Analysis
max time kernel: 169s
max time network: 168s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 01/02/2022, 13:43
Static task: static1
Behavioral task: behavioral1
  Sample: 55d28e9c577d54732a546acb9b74a12e20cf25afab9636273abcabbb1a00e83d.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 55d28e9c577d54732a546acb9b74a12e20cf25afab9636273abcabbb1a00e83d.exe
  Resource: win10v2004-en-20220113
General
Target: 55d28e9c577d54732a546acb9b74a12e20cf25afab9636273abcabbb1a00e83d.exe
Size: 1.2MB
MD5: 8801eb4b1617295998c6812022792787
SHA1: 9006366f6da38ffbff3bd9b0fdc7516d1c412d98
SHA256: 55d28e9c577d54732a546acb9b74a12e20cf25afab9636273abcabbb1a00e83d
SHA512: d7cb7a95cbebcadbea9d733ce1ee7adb9e58f675efbe0ea63241d7977136a42fce92f4d189d3621085d8cb6e692d00e99b1e56586b9b2355cadf6f8c3b35ca4b
Malware Config
Extracted: C:\Users\Public\Desktop\README_LOCKED.txt
Signatures

LockerGoga
LockerGoga is a ransomware that is primarily used in targeted, disruptive attacks.

Drops file in Program Files directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files\Java\jre1.8.0_66\lib\fontconfig.bfc | tgytutrc5398.exe
File opened for modification | C:\Program Files\Microsoft Office\AppXManifest.xml | tgytutrc5398.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\mc.jar | tgytutrc5398.exe
File opened for modification | C:\Program Files\Java\jre1.8.0_66\lib\fontconfig.properties.src | tgytutrc5398.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\MANIFEST.MF | tgytutrc5398.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-modules.xml | tgytutrc5398.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Red Orange.xml | tgytutrc5398.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_Subscription-pl.xrm-ms | tgytutrc5398.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\el-GR\tipresx.dll.mui | tgytutrc5398.exe
File opened for modification | C:\Program Files\Common Files\System\ado\msadox28.tlb | tgytutrc5398.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\WordVL_MAK-pl.xrm-ms | tgytutrc5398.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.w3c.dom.smil_1.0.0.v200806040011.jar | tgytutrc5398.exe
File opened for modification | C:\Program Files\Java\jre1.8.0_66\lib\fonts\LucidaBrightRegular.ttf | tgytutrc5398.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Calibri.xml | tgytutrc5398.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Integration\SPPRedist.msi | tgytutrc5398.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\89.0.4389.114\89.0.4389.114.manifest | tgytutrc5398.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\THIRDPARTYLICENSEREADME-JAVAFX.txt | tgytutrc5398.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Orange.xml | tgytutrc5398.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Integration\C2RManifest.officemuiset.msi.16.en-us.xml | tgytutrc5398.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Word.Word.x-none.msi.16.x-none.xml | tgytutrc5398.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Retail-ppd.xrm-ms | tgytutrc5398.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\MANIFEST.MF | tgytutrc5398.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Red Violet.xml | tgytutrc5398.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\89.0.4389.114\libGLESv2.dll | tgytutrc5398.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_OEM_Perp-ul-oob.xrm-ms | tgytutrc5398.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Standard2019MSDNR_Retail-ul-oob.xrm-ms | tgytutrc5398.exe
File opened for modification | C:\Program Files\Microsoft Office\root\loc\AppXManifestLoc.16.en-us.xml | tgytutrc5398.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\ClientLangPack2019_eula.txt | tgytutrc5398.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Glow Edge.eftx | tgytutrc5398.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Integration\C2RManifest.wordmui.msi.16.en-us.xml | tgytutrc5398.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\about.html | tgytutrc5398.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-openide-windows.jar | tgytutrc5398.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\WordR_Trial-pl.xrm-ms | tgytutrc5398.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\89.0.4389.114\icudtl.dat | tgytutrc5398.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe | tgytutrc5398.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx.ui.ja_5.5.0.165303.jar | tgytutrc5398.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx.ui_5.5.0.165303.jar | tgytutrc5398.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPTSFrame.png | tgytutrc5398.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\core\com-sun-tools-visualvm-modules-startup.jar | tgytutrc5398.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_OEM_Perp-ppd.xrm-ms | tgytutrc5398.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_MAK_AE-ul-phn.xrm-ms | tgytutrc5398.exe
File opened for modification | C:\Program Files\Internet Explorer\sqmapi.dll | tgytutrc5398.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.SF | tgytutrc5398.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_KMS_Client_AE-ul-oob.xrm-ms | tgytutrc5398.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_KMS_Client_AE-ul-oob.xrm-ms | tgytutrc5398.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe | tgytutrc5398.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\etc\visualvm.clusters | tgytutrc5398.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\packager.jar | tgytutrc5398.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\lib\locale\jfluid-server_zh_CN.jar | tgytutrc5398.exe
File opened for modification | C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-006E-0409-1000-0000000FF1CE.xml | tgytutrc5398.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_OEM_Perp-ppd.xrm-ms | tgytutrc5398.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\WordVL_KMS_Client-ul.xrm-ms | tgytutrc5398.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-private-l1-1-0.dll | tgytutrc5398.exe
File opened for modification | C:\Program Files\Common Files\System\msadc\de-DE\msadcor.dll.mui | tgytutrc5398.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\CT_ROOTS.XML | tgytutrc5398.exe
File opened for modification | C:\Program Files\LockClear.tiff | tgytutrc5398.exe
File opened for modification | C:\Program Files\Common Files\System\msadc\adcvbs.inc | tgytutrc5398.exe
File opened for modification | C:\Program Files\Common Files\System\Ole DB\de-DE\msdasqlr.dll.mui | tgytutrc5398.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Document Themes 16\Facet.thmx | tgytutrc5398.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Retail-pl.xrm-ms | tgytutrc5398.exe
File opened for modification | C:\Program Files\Internet Explorer\es-ES\iexplore.exe.mui | tgytutrc5398.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx.ja_5.5.0.165303.jar | tgytutrc5398.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-tools.jar | tgytutrc5398.exe
File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\javaws.exe | tgytutrc5398.exe
Runs net.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
1144 | tgytutrc5398.exe
1144 | tgytutrc5398.exe
1420 | tgytutrc5398.exe
1420 | tgytutrc5398.exe
1436 | tgytutrc5398.exe
1436 | tgytutrc5398.exe
1436 | tgytutrc5398.exe
1436 | tgytutrc5398.exe
1420 | tgytutrc5398.exe
1420 | tgytutrc5398.exe
1420 | tgytutrc5398.exe
1420 | tgytutrc5398.exe
1420 | tgytutrc5398.exe
1420 | tgytutrc5398.exe
1420 | tgytutrc5398.exe
1420 | tgytutrc5398.exe
1420 | tgytutrc5398.exe
1420 | tgytutrc5398.exe
1436 | tgytutrc5398.exe
1436 | tgytutrc5398.exe
1420 | tgytutrc5398.exe
1420 | tgytutrc5398.exe
1436 | tgytutrc5398.exe
1436 | tgytutrc5398.exe
1420 | tgytutrc5398.exe
1420 | tgytutrc5398.exe
1436 | tgytutrc5398.exe
1436 | tgytutrc5398.exe
1420 | tgytutrc5398.exe
1420 | tgytutrc5398.exe
1436 | tgytutrc5398.exe
1436 | tgytutrc5398.exe
1436 | tgytutrc5398.exe
1436 | tgytutrc5398.exe
1436 | tgytutrc5398.exe
1436 | tgytutrc5398.exe
1420 | tgytutrc5398.exe
1420 | tgytutrc5398.exe
1436 | tgytutrc5398.exe
1436 | tgytutrc5398.exe
1436 | tgytutrc5398.exe
1436 | tgytutrc5398.exe
1420 | tgytutrc5398.exe
1420 | tgytutrc5398.exe
1144 | tgytutrc5398.exe
1144 | tgytutrc5398.exe
1436 | tgytutrc5398.exe
1436 | tgytutrc5398.exe
1144 | tgytutrc5398.exe
1144 | tgytutrc5398.exe
208 | tgytutrc5398.exe
208 | tgytutrc5398.exe
1144 | tgytutrc5398.exe
1144 | tgytutrc5398.exe
208 | tgytutrc5398.exe
208 | tgytutrc5398.exe
1832 | tgytutrc5398.exe
1832 | tgytutrc5398.exe
1144 | tgytutrc5398.exe
1144 | tgytutrc5398.exe
1832 | tgytutrc5398.exe
1832 | tgytutrc5398.exe
1144 | tgytutrc5398.exe
1144 | tgytutrc5398.exe
Suspicious behavior: RenamesItself (1 IoC)
pid | Process
2636 | cmd.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1304 | 55d28e9c577d54732a546acb9b74a12e20cf25afab9636273abcabbb1a00e83d.exe
Token: SeBackupPrivilege | 1304 | 55d28e9c577d54732a546acb9b74a12e20cf25afab9636273abcabbb1a00e83d.exe
Token: SeRestorePrivilege | 1304 | 55d28e9c577d54732a546acb9b74a12e20cf25afab9636273abcabbb1a00e83d.exe
Token: SeLockMemoryPrivilege | 1304 | 55d28e9c577d54732a546acb9b74a12e20cf25afab9636273abcabbb1a00e83d.exe
Token: SeCreateGlobalPrivilege | 1304 | 55d28e9c577d54732a546acb9b74a12e20cf25afab9636273abcabbb1a00e83d.exe
Token: SeDebugPrivilege | 4304 | tgytutrc5398.exe
Token: SeBackupPrivilege | 4304 | tgytutrc5398.exe
Token: SeRestorePrivilege | 4304 | tgytutrc5398.exe
Token: SeLockMemoryPrivilege | 4304 | tgytutrc5398.exe
Token: SeCreateGlobalPrivilege | 4304 | tgytutrc5398.exe
Token: SeDebugPrivilege | 1436 | tgytutrc5398.exe
Token: SeBackupPrivilege | 1436 | tgytutrc5398.exe
Token: SeRestorePrivilege | 1436 | tgytutrc5398.exe
Token: SeLockMemoryPrivilege | 1436 | tgytutrc5398.exe
Token: SeCreateGlobalPrivilege | 1436 | tgytutrc5398.exe
Token: SeDebugPrivilege | 1420 | tgytutrc5398.exe
Token: SeBackupPrivilege | 1420 | tgytutrc5398.exe
Token: SeRestorePrivilege | 1420 | tgytutrc5398.exe
Token: SeLockMemoryPrivilege | 1420 | tgytutrc5398.exe
Token: SeCreateGlobalPrivilege | 1420 | tgytutrc5398.exe
Token: SeDebugPrivilege | 1144 | tgytutrc5398.exe
Token: SeBackupPrivilege | 1144 | tgytutrc5398.exe
Token: SeRestorePrivilege | 1144 | tgytutrc5398.exe
Token: SeLockMemoryPrivilege | 1144 | tgytutrc5398.exe
Token: SeCreateGlobalPrivilege | 1144 | tgytutrc5398.exe
Token: SeDebugPrivilege | 208 | tgytutrc5398.exe
Token: SeBackupPrivilege | 208 | tgytutrc5398.exe
Token: SeRestorePrivilege | 208 | tgytutrc5398.exe
Token: SeLockMemoryPrivilege | 208 | tgytutrc5398.exe
Token: SeCreateGlobalPrivilege | 208 | tgytutrc5398.exe
Token: SeDebugPrivilege | 1832 | tgytutrc5398.exe
Token: SeBackupPrivilege | 1832 | tgytutrc5398.exe
Token: SeRestorePrivilege | 1832 | tgytutrc5398.exe
Token: SeLockMemoryPrivilege | 1832 | tgytutrc5398.exe
Token: SeCreateGlobalPrivilege | 1832 | tgytutrc5398.exe
Token: SeDebugPrivilege | 3272 | tgytutrc5398.exe
Token: SeBackupPrivilege | 3272 | tgytutrc5398.exe
Token: SeRestorePrivilege | 3272 | tgytutrc5398.exe
Token: SeLockMemoryPrivilege | 3272 | tgytutrc5398.exe
Token: SeCreateGlobalPrivilege | 3272 | tgytutrc5398.exe
Token: SeDebugPrivilege | 3568 | tgytutrc5398.exe
Token: SeBackupPrivilege | 3568 | tgytutrc5398.exe
Token: SeRestorePrivilege | 3568 | tgytutrc5398.exe
Token: SeLockMemoryPrivilege | 3568 | tgytutrc5398.exe
Token: SeCreateGlobalPrivilege | 3568 | tgytutrc5398.exe
Token: SeDebugPrivilege | 2292 | tgytutrc5398.exe
Token: SeBackupPrivilege | 2292 | tgytutrc5398.exe
Token: SeRestorePrivilege | 2292 | tgytutrc5398.exe
Token: SeLockMemoryPrivilege | 2292 | tgytutrc5398.exe
Token: SeCreateGlobalPrivilege | 2292 | tgytutrc5398.exe
Token: SeDebugPrivilege | 3628 | tgytutrc5398.exe
Token: SeBackupPrivilege | 3628 | tgytutrc5398.exe
Token: SeRestorePrivilege | 3628 | tgytutrc5398.exe
Token: SeLockMemoryPrivilege | 3628 | tgytutrc5398.exe
Token: SeCreateGlobalPrivilege | 3628 | tgytutrc5398.exe
Token: SeDebugPrivilege | 2732 | tgytutrc5398.exe
Token: SeBackupPrivilege | 2732 | tgytutrc5398.exe
Token: SeRestorePrivilege | 2732 | tgytutrc5398.exe
Token: SeLockMemoryPrivilege | 2732 | tgytutrc5398.exe
Token: SeCreateGlobalPrivilege | 2732 | tgytutrc5398.exe
Token: SeDebugPrivilege | 3520 | tgytutrc5398.exe
Token: SeBackupPrivilege | 3520 | tgytutrc5398.exe
Token: SeRestorePrivilege | 3520 | tgytutrc5398.exe
Token: SeLockMemoryPrivilege | 3520 | tgytutrc5398.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 1304 wrote to memory of 2636 | 1304 | 55d28e9c577d54732a546acb9b74a12e20cf25afab9636273abcabbb1a00e83d.exe | 84
PID 1304 wrote to memory of 2636 | 1304 | 55d28e9c577d54732a546acb9b74a12e20cf25afab9636273abcabbb1a00e83d.exe | 84
PID 1304 wrote to memory of 4304 | 1304 | 55d28e9c577d54732a546acb9b74a12e20cf25afab9636273abcabbb1a00e83d.exe | 86
PID 1304 wrote to memory of 4304 | 1304 | 55d28e9c577d54732a546acb9b74a12e20cf25afab9636273abcabbb1a00e83d.exe | 86
PID 1304 wrote to memory of 4304 | 1304 | 55d28e9c577d54732a546acb9b74a12e20cf25afab9636273abcabbb1a00e83d.exe | 86
PID 4304 wrote to memory of 2544 | 4304 | tgytutrc5398.exe | 87
PID 4304 wrote to memory of 2544 | 4304 | tgytutrc5398.exe | 87
PID 4304 wrote to memory of 4360 | 4304 | tgytutrc5398.exe | 93
PID 4304 wrote to memory of 4360 | 4304 | tgytutrc5398.exe | 93
PID 4304 wrote to memory of 384 | 4304 | tgytutrc5398.exe | 92
PID 4304 wrote to memory of 384 | 4304 | tgytutrc5398.exe | 92
PID 4304 wrote to memory of 3280 | 4304 | tgytutrc5398.exe | 90
PID 4304 wrote to memory of 3280 | 4304 | tgytutrc5398.exe | 90
PID 4304 wrote to memory of 4404 | 4304 | tgytutrc5398.exe | 89
PID 4304 wrote to memory of 4404 | 4304 | tgytutrc5398.exe | 89
PID 4304 wrote to memory of 1276 | 4304 | tgytutrc5398.exe | 97
PID 4304 wrote to memory of 1276 | 4304 | tgytutrc5398.exe | 97
PID 1276 wrote to memory of 4976 | 1276 | net.exe | 99
PID 1276 wrote to memory of 4976 | 1276 | net.exe | 99
PID 4304 wrote to memory of 4332 | 4304 | tgytutrc5398.exe | 101
PID 4304 wrote to memory of 4332 | 4304 | tgytutrc5398.exe | 101
PID 4332 wrote to memory of 3380 | 4332 | net.exe | 103
PID 4332 wrote to memory of 3380 | 4332 | net.exe | 103
PID 4304 wrote to memory of 1436 | 4304 | tgytutrc5398.exe | 104
PID 4304 wrote to memory of 1436 | 4304 | tgytutrc5398.exe | 104
PID 4304 wrote to memory of 1436 | 4304 | tgytutrc5398.exe | 104
PID 4304 wrote to memory of 1420 | 4304 | tgytutrc5398.exe | 106
PID 4304 wrote to memory of 1420 | 4304 | tgytutrc5398.exe | 106
PID 4304 wrote to memory of 1420 | 4304 | tgytutrc5398.exe | 106
PID 4304 wrote to memory of 1144 | 4304 | tgytutrc5398.exe | 105
PID 4304 wrote to memory of 1144 | 4304 | tgytutrc5398.exe | 105
PID 4304 wrote to memory of 1144 | 4304 | tgytutrc5398.exe | 105
PID 4304 wrote to memory of 208 | 4304 | tgytutrc5398.exe | 110
PID 4304 wrote to memory of 208 | 4304 | tgytutrc5398.exe | 110
PID 4304 wrote to memory of 208 | 4304 | tgytutrc5398.exe | 110
PID 4304 wrote to memory of 1832 | 4304 | tgytutrc5398.exe | 111
PID 4304 wrote to memory of 1832 | 4304 | tgytutrc5398.exe | 111
PID 4304 wrote to memory of 1832 | 4304 | tgytutrc5398.exe | 111
PID 4304 wrote to memory of 3272 | 4304 | tgytutrc5398.exe | 113
PID 4304 wrote to memory of 3272 | 4304 | tgytutrc5398.exe | 113
PID 4304 wrote to memory of 3272 | 4304 | tgytutrc5398.exe | 113
PID 4304 wrote to memory of 3568 | 4304 | tgytutrc5398.exe | 114
PID 4304 wrote to memory of 3568 | 4304 | tgytutrc5398.exe | 114
PID 4304 wrote to memory of 3568 | 4304 | tgytutrc5398.exe | 114
PID 4304 wrote to memory of 2292 | 4304 | tgytutrc5398.exe | 115
PID 4304 wrote to memory of 2292 | 4304 | tgytutrc5398.exe | 115
PID 4304 wrote to memory of 2292 | 4304 | tgytutrc5398.exe | 115
PID 4304 wrote to memory of 3628 | 4304 | tgytutrc5398.exe | 116
PID 4304 wrote to memory of 3628 | 4304 | tgytutrc5398.exe | 116
PID 4304 wrote to memory of 3628 | 4304 | tgytutrc5398.exe | 116
PID 4304 wrote to memory of 2732 | 4304 | tgytutrc5398.exe | 118
PID 4304 wrote to memory of 2732 | 4304 | tgytutrc5398.exe | 118
PID 4304 wrote to memory of 2732 | 4304 | tgytutrc5398.exe | 118
PID 4304 wrote to memory of 3520 | 4304 | tgytutrc5398.exe | 120
PID 4304 wrote to memory of 3520 | 4304 | tgytutrc5398.exe | 120
PID 4304 wrote to memory of 3520 | 4304 | tgytutrc5398.exe | 120
PID 4304 wrote to memory of 4804 | 4304 | tgytutrc5398.exe | 122
PID 4304 wrote to memory of 4804 | 4304 | tgytutrc5398.exe | 122
PID 4304 wrote to memory of 4804 | 4304 | tgytutrc5398.exe | 122
PID 4304 wrote to memory of 3724 | 4304 | tgytutrc5398.exe | 123
PID 4304 wrote to memory of 3724 | 4304 | tgytutrc5398.exe | 123
PID 4304 wrote to memory of 3724 | 4304 | tgytutrc5398.exe | 123
PID 4304 wrote to memory of 4796 | 4304 | tgytutrc5398.exe | 125
PID 4304 wrote to memory of 4796 | 4304 | tgytutrc5398.exe | 125
Processes
(process tree; indentation shows parent/child depth)

C:\Users\Admin\AppData\Local\Temp\55d28e9c577d54732a546acb9b74a12e20cf25afab9636273abcabbb1a00e83d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\55d28e9c577d54732a546acb9b74a12e20cf25afab9636273abcabbb1a00e83d.exe"
  PID: 1304
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c move /y C:\Users\Admin\AppData\Local\Temp\55d28e9c577d54732a546acb9b74a12e20cf25afab9636273abcabbb1a00e83d.exe C:\Users\Admin\AppData\Local\Temp\tgytutrc5398.exe
    PID: 2636
    - Suspicious behavior: RenamesItself

  C:\Users\Admin\AppData\Local\Temp\tgytutrc5398.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\tgytutrc5398.exe -m
    PID: 4304
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\logoff.exe
      Command line: C:\Windows\system32\logoff.exe 0
      PID: 2544

    C:\Windows\system32\logoff.exe
      Command line: C:\Windows\system32\logoff.exe 0
      PID: 4404

    C:\Windows\system32\logoff.exe
      Command line: C:\Windows\system32\logoff.exe 0
      PID: 3280

    C:\Windows\system32\logoff.exe
      Command line: C:\Windows\system32\logoff.exe 0
      PID: 384

    C:\Windows\system32\logoff.exe
      Command line: C:\Windows\system32\logoff.exe 0
      PID: 4360

    C:\Windows\system32\net.exe
      Command line: C:\Windows\system32\net.exe user Admin HuHuHUHoHo283283@dJD
      PID: 1276
      - Suspicious use of WriteProcessMemory

      C:\Windows\system32\net1.exe
        Command line: C:\Windows\system32\net1 user Admin HuHuHUHoHo283283@dJD
        PID: 4976

    C:\Windows\system32\net.exe
      Command line: C:\Windows\system32\net.exe user Administrator HuHuHUHoHo283283@dJD
      PID: 4332
      - Suspicious use of WriteProcessMemory

      C:\Windows\system32\net1.exe
        Command line: C:\Windows\system32\net1 user Administrator HuHuHUHoHo283283@dJD
        PID: 3380

    C:\Users\Admin\AppData\Local\Temp\tgytutrc5398.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\tgytutrc5398.exe -i SM-tgytutrc -s
      PID: 1436
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\tgytutrc5398.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\tgytutrc5398.exe -i SM-tgytutrc -s
      PID: 1144
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\tgytutrc5398.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\tgytutrc5398.exe -i SM-tgytutrc -s
      PID: 1420
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\tgytutrc5398.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\tgytutrc5398.exe -i SM-tgytutrc -s
      PID: 208
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\tgytutrc5398.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\tgytutrc5398.exe -i SM-tgytutrc -s
      PID: 1832
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\tgytutrc5398.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\tgytutrc5398.exe -i SM-tgytutrc -s
      PID: 3272
      - Drops file in Program Files directory
      - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\tgytutrc5398.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\tgytutrc5398.exe -i SM-tgytutrc -s
      PID: 3568
      - Drops file in Program Files directory
      - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\tgytutrc5398.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\tgytutrc5398.exe -i SM-tgytutrc -s
      PID: 2292
      - Drops file in Program Files directory
      - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\tgytutrc5398.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\tgytutrc5398.exe -i SM-tgytutrc -s
      PID: 3628
      - Drops file in Program Files directory
      - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\tgytutrc5398.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\tgytutrc5398.exe -i SM-tgytutrc -s
      PID: 2732
      - Drops file in Program Files directory
      - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\tgytutrc5398.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\tgytutrc5398.exe -i SM-tgytutrc -s
      PID: 3520
      - Drops file in Program Files directory
      - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\tgytutrc5398.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\tgytutrc5398.exe -i SM-tgytutrc -s
      PID: 4804
      - Drops file in Program Files directory

    C:\Users\Admin\AppData\Local\Temp\tgytutrc5398.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\tgytutrc5398.exe -i SM-tgytutrc -s
      PID: 3724
      - Drops file in Program Files directory

    C:\Users\Admin\AppData\Local\Temp\tgytutrc5398.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\tgytutrc5398.exe -i SM-tgytutrc -s
      PID: 4796
      - Drops file in Program Files directory

    C:\Users\Admin\AppData\Local\Temp\tgytutrc5398.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\tgytutrc5398.exe -i SM-tgytutrc -s
      PID: 2356
      - Drops file in Program Files directory

    C:\Users\Admin\AppData\Local\Temp\tgytutrc5398.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\tgytutrc5398.exe -i SM-tgytutrc -s
      PID: 860
      - Drops file in Program Files directory

    C:\Users\Admin\AppData\Local\Temp\tgytutrc5398.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\tgytutrc5398.exe -i SM-tgytutrc -s
      PID: 392
      - Drops file in Program Files directory

    C:\Users\Admin\AppData\Local\Temp\tgytutrc5398.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\tgytutrc5398.exe -i SM-tgytutrc -s
      PID: 5108
      - Drops file in Program Files directory

    C:\Users\Admin\AppData\Local\Temp\tgytutrc5398.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\tgytutrc5398.exe -i SM-tgytutrc -s
      PID: 4984
      - Drops file in Program Files directory

    C:\Users\Admin\AppData\Local\Temp\tgytutrc5398.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\tgytutrc5398.exe -i SM-tgytutrc -s
      PID: 964
      - Drops file in Program Files directory

    C:\Users\Admin\AppData\Local\Temp\tgytutrc5398.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\tgytutrc5398.exe -i SM-tgytutrc -s
      PID: 4556
      - Drops file in Program Files directory

    C:\Users\Admin\AppData\Local\Temp\tgytutrc5398.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\tgytutrc5398.exe -i SM-tgytutrc -s
      PID: 3452
      - Drops file in Program Files directory

    C:\Users\Admin\AppData\Local\Temp\tgytutrc5398.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\tgytutrc5398.exe -i SM-tgytutrc -s
      PID: 4888
      - Drops file in Program Files directory

    C:\Users\Admin\AppData\Local\Temp\tgytutrc5398.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\tgytutrc5398.exe -i SM-tgytutrc -s
      PID: 3332
      - Drops file in Program Files directory

    C:\Users\Admin\AppData\Local\Temp\tgytutrc5398.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\tgytutrc5398.exe -i SM-tgytutrc -s
      PID: 2388