lockergoga | 55d28e9c577d54732a546acb9b74a12e20cf25afab9636273abcabbb1a00e83d

Analysis

max time kernel
152s
max time network
122s
platform
windows7_x64
resource
win7-en-20211208
submitted
01/02/2022, 13:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

55d28e9c577d54732a546acb9b74a12e20cf25afab9636273abcabbb1a00e83d.exe
Size

1.2MB
MD5

8801eb4b1617295998c6812022792787
SHA1

9006366f6da38ffbff3bd9b0fdc7516d1c412d98
SHA256

55d28e9c577d54732a546acb9b74a12e20cf25afab9636273abcabbb1a00e83d
SHA512

d7cb7a95cbebcadbea9d733ce1ee7adb9e58f675efbe0ea63241d7977136a42fce92f4d189d3621085d8cb6e692d00e99b1e56586b9b2355cadf6f8c3b35ca4b

Score

10^/10

lockergoga banker ransomware trojan

Malware Config

Extracted

Path

C:\Users\Public\Desktop\README_LOCKED.txt

Ransom Note

Greetings! There was a significant flaw in the security system of your company. You should be thankful that the flaw was exploited by serious people and not some rookies. They would have damaged all of your data by mistake or for fun. Your files are encrypted with the strongest military algorithms RSA4096 and AES-256. Without our special decoder it is impossible to restore the data. Attempts to restore your data with third party software as Photorec, RannohDecryptor etc. will lead to irreversible destruction of your data. To confirm our honest intentions. Send us 2-3 different random files and you will get them decrypted. It can be from different computers on your network to be sure that our decoder decrypts everything. Sample files we unlock for free (files should not be related to any kind of backups). We exclusively have decryption software for your situation DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT RENAME the encrypted files. DO NOT MOVE the encrypted files. This may lead to the impossibility of recovery of the certain files. The payment has to be made in Bitcoins. The final price depends on how fast you contact us. As soon as we receive the payment you will get the decryption tool and instructions on how to improve your systems security To get information on the price of the decoder contact us at: [email protected] [email protected]

Emails

[email protected]

Signatures

LockerGoga
LockerGoga is a ransomware that is primarily used in targeted, disruptive attacks.
trojan banker lockergoga

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\desktop.ini	tgytutrc8724.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\Gadget_Star_Half.png	tgytutrc8724.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\css\settings.css	tgytutrc8724.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\css\settings.css	tgytutrc8724.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\css\settings.css	tgytutrc8724.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\css\slideShow.css	tgytutrc8724.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\38.png	tgytutrc8724.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Groove.en-us\SETUP.XML	tgytutrc8724.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\combo-hover-middle.png	tgytutrc8724.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\css\clock.css	tgytutrc8724.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\en-US\css\cpu.css	tgytutrc8724.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\images\dialdot_lrg.png	tgytutrc8724.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\graph_up.png	tgytutrc8724.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\fr-FR\ImagingDevices.exe.mui	tgytutrc8724.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\rss_headline_glow_flyout.png	tgytutrc8724.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\drag.png	tgytutrc8724.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSORES.DLL	tgytutrc8724.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RIPPLE\PREVIEW.GIF	tgytutrc8724.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_box_right.png	tgytutrc8724.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\3.png	tgytutrc8724.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_gray_few-showers.png	tgytutrc8724.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\pe.dll	tgytutrc8724.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\QRCode.pmp	tgytutrc8724.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\msadc\fr-FR\msadcor.dll.mui	tgytutrc8724.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\msadc\fr-FR\msadcer.dll.mui	tgytutrc8724.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\(120DPI)greenStateIcon.png	tgytutrc8724.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\34.png	tgytutrc8724.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\msadc\fr-FR\msaddsr.dll.mui	tgytutrc8724.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\Ole DB\oledbjvs.inc	tgytutrc8724.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\tile16.png	tgytutrc8724.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\js\init.js	tgytutrc8724.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_left_disabled.png	tgytutrc8724.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\item_hover_flyout.png	tgytutrc8724.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\reveal_hov.png	tgytutrc8724.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\weather.html	tgytutrc8724.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\css\cpu.css	tgytutrc8724.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\css\currency.css	tgytutrc8724.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_box_bottom.png	tgytutrc8724.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\buttonUp_On.png	tgytutrc8724.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\css\RSSFeeds.css	tgytutrc8724.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\settings.html	tgytutrc8724.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\settings.html	tgytutrc8724.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VGX\VGX.dll	tgytutrc8724.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_corner_bottom_left.png	tgytutrc8724.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	tgytutrc8724.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\WordpadFilter.dll	tgytutrc8724.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\trad_h.png	tgytutrc8724.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_left_rest.png	tgytutrc8724.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\delete_up.png	tgytutrc8724.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\flyout.html	tgytutrc8724.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\36.png	tgytutrc8724.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\COMPASS\THMBNAIL.PNG	tgytutrc8724.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\mip.exe.mui	tgytutrc8724.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\clock.html	tgytutrc8724.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\en-US\cpu.html	tgytutrc8724.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\js\library.js	tgytutrc8724.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\base-undocked-4.png	tgytutrc8724.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\css\settings.css	tgytutrc8724.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\buttonDown_On.png	tgytutrc8724.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\(120DPI)alertIcon.png	tgytutrc8724.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\js\calendar.js	tgytutrc8724.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_blue_snow.png	tgytutrc8724.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_gray_rainy.png	tgytutrc8724.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\js\main.js	tgytutrc8724.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\Gadget_Waitcursor.gif	tgytutrc8724.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1508	tgytutrc8724.exe
1508	tgytutrc8724.exe
1508	tgytutrc8724.exe
1508	tgytutrc8724.exe
588	tgytutrc8724.exe
588	tgytutrc8724.exe
1116	tgytutrc8724.exe
1116	tgytutrc8724.exe
588	tgytutrc8724.exe
588	tgytutrc8724.exe
1116	tgytutrc8724.exe
1116	tgytutrc8724.exe
588	tgytutrc8724.exe
588	tgytutrc8724.exe
588	tgytutrc8724.exe
588	tgytutrc8724.exe
1508	tgytutrc8724.exe
1508	tgytutrc8724.exe
1116	tgytutrc8724.exe
1116	tgytutrc8724.exe
588	tgytutrc8724.exe
588	tgytutrc8724.exe
1508	tgytutrc8724.exe
1508	tgytutrc8724.exe
1116	tgytutrc8724.exe
1116	tgytutrc8724.exe
588	tgytutrc8724.exe
588	tgytutrc8724.exe
588	tgytutrc8724.exe
588	tgytutrc8724.exe
1116	tgytutrc8724.exe
1116	tgytutrc8724.exe
1508	tgytutrc8724.exe
1508	tgytutrc8724.exe
588	tgytutrc8724.exe
588	tgytutrc8724.exe
1508	tgytutrc8724.exe
1508	tgytutrc8724.exe
588	tgytutrc8724.exe
588	tgytutrc8724.exe
1116	tgytutrc8724.exe
1116	tgytutrc8724.exe
1508	tgytutrc8724.exe
1508	tgytutrc8724.exe
588	tgytutrc8724.exe
588	tgytutrc8724.exe
1116	tgytutrc8724.exe
1116	tgytutrc8724.exe
588	tgytutrc8724.exe
588	tgytutrc8724.exe
1116	tgytutrc8724.exe
1116	tgytutrc8724.exe
1140	tgytutrc8724.exe
1140	tgytutrc8724.exe
1508	tgytutrc8724.exe
1508	tgytutrc8724.exe
1508	tgytutrc8724.exe
1508	tgytutrc8724.exe
1140	tgytutrc8724.exe
1140	tgytutrc8724.exe
1116	tgytutrc8724.exe
1116	tgytutrc8724.exe
1508	tgytutrc8724.exe
1508	tgytutrc8724.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1968	cmd.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	756	55d28e9c577d54732a546acb9b74a12e20cf25afab9636273abcabbb1a00e83d.exe
Token: SeBackupPrivilege	756	55d28e9c577d54732a546acb9b74a12e20cf25afab9636273abcabbb1a00e83d.exe
Token: SeRestorePrivilege	756	55d28e9c577d54732a546acb9b74a12e20cf25afab9636273abcabbb1a00e83d.exe
Token: SeLockMemoryPrivilege	756	55d28e9c577d54732a546acb9b74a12e20cf25afab9636273abcabbb1a00e83d.exe
Token: SeCreateGlobalPrivilege	756	55d28e9c577d54732a546acb9b74a12e20cf25afab9636273abcabbb1a00e83d.exe
Token: SeDebugPrivilege	584	tgytutrc8724.exe
Token: SeBackupPrivilege	584	tgytutrc8724.exe
Token: SeRestorePrivilege	584	tgytutrc8724.exe
Token: SeLockMemoryPrivilege	584	tgytutrc8724.exe
Token: SeCreateGlobalPrivilege	584	tgytutrc8724.exe
Token: SeDebugPrivilege	1508	tgytutrc8724.exe
Token: SeBackupPrivilege	1508	tgytutrc8724.exe
Token: SeRestorePrivilege	1508	tgytutrc8724.exe
Token: SeLockMemoryPrivilege	1508	tgytutrc8724.exe
Token: SeCreateGlobalPrivilege	1508	tgytutrc8724.exe
Token: SeDebugPrivilege	1116	tgytutrc8724.exe
Token: SeBackupPrivilege	1116	tgytutrc8724.exe
Token: SeRestorePrivilege	1116	tgytutrc8724.exe
Token: SeLockMemoryPrivilege	1116	tgytutrc8724.exe
Token: SeCreateGlobalPrivilege	1116	tgytutrc8724.exe
Token: SeDebugPrivilege	588	tgytutrc8724.exe
Token: SeBackupPrivilege	588	tgytutrc8724.exe
Token: SeRestorePrivilege	588	tgytutrc8724.exe
Token: SeLockMemoryPrivilege	588	tgytutrc8724.exe
Token: SeCreateGlobalPrivilege	588	tgytutrc8724.exe
Token: SeDebugPrivilege	1140	tgytutrc8724.exe
Token: SeBackupPrivilege	1140	tgytutrc8724.exe
Token: SeRestorePrivilege	1140	tgytutrc8724.exe
Token: SeLockMemoryPrivilege	1140	tgytutrc8724.exe
Token: SeCreateGlobalPrivilege	1140	tgytutrc8724.exe
Token: SeDebugPrivilege	288	tgytutrc8724.exe
Token: SeBackupPrivilege	288	tgytutrc8724.exe
Token: SeRestorePrivilege	288	tgytutrc8724.exe
Token: SeLockMemoryPrivilege	288	tgytutrc8724.exe
Token: SeCreateGlobalPrivilege	288	tgytutrc8724.exe
Token: SeDebugPrivilege	1780	tgytutrc8724.exe
Token: SeBackupPrivilege	1780	tgytutrc8724.exe
Token: SeRestorePrivilege	1780	tgytutrc8724.exe
Token: SeLockMemoryPrivilege	1780	tgytutrc8724.exe
Token: SeCreateGlobalPrivilege	1780	tgytutrc8724.exe
Token: SeDebugPrivilege	1384	tgytutrc8724.exe
Token: SeBackupPrivilege	1384	tgytutrc8724.exe
Token: SeRestorePrivilege	1384	tgytutrc8724.exe
Token: SeLockMemoryPrivilege	1384	tgytutrc8724.exe
Token: SeCreateGlobalPrivilege	1384	tgytutrc8724.exe
Token: SeDebugPrivilege	1992	tgytutrc8724.exe
Token: SeBackupPrivilege	1992	tgytutrc8724.exe
Token: SeRestorePrivilege	1992	tgytutrc8724.exe
Token: SeLockMemoryPrivilege	1992	tgytutrc8724.exe
Token: SeCreateGlobalPrivilege	1992	tgytutrc8724.exe
Token: SeDebugPrivilege	1996	tgytutrc8724.exe
Token: SeBackupPrivilege	1996	tgytutrc8724.exe
Token: SeRestorePrivilege	1996	tgytutrc8724.exe
Token: SeLockMemoryPrivilege	1996	tgytutrc8724.exe
Token: SeCreateGlobalPrivilege	1996	tgytutrc8724.exe
Token: SeDebugPrivilege	1484	tgytutrc8724.exe
Token: SeBackupPrivilege	1484	tgytutrc8724.exe
Token: SeRestorePrivilege	1484	tgytutrc8724.exe
Token: SeLockMemoryPrivilege	1484	tgytutrc8724.exe
Token: SeCreateGlobalPrivilege	1484	tgytutrc8724.exe
Token: SeDebugPrivilege	640	tgytutrc8724.exe
Token: SeBackupPrivilege	640	tgytutrc8724.exe
Token: SeRestorePrivilege	640	tgytutrc8724.exe
Token: SeLockMemoryPrivilege	640	tgytutrc8724.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 756 wrote to memory of 1968	756	55d28e9c577d54732a546acb9b74a12e20cf25afab9636273abcabbb1a00e83d.exe	27
PID 756 wrote to memory of 1968	756	55d28e9c577d54732a546acb9b74a12e20cf25afab9636273abcabbb1a00e83d.exe	27
PID 756 wrote to memory of 1968	756	55d28e9c577d54732a546acb9b74a12e20cf25afab9636273abcabbb1a00e83d.exe	27
PID 756 wrote to memory of 1968	756	55d28e9c577d54732a546acb9b74a12e20cf25afab9636273abcabbb1a00e83d.exe	27
PID 756 wrote to memory of 584	756	55d28e9c577d54732a546acb9b74a12e20cf25afab9636273abcabbb1a00e83d.exe	29
PID 756 wrote to memory of 584	756	55d28e9c577d54732a546acb9b74a12e20cf25afab9636273abcabbb1a00e83d.exe	29
PID 756 wrote to memory of 584	756	55d28e9c577d54732a546acb9b74a12e20cf25afab9636273abcabbb1a00e83d.exe	29
PID 756 wrote to memory of 584	756	55d28e9c577d54732a546acb9b74a12e20cf25afab9636273abcabbb1a00e83d.exe	29
PID 584 wrote to memory of 476	584	tgytutrc8724.exe	30
PID 584 wrote to memory of 476	584	tgytutrc8724.exe	30
PID 584 wrote to memory of 476	584	tgytutrc8724.exe	30
PID 584 wrote to memory of 476	584	tgytutrc8724.exe	30
PID 584 wrote to memory of 552	584	tgytutrc8724.exe	31
PID 584 wrote to memory of 552	584	tgytutrc8724.exe	31
PID 584 wrote to memory of 552	584	tgytutrc8724.exe	31
PID 584 wrote to memory of 552	584	tgytutrc8724.exe	31
PID 584 wrote to memory of 1396	584	tgytutrc8724.exe	35
PID 584 wrote to memory of 1396	584	tgytutrc8724.exe	35
PID 584 wrote to memory of 1396	584	tgytutrc8724.exe	35
PID 584 wrote to memory of 1396	584	tgytutrc8724.exe	35
PID 584 wrote to memory of 608	584	tgytutrc8724.exe	33
PID 584 wrote to memory of 608	584	tgytutrc8724.exe	33
PID 584 wrote to memory of 608	584	tgytutrc8724.exe	33
PID 584 wrote to memory of 608	584	tgytutrc8724.exe	33
PID 584 wrote to memory of 1492	584	tgytutrc8724.exe	34
PID 584 wrote to memory of 1492	584	tgytutrc8724.exe	34
PID 584 wrote to memory of 1492	584	tgytutrc8724.exe	34
PID 584 wrote to memory of 1492	584	tgytutrc8724.exe	34
PID 584 wrote to memory of 636	584	tgytutrc8724.exe	40
PID 584 wrote to memory of 636	584	tgytutrc8724.exe	40
PID 584 wrote to memory of 636	584	tgytutrc8724.exe	40
PID 584 wrote to memory of 636	584	tgytutrc8724.exe	40
PID 636 wrote to memory of 2024	636	net.exe	42
PID 636 wrote to memory of 2024	636	net.exe	42
PID 636 wrote to memory of 2024	636	net.exe	42
PID 584 wrote to memory of 1844	584	tgytutrc8724.exe	44
PID 584 wrote to memory of 1844	584	tgytutrc8724.exe	44
PID 584 wrote to memory of 1844	584	tgytutrc8724.exe	44
PID 584 wrote to memory of 1844	584	tgytutrc8724.exe	44
PID 1844 wrote to memory of 1892	1844	net.exe	46
PID 1844 wrote to memory of 1892	1844	net.exe	46
PID 1844 wrote to memory of 1892	1844	net.exe	46
PID 584 wrote to memory of 588	584	tgytutrc8724.exe	47
PID 584 wrote to memory of 588	584	tgytutrc8724.exe	47
PID 584 wrote to memory of 588	584	tgytutrc8724.exe	47
PID 584 wrote to memory of 588	584	tgytutrc8724.exe	47
PID 584 wrote to memory of 1116	584	tgytutrc8724.exe	48
PID 584 wrote to memory of 1116	584	tgytutrc8724.exe	48
PID 584 wrote to memory of 1116	584	tgytutrc8724.exe	48
PID 584 wrote to memory of 1116	584	tgytutrc8724.exe	48
PID 584 wrote to memory of 1508	584	tgytutrc8724.exe	49
PID 584 wrote to memory of 1508	584	tgytutrc8724.exe	49
PID 584 wrote to memory of 1508	584	tgytutrc8724.exe	49
PID 584 wrote to memory of 1508	584	tgytutrc8724.exe	49
PID 584 wrote to memory of 1140	584	tgytutrc8724.exe	50
PID 584 wrote to memory of 1140	584	tgytutrc8724.exe	50
PID 584 wrote to memory of 1140	584	tgytutrc8724.exe	50
PID 584 wrote to memory of 1140	584	tgytutrc8724.exe	50
PID 584 wrote to memory of 288	584	tgytutrc8724.exe	51
PID 584 wrote to memory of 288	584	tgytutrc8724.exe	51
PID 584 wrote to memory of 288	584	tgytutrc8724.exe	51
PID 584 wrote to memory of 288	584	tgytutrc8724.exe	51
PID 584 wrote to memory of 1780	584	tgytutrc8724.exe	53
PID 584 wrote to memory of 1780	584	tgytutrc8724.exe	53

C:\Users\Admin\AppData\Local\Temp\55d28e9c577d54732a546acb9b74a12e20cf25afab9636273abcabbb1a00e83d.exe
"C:\Users\Admin\AppData\Local\Temp\55d28e9c577d54732a546acb9b74a12e20cf25afab9636273abcabbb1a00e83d.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:756
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c move /y C:\Users\Admin\AppData\Local\Temp\55d28e9c577d54732a546acb9b74a12e20cf25afab9636273abcabbb1a00e83d.exe C:\Users\Admin\AppData\Local\Temp\tgytutrc8724.exe
  2⤵
  - Suspicious behavior: RenamesItself
  PID:1968
- C:\Users\Admin\AppData\Local\Temp\tgytutrc8724.exe
  C:\Users\Admin\AppData\Local\Temp\tgytutrc8724.exe -m
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:584
- - C:\Windows\system32\logoff.exe
    C:\Windows\system32\logoff.exe 0
    3⤵
    PID:476
- - C:\Windows\system32\logoff.exe
    C:\Windows\system32\logoff.exe 0
    3⤵
    PID:552
- - C:\Windows\system32\logoff.exe
    C:\Windows\system32\logoff.exe 0
    3⤵
    PID:608
- - C:\Windows\system32\logoff.exe
    C:\Windows\system32\logoff.exe 0
    3⤵
    PID:1492
- - C:\Windows\system32\logoff.exe
    C:\Windows\system32\logoff.exe 0
    3⤵
    PID:1396
- - C:\Windows\system32\net.exe
    C:\Windows\system32\net.exe user Admin HuHuHUHoHo283283@dJD
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:636
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user Admin HuHuHUHoHo283283@dJD
      4⤵
      PID:2024
- - C:\Windows\system32\net.exe
    C:\Windows\system32\net.exe user Administrator HuHuHUHoHo283283@dJD
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1844
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user Administrator HuHuHUHoHo283283@dJD
      4⤵
      PID:1892
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc8724.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc8724.exe -i SM-tgytutrc -s
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:588
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc8724.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc8724.exe -i SM-tgytutrc -s
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1116
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc8724.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc8724.exe -i SM-tgytutrc -s
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1508
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc8724.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc8724.exe -i SM-tgytutrc -s
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1140
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc8724.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc8724.exe -i SM-tgytutrc -s
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:288
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc8724.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc8724.exe -i SM-tgytutrc -s
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1780
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc8724.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc8724.exe -i SM-tgytutrc -s
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1992
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc8724.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc8724.exe -i SM-tgytutrc -s
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1384
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc8724.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc8724.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    PID:1996
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc8724.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc8724.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    PID:1484
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc8724.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc8724.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    PID:640
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc8724.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc8724.exe -i SM-tgytutrc -s
    3⤵
    PID:2000
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc8724.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc8724.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:2008
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc8724.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc8724.exe -i SM-tgytutrc -s
    3⤵
    PID:1920
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc8724.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc8724.exe -i SM-tgytutrc -s
    3⤵
    PID:1948
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc8724.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc8724.exe -i SM-tgytutrc -s
    3⤵
    PID:996
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc8724.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc8724.exe -i SM-tgytutrc -s
    3⤵
    PID:1572
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc8724.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc8724.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:1620
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc8724.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc8724.exe -i SM-tgytutrc -s
    3⤵
    PID:588
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc8724.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc8724.exe -i SM-tgytutrc -s
    3⤵
    PID:1508
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc8724.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc8724.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:1120
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc8724.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc8724.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:920
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc8724.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc8724.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:884
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc8724.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc8724.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:576
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc8724.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc8724.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:1616
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc8724.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc8724.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:1072
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc8724.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc8724.exe -i SM-tgytutrc -s
    3⤵
    PID:1140
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc8724.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc8724.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:908
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc8724.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc8724.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:1208
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc8724.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc8724.exe -i SM-tgytutrc -s
    3⤵
    PID:1084
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc8724.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc8724.exe -i SM-tgytutrc -s
    3⤵
    PID:1700
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc8724.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc8724.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:1504
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc8724.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc8724.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:1920
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc8724.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc8724.exe -i SM-tgytutrc -s
    3⤵
    PID:1844
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc8724.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc8724.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:832
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc8724.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc8724.exe -i SM-tgytutrc -s
    3⤵
    PID:1500
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc8724.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc8724.exe -i SM-tgytutrc -s
    3⤵
    PID:1392
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc8724.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc8724.exe -i SM-tgytutrc -s
    3⤵
    PID:1984
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc8724.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc8724.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:1472
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc8724.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc8724.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:912
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc8724.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc8724.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:1120
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc8724.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc8724.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:1508
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc8724.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc8724.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:1536
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc8724.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc8724.exe -i SM-tgytutrc -s
    3⤵
    PID:688
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc8724.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc8724.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:800
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc8724.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc8724.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:1116
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc8724.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc8724.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:1760
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc8724.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc8724.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:1740
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc8724.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc8724.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:1940
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc8724.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc8724.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:992
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc8724.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc8724.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:1300
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc8724.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc8724.exe -i SM-tgytutrc -s
    3⤵
    PID:1964
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc8724.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc8724.exe -i SM-tgytutrc -s
    3⤵
    PID:608
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc8724.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc8724.exe -i SM-tgytutrc -s
    3⤵
    PID:1588
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc8724.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc8724.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:1676
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc8724.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc8724.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:2016
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc8724.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc8724.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:1180
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc8724.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc8724.exe -i SM-tgytutrc -s
    3⤵
    PID:1932
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc8724.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc8724.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:1156
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc8724.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc8724.exe -i SM-tgytutrc -s
    3⤵
    PID:1640
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc8724.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc8724.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:1472
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc8724.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc8724.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:1512
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc8724.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc8724.exe -i SM-tgytutrc -s
    3⤵
    PID:1876
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc8724.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc8724.exe -i SM-tgytutrc -s
    3⤵
    PID:1916
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc8724.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc8724.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:700
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc8724.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc8724.exe -i SM-tgytutrc -s
    3⤵
    - Drops desktop.ini file(s)
    - Drops file in Program Files directory
    PID:1612
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc8724.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc8724.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:2012
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc8724.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc8724.exe -i SM-tgytutrc -s
    3⤵
    PID:964

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/756-54-0x0000000075431000-0x0000000075433000-memory.dmp

Filesize
8KB

Download