Analysis
- max time kernel: 180s
- max time network: 194s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 01/02/2022, 13:46
Static task: static1
Behavioral task: behavioral1
  Sample: 46cf2fdc445858a66152c550e16858754320963a06fd90bcab56e1d287fa48d8.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 46cf2fdc445858a66152c550e16858754320963a06fd90bcab56e1d287fa48d8.exe
  Resource: win10v2004-en-20220113
General
- Target: 46cf2fdc445858a66152c550e16858754320963a06fd90bcab56e1d287fa48d8.exe
- Size: 1.2MB
- MD5: b87ec964ef135f5c93c279e4e8121b15
- SHA1: 7f8b55e5702ee4dea1e24a0fd8db4e1312c66b90
- SHA256: 46cf2fdc445858a66152c550e16858754320963a06fd90bcab56e1d287fa48d8
- SHA512: 49c6198e67cc1b2cfdc9b1d0247d9111f6b3e1e2cb030cbcd46bd8d5f463cb48e0dd2dc4ce625303b1c13fb0ed5954939d6aef0f98bb74b518fa4243be5d4421
Malware Config
Extracted: C:\Users\Public\Desktop\README_LOCKED.txt
Signatures
- LockerGoga
  LockerGoga is a ransomware that is primarily used in targeted, disruptive attacks.
- Drops file in Program Files directory (64 IoCs)
- Modifies data under HKEY_USERS (41 IoCs)
- Runs net.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
- Suspicious behavior: RenamesItself (1 IoC)
  pid 1016, process cmd.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes (PID followed by command line; child processes are indented under their parent)

PID 4532  "C:\Users\Admin\AppData\Local\Temp\46cf2fdc445858a66152c550e16858754320963a06fd90bcab56e1d287fa48d8.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID 1016  C:\Windows\system32\cmd.exe /c move /y C:\Users\Admin\AppData\Local\Temp\46cf2fdc445858a66152c550e16858754320963a06fd90bcab56e1d287fa48d8.exe C:\Users\Admin\AppData\Local\Temp\tgytutrc9530.exe
    - Suspicious behavior: RenamesItself
  PID 4560  C:\Users\Admin\AppData\Local\Temp\tgytutrc9530.exe -m
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID 1744  C:\Windows\system32\logoff.exe 0
    PID 1672  C:\Windows\system32\logoff.exe 0
    PID 4200  C:\Windows\system32\logoff.exe 0
    PID 3316  C:\Windows\system32\logoff.exe 0
    PID 1632  C:\Windows\system32\logoff.exe 0
    PID 2240  C:\Windows\system32\net.exe user Admin HuHuHUHoHo283283@dJD
      - Suspicious use of WriteProcessMemory
      PID 4796  C:\Windows\system32\net1 user Admin HuHuHUHoHo283283@dJD
    PID 4148  C:\Windows\system32\net.exe user Administrator HuHuHUHoHo283283@dJD
      - Suspicious use of WriteProcessMemory
      PID 4036  C:\Windows\system32\net1 user Administrator HuHuHUHoHo283283@dJD
    PID 3696  C:\Users\Admin\AppData\Local\Temp\tgytutrc9530.exe -i SM-tgytutrc -s
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    PID 3536  C:\Users\Admin\AppData\Local\Temp\tgytutrc9530.exe -i SM-tgytutrc -s
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    PID 3708  C:\Users\Admin\AppData\Local\Temp\tgytutrc9530.exe -i SM-tgytutrc -s
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    PID 4224  C:\Users\Admin\AppData\Local\Temp\tgytutrc9530.exe -i SM-tgytutrc -s
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    PID 4580  C:\Users\Admin\AppData\Local\Temp\tgytutrc9530.exe -i SM-tgytutrc -s
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    PID 1788  C:\Users\Admin\AppData\Local\Temp\tgytutrc9530.exe -i SM-tgytutrc -s
      - Drops file in Program Files directory
      - Suspicious use of AdjustPrivilegeToken
    PID 4072  C:\Users\Admin\AppData\Local\Temp\tgytutrc9530.exe -i SM-tgytutrc -s
      - Drops file in Program Files directory
      - Suspicious use of AdjustPrivilegeToken
    PID 664   C:\Users\Admin\AppData\Local\Temp\tgytutrc9530.exe -i SM-tgytutrc -s
      - Drops file in Program Files directory
      - Suspicious use of AdjustPrivilegeToken
    PID 2288  C:\Users\Admin\AppData\Local\Temp\tgytutrc9530.exe -i SM-tgytutrc -s
      - Drops file in Program Files directory
      - Suspicious use of AdjustPrivilegeToken
    PID 1792  C:\Users\Admin\AppData\Local\Temp\tgytutrc9530.exe -i SM-tgytutrc -s
      - Drops file in Program Files directory
      - Suspicious use of AdjustPrivilegeToken
    PID 460   C:\Users\Admin\AppData\Local\Temp\tgytutrc9530.exe -i SM-tgytutrc -s
      - Drops file in Program Files directory
      - Suspicious use of AdjustPrivilegeToken
    PID 3032  C:\Users\Admin\AppData\Local\Temp\tgytutrc9530.exe -i SM-tgytutrc -s
    PID 2124  C:\Users\Admin\AppData\Local\Temp\tgytutrc9530.exe -i SM-tgytutrc -s
      - Drops file in Program Files directory
    PID 2236  C:\Users\Admin\AppData\Local\Temp\tgytutrc9530.exe -i SM-tgytutrc -s
    PID 3084  C:\Users\Admin\AppData\Local\Temp\tgytutrc9530.exe -i SM-tgytutrc -s
      - Drops file in Program Files directory
    PID 3916  C:\Users\Admin\AppData\Local\Temp\tgytutrc9530.exe -i SM-tgytutrc -s
      - Drops file in Program Files directory
    PID 4200  C:\Users\Admin\AppData\Local\Temp\tgytutrc9530.exe -i SM-tgytutrc -s
      - Drops file in Program Files directory
    PID 3068  C:\Users\Admin\AppData\Local\Temp\tgytutrc9530.exe -i SM-tgytutrc -s
      - Drops file in Program Files directory
    PID 4292  C:\Users\Admin\AppData\Local\Temp\tgytutrc9530.exe -i SM-tgytutrc -s
      - Drops file in Program Files directory
    PID 3500  C:\Users\Admin\AppData\Local\Temp\tgytutrc9530.exe -i SM-tgytutrc -s
    PID 4640  C:\Users\Admin\AppData\Local\Temp\tgytutrc9530.exe -i SM-tgytutrc -s
      - Drops file in Program Files directory
    PID 4460  C:\Users\Admin\AppData\Local\Temp\tgytutrc9530.exe -i SM-tgytutrc -s
      - Drops file in Program Files directory
    PID 4624  C:\Users\Admin\AppData\Local\Temp\tgytutrc9530.exe -i SM-tgytutrc -s
      - Drops file in Program Files directory
    PID 1144  C:\Users\Admin\AppData\Local\Temp\tgytutrc9530.exe -i SM-tgytutrc -s
      - Drops file in Program Files directory
    PID 1664  C:\Users\Admin\AppData\Local\Temp\tgytutrc9530.exe -i SM-tgytutrc -s
      - Drops file in Program Files directory
    PID 4580  C:\Users\Admin\AppData\Local\Temp\tgytutrc9530.exe -i SM-tgytutrc -s
      - Drops file in Program Files directory
    PID 2228  C:\Users\Admin\AppData\Local\Temp\tgytutrc9530.exe -i SM-tgytutrc -s
      - Drops file in Program Files directory
    PID 1396  C:\Users\Admin\AppData\Local\Temp\tgytutrc9530.exe -i SM-tgytutrc -s
      - Drops file in Program Files directory
    PID 1124  C:\Users\Admin\AppData\Local\Temp\tgytutrc9530.exe -i SM-tgytutrc -s
      - Drops file in Program Files directory
    PID 1036  C:\Users\Admin\AppData\Local\Temp\tgytutrc9530.exe -i SM-tgytutrc -s
      - Drops file in Program Files directory
    PID 556   C:\Users\Admin\AppData\Local\Temp\tgytutrc9530.exe -i SM-tgytutrc -s
    PID 532   C:\Users\Admin\AppData\Local\Temp\tgytutrc9530.exe -i SM-tgytutrc -s
      - Drops file in Program Files directory
    PID 4180  C:\Users\Admin\AppData\Local\Temp\tgytutrc9530.exe -i SM-tgytutrc -s
      - Drops file in Program Files directory
    PID 2236  C:\Users\Admin\AppData\Local\Temp\tgytutrc9530.exe -i SM-tgytutrc -s
    PID 2392  C:\Users\Admin\AppData\Local\Temp\tgytutrc9530.exe -i SM-tgytutrc -s
      - Drops file in Program Files directory
    PID 4824  C:\Users\Admin\AppData\Local\Temp\tgytutrc9530.exe -i SM-tgytutrc -s
      - Drops file in Program Files directory
    PID 4176  C:\Users\Admin\AppData\Local\Temp\tgytutrc9530.exe -i SM-tgytutrc -s
      - Drops file in Program Files directory

PID 5020  C:\Windows\System32\WaaSMedicAgent.exe 38d8850c14d73b838c7266b6109dfc8f PPhOZ3TibEms6cG7B6yjiw.0.1.0.0.0
  - Modifies data under HKEY_USERS