pt-br\ui-strings.js 190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Subscription2-ul-oob.xrm-ms 190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.MashupEngine.dll 190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\large\evilgrin.png 190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarAppList.targetsize-96_altform-unplated.png 190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\line.cur 190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-jvm_zh_CN.jar 190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial2-ul-oob.xrm-ms 190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL016.XML 190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe File created C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Images\HOW_TO_RECOVERY_FILES.txt 190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\fi-fi\ui-strings.js 190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest2-ppd.xrm-ms 190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GetStartedMedTile.scale-200.png 190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\DailyChallenges\LargeKlondikeTile.jpg 190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Assets\SkypeLargeTile.scale-200_contrast-white.png 190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-64_altform-fullcolor.png 190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\zh-tw\ui-strings.js 190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\IGX.DLL 190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.ReportingServices.ProgressiveProcessing.dll 190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\2_40x40x32.png 190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Assets\Audio\Skype_Call_Hold.m4a 190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailAppList.targetsize-96.png 190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\StoreAppList.targetsize-16.png 190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\RHP_icons.png 190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\fi-fi\ui-strings.js 190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\servertool.exe 190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\selector.js 190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1702.301.0_neutral_split.scale-200_8wekyb3d8bbwe\AppxSignature.p7x 190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\ExchangeMediumTile.scale-125.png 190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe File created C:\Program Files\Microsoft Office\root\Office16\MSIPC\zh-CN\HOW_TO_RECOVERY_FILES.txt 190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Jumbo\jumbo_background.jpg 190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\10191_48x48x32.png 190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\LICENSE.txt 190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroSup64.dll 190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\ko-kr\HOW_TO_RECOVERY_FILES.txt 190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\org-netbeans-lib-profiler-common.jar 190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-multibyte-l1-1-0.dll 190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Sticker_MouseNose.png 190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.jface.text.nl_ja_4.4.0.v20140623020002.jar 190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxCalendarSplashLogo.scale-125.png 190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_filter-dark-disabled_32.svg 190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\ca-es\ui-strings.js 190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.RSA 190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub_eula.txt 190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.16112.11621.0_neutral_resources.scale-125_8wekyb3d8bbwe\Assets\contrast-black\WideLogo.scale-125_contrast-black.png 190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml 190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\root\HOW_TO_RECOVERY_FILES.txt 190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3368 652 WerFault.exe 67 -
Suspicious behavior: EnumeratesProcesses 14 IoCs
pid Process 3368 WerFault.exe 3368 WerFault.exe 3368 WerFault.exe 3368 WerFault.exe 3368 WerFault.exe 3368 WerFault.exe 3368 WerFault.exe 3368 WerFault.exe 3368 WerFault.exe 3368 WerFault.exe 3368 WerFault.exe 3368 WerFault.exe 3368 WerFault.exe 3368 WerFault.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeRestorePrivilege 3368 WerFault.exe Token: SeBackupPrivilege 3368 WerFault.exe Token: SeDebugPrivilege 3368 WerFault.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe"C:\Users\Admin\AppData\Local\Temp\190a621ed9d5471e03fbc7144f04b3ed0d94b5be2ab0c4bc1df345120986d19a.exe"1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
PID:652 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 652 -s 10122⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3368
-