lockergoga | 07f0cf878de3df525c97fa894c2165ed502ed5be4714b1ae07a0f48b5bfe16b1

Analysis

max time kernel
175s
max time network
174s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
01/02/2022, 13:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

07f0cf878de3df525c97fa894c2165ed502ed5be4714b1ae07a0f48b5bfe16b1.exe
Size

1.2MB
MD5

744124ba8d0c7469e93dfd513de8e69f
SHA1

caf0e85e4574000639f1695e8d5cf4d87e1278f6
SHA256

07f0cf878de3df525c97fa894c2165ed502ed5be4714b1ae07a0f48b5bfe16b1
SHA512

ce178ab37f4c06088f3a440e359d4d72e5d5719c00d701064409fa1b9cd083d84c42affe87d9f24554e3be42384be189aad5b0f3de3d798ecba22f54f9cb3a45

Score

10^/10

lockergoga banker ransomware trojan

Malware Config

Extracted

Path

C:\Users\Public\Desktop\README_LOCKED.txt

Ransom Note

Greetings! There was a significant flaw in the security system of your company. You should be thankful that the flaw was exploited by serious people and not some rookies. They would have damaged all of your data by mistake or for fun. Your files are encrypted with the strongest military algorithms RSA4096 and AES-256. Without our special decoder it is impossible to restore the data. Attempts to restore your data with third party software as Photorec, RannohDecryptor etc. will lead to irreversible destruction of your data. To confirm our honest intentions. Send us 2-3 different random files and you will get them decrypted. It can be from different computers on your network to be sure that our decoder decrypts everything. Sample files we unlock for free (files should not be related to any kind of backups). We exclusively have decryption software for your situation DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT RENAME the encrypted files. DO NOT MOVE the encrypted files. This may lead to the impossibility of recovery of the certain files. The payment has to be made in Bitcoins. The final price depends on how fast you contact us. As soon as we receive the payment you will get the decryption tool and instructions on how to improve your systems security To get information on the price of the decoder contact us at: [email protected] [email protected]

Emails

[email protected]

Signatures

LockerGoga
LockerGoga is a ransomware that is primarily used in targeted, disruptive attacks.
trojan banker lockergoga

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\javafx_font.dll	tgytutrc4287.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\OSFROAMINGPROXY.DLL	tgytutrc4287.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\include\win32\jawt_md.h	tgytutrc4287.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\ECLIPSE_.RSA	tgytutrc4287.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.apache.commons.logging_1.1.1.v201101211721.jar	tgytutrc4287.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-util.xml	tgytutrc4287.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\core\org-openide-filesystems.jar	tgytutrc4287.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-templates_ja.jar	tgytutrc4287.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\msasxpress.dll	tgytutrc4287.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\plugin.properties	tgytutrc4287.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001F-0409-1000-0000000FF1CE.xml	tgytutrc4287.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_Retail-pl.xrm-ms	tgytutrc4287.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\THIRDPARTYLICENSEREADME.txt	tgytutrc4287.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\WordVL_KMS_Client-ul.xrm-ms	tgytutrc4287.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\MANIFEST.MF	tgytutrc4287.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\1423496937509.profile.gz	tgytutrc4287.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-openide-windows.jar	tgytutrc4287.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-core.xml	tgytutrc4287.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-tools.jar	tgytutrc4287.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\pack200.exe	tgytutrc4287.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CAPSULES\THMBNAIL.PNG	tgytutrc4287.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_SubTest-ul-oob.xrm-ms	tgytutrc4287.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\api-ms-win-crt-convert-l1-1-0.dll	tgytutrc4287.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\3RDPARTY	tgytutrc4287.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\license.html	tgytutrc4287.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\core\locale\org-openide-filesystems_ja.jar	tgytutrc4287.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-attach.xml	tgytutrc4287.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\orbd.exe	tgytutrc4287.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Word.Word.x-none.msi.16.x-none.xml	tgytutrc4287.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\bin\NetworkServerControl	tgytutrc4287.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.apache.felix.gogo.runtime_0.10.0.v201209301036.jar	tgytutrc4287.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\org-netbeans-modules-profiler_visualvm.jar	tgytutrc4287.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\classes.jsa	tgytutrc4287.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses\c2rpridslicensefiles_auto.xml	tgytutrc4287.exe
File opened for modification	C:\Program Files\Microsoft Office\root\loc\AppXManifestLoc.16.en-us.xml	tgytutrc4287.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\ReportingServicesNativeClient.dll	tgytutrc4287.exe
File opened for modification	C:\Program Files\7-Zip\7z.dll	tgytutrc4287.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\ModuleAutoDeps\org-netbeans-modules-options-api.xml	tgytutrc4287.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Retail-ppd.xrm-ms	tgytutrc4287.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_SubTrial-pl.xrm-ms	tgytutrc4287.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\WordVL_KMS_Client-ul-oob.xrm-ms	tgytutrc4287.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.reportviewer.winforms.dll	tgytutrc4287.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\WordVL_MAK-ul-oob.xrm-ms	tgytutrc4287.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\lpc.win32.bundle	tgytutrc4287.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\toc.xml	tgytutrc4287.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\mailapi.jar	tgytutrc4287.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-templates_zh_CN.jar	tgytutrc4287.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-uisupport_zh_CN.jar	tgytutrc4287.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\dtplugin\npdeployJava1.dll	tgytutrc4287.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdVL_KMS_Client-ppd.xrm-ms	tgytutrc4287.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\lib\locale\jfluid-server_zh_CN.jar	tgytutrc4287.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\classlist	tgytutrc4287.exe
File opened for modification	C:\Program Files\Microsoft Office\root\fre\StartMenu_Win8_RTL.mp4	tgytutrc4287.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-root-bridge-test.xrm-ms	tgytutrc4287.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\MSOUC_COL.HXT	tgytutrc4287.exe
File opened for modification	C:\Program Files\Microsoft Office\ThinAppXManifest.xml	tgytutrc4287.exe
File opened for modification	C:\Program Files\7-Zip\Lang\af.txt	tgytutrc4287.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyclient.jar	tgytutrc4287.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\calendars.properties	tgytutrc4287.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\epl-v10.html	tgytutrc4287.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\core\com-sun-tools-visualvm-modules-startup.jar	tgytutrc4287.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\awt.dll	tgytutrc4287.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\eclipse.inf	tgytutrc4287.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx.ui_5.5.0.165303.jar	tgytutrc4287.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3428	tgytutrc4287.exe
3428	tgytutrc4287.exe
5056	tgytutrc4287.exe
5056	tgytutrc4287.exe
3672	tgytutrc4287.exe
3672	tgytutrc4287.exe
3672	tgytutrc4287.exe
3672	tgytutrc4287.exe
3672	tgytutrc4287.exe
3672	tgytutrc4287.exe
3428	tgytutrc4287.exe
3428	tgytutrc4287.exe
3672	tgytutrc4287.exe
3672	tgytutrc4287.exe
3428	tgytutrc4287.exe
3428	tgytutrc4287.exe
3672	tgytutrc4287.exe
3672	tgytutrc4287.exe
5056	tgytutrc4287.exe
5056	tgytutrc4287.exe
5056	tgytutrc4287.exe
5056	tgytutrc4287.exe
3672	tgytutrc4287.exe
3672	tgytutrc4287.exe
3428	tgytutrc4287.exe
3428	tgytutrc4287.exe
3428	tgytutrc4287.exe
3428	tgytutrc4287.exe
3428	tgytutrc4287.exe
3428	tgytutrc4287.exe
5056	tgytutrc4287.exe
5056	tgytutrc4287.exe
5056	tgytutrc4287.exe
5056	tgytutrc4287.exe
5056	tgytutrc4287.exe
5056	tgytutrc4287.exe
3672	tgytutrc4287.exe
3672	tgytutrc4287.exe
5056	tgytutrc4287.exe
5056	tgytutrc4287.exe
3672	tgytutrc4287.exe
3672	tgytutrc4287.exe
3672	tgytutrc4287.exe
3672	tgytutrc4287.exe
3672	tgytutrc4287.exe
3672	tgytutrc4287.exe
3672	tgytutrc4287.exe
3672	tgytutrc4287.exe
5056	tgytutrc4287.exe
5056	tgytutrc4287.exe
5056	tgytutrc4287.exe
5056	tgytutrc4287.exe
5056	tgytutrc4287.exe
5056	tgytutrc4287.exe
3428	tgytutrc4287.exe
3428	tgytutrc4287.exe
3428	tgytutrc4287.exe
3428	tgytutrc4287.exe
3700	tgytutrc4287.exe
3700	tgytutrc4287.exe
3428	tgytutrc4287.exe
3428	tgytutrc4287.exe
3428	tgytutrc4287.exe
3428	tgytutrc4287.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3528	cmd.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4140	07f0cf878de3df525c97fa894c2165ed502ed5be4714b1ae07a0f48b5bfe16b1.exe
Token: SeBackupPrivilege	4140	07f0cf878de3df525c97fa894c2165ed502ed5be4714b1ae07a0f48b5bfe16b1.exe
Token: SeRestorePrivilege	4140	07f0cf878de3df525c97fa894c2165ed502ed5be4714b1ae07a0f48b5bfe16b1.exe
Token: SeLockMemoryPrivilege	4140	07f0cf878de3df525c97fa894c2165ed502ed5be4714b1ae07a0f48b5bfe16b1.exe
Token: SeCreateGlobalPrivilege	4140	07f0cf878de3df525c97fa894c2165ed502ed5be4714b1ae07a0f48b5bfe16b1.exe
Token: SeDebugPrivilege	4964	tgytutrc4287.exe
Token: SeBackupPrivilege	4964	tgytutrc4287.exe
Token: SeRestorePrivilege	4964	tgytutrc4287.exe
Token: SeLockMemoryPrivilege	4964	tgytutrc4287.exe
Token: SeCreateGlobalPrivilege	4964	tgytutrc4287.exe
Token: SeDebugPrivilege	3672	tgytutrc4287.exe
Token: SeBackupPrivilege	3672	tgytutrc4287.exe
Token: SeRestorePrivilege	3672	tgytutrc4287.exe
Token: SeLockMemoryPrivilege	3672	tgytutrc4287.exe
Token: SeCreateGlobalPrivilege	3672	tgytutrc4287.exe
Token: SeDebugPrivilege	3428	tgytutrc4287.exe
Token: SeBackupPrivilege	3428	tgytutrc4287.exe
Token: SeRestorePrivilege	3428	tgytutrc4287.exe
Token: SeLockMemoryPrivilege	3428	tgytutrc4287.exe
Token: SeCreateGlobalPrivilege	3428	tgytutrc4287.exe
Token: SeDebugPrivilege	5056	tgytutrc4287.exe
Token: SeBackupPrivilege	5056	tgytutrc4287.exe
Token: SeRestorePrivilege	5056	tgytutrc4287.exe
Token: SeLockMemoryPrivilege	5056	tgytutrc4287.exe
Token: SeCreateGlobalPrivilege	5056	tgytutrc4287.exe
Token: SeDebugPrivilege	3700	tgytutrc4287.exe
Token: SeBackupPrivilege	3700	tgytutrc4287.exe
Token: SeRestorePrivilege	3700	tgytutrc4287.exe
Token: SeLockMemoryPrivilege	3700	tgytutrc4287.exe
Token: SeCreateGlobalPrivilege	3700	tgytutrc4287.exe
Token: SeDebugPrivilege	3944	tgytutrc4287.exe
Token: SeBackupPrivilege	3944	tgytutrc4287.exe
Token: SeRestorePrivilege	3944	tgytutrc4287.exe
Token: SeLockMemoryPrivilege	3944	tgytutrc4287.exe
Token: SeCreateGlobalPrivilege	3944	tgytutrc4287.exe
Token: SeDebugPrivilege	5108	tgytutrc4287.exe
Token: SeBackupPrivilege	5108	tgytutrc4287.exe
Token: SeRestorePrivilege	5108	tgytutrc4287.exe
Token: SeLockMemoryPrivilege	5108	tgytutrc4287.exe
Token: SeCreateGlobalPrivilege	5108	tgytutrc4287.exe
Token: SeDebugPrivilege	3156	tgytutrc4287.exe
Token: SeBackupPrivilege	3156	tgytutrc4287.exe
Token: SeRestorePrivilege	3156	tgytutrc4287.exe
Token: SeLockMemoryPrivilege	3156	tgytutrc4287.exe
Token: SeCreateGlobalPrivilege	3156	tgytutrc4287.exe
Token: SeDebugPrivilege	3572	tgytutrc4287.exe
Token: SeBackupPrivilege	3572	tgytutrc4287.exe
Token: SeRestorePrivilege	3572	tgytutrc4287.exe
Token: SeLockMemoryPrivilege	3572	tgytutrc4287.exe
Token: SeCreateGlobalPrivilege	3572	tgytutrc4287.exe
Token: SeDebugPrivilege	3592	tgytutrc4287.exe
Token: SeBackupPrivilege	3592	tgytutrc4287.exe
Token: SeRestorePrivilege	3592	tgytutrc4287.exe
Token: SeLockMemoryPrivilege	3592	tgytutrc4287.exe
Token: SeCreateGlobalPrivilege	3592	tgytutrc4287.exe
Token: SeDebugPrivilege	1676	tgytutrc4287.exe
Token: SeBackupPrivilege	1676	tgytutrc4287.exe
Token: SeRestorePrivilege	1676	tgytutrc4287.exe
Token: SeLockMemoryPrivilege	1676	tgytutrc4287.exe
Token: SeCreateGlobalPrivilege	1676	tgytutrc4287.exe
Token: SeDebugPrivilege	3780	tgytutrc4287.exe
Token: SeBackupPrivilege	3780	tgytutrc4287.exe
Token: SeRestorePrivilege	3780	tgytutrc4287.exe
Token: SeLockMemoryPrivilege	3780	tgytutrc4287.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4140 wrote to memory of 3528	4140	07f0cf878de3df525c97fa894c2165ed502ed5be4714b1ae07a0f48b5bfe16b1.exe	86
PID 4140 wrote to memory of 3528	4140	07f0cf878de3df525c97fa894c2165ed502ed5be4714b1ae07a0f48b5bfe16b1.exe	86
PID 4140 wrote to memory of 4964	4140	07f0cf878de3df525c97fa894c2165ed502ed5be4714b1ae07a0f48b5bfe16b1.exe	88
PID 4140 wrote to memory of 4964	4140	07f0cf878de3df525c97fa894c2165ed502ed5be4714b1ae07a0f48b5bfe16b1.exe	88
PID 4140 wrote to memory of 4964	4140	07f0cf878de3df525c97fa894c2165ed502ed5be4714b1ae07a0f48b5bfe16b1.exe	88
PID 4964 wrote to memory of 4876	4964	tgytutrc4287.exe	89
PID 4964 wrote to memory of 4876	4964	tgytutrc4287.exe	89
PID 4964 wrote to memory of 692	4964	tgytutrc4287.exe	90
PID 4964 wrote to memory of 692	4964	tgytutrc4287.exe	90
PID 4964 wrote to memory of 1264	4964	tgytutrc4287.exe	92
PID 4964 wrote to memory of 1264	4964	tgytutrc4287.exe	92
PID 4964 wrote to memory of 1724	4964	tgytutrc4287.exe	93
PID 4964 wrote to memory of 1724	4964	tgytutrc4287.exe	93
PID 4964 wrote to memory of 4312	4964	tgytutrc4287.exe	94
PID 4964 wrote to memory of 4312	4964	tgytutrc4287.exe	94
PID 4964 wrote to memory of 2880	4964	tgytutrc4287.exe	99
PID 4964 wrote to memory of 2880	4964	tgytutrc4287.exe	99
PID 2880 wrote to memory of 4100	2880	net.exe	101
PID 2880 wrote to memory of 4100	2880	net.exe	101
PID 4964 wrote to memory of 220	4964	tgytutrc4287.exe	103
PID 4964 wrote to memory of 220	4964	tgytutrc4287.exe	103
PID 220 wrote to memory of 4416	220	net.exe	105
PID 220 wrote to memory of 4416	220	net.exe	105
PID 4964 wrote to memory of 5056	4964	tgytutrc4287.exe	107
PID 4964 wrote to memory of 5056	4964	tgytutrc4287.exe	107
PID 4964 wrote to memory of 5056	4964	tgytutrc4287.exe	107
PID 4964 wrote to memory of 3428	4964	tgytutrc4287.exe	109
PID 4964 wrote to memory of 3428	4964	tgytutrc4287.exe	109
PID 4964 wrote to memory of 3428	4964	tgytutrc4287.exe	109
PID 4964 wrote to memory of 3672	4964	tgytutrc4287.exe	108
PID 4964 wrote to memory of 3672	4964	tgytutrc4287.exe	108
PID 4964 wrote to memory of 3672	4964	tgytutrc4287.exe	108
PID 4964 wrote to memory of 3700	4964	tgytutrc4287.exe	110
PID 4964 wrote to memory of 3700	4964	tgytutrc4287.exe	110
PID 4964 wrote to memory of 3700	4964	tgytutrc4287.exe	110
PID 4964 wrote to memory of 3944	4964	tgytutrc4287.exe	112
PID 4964 wrote to memory of 3944	4964	tgytutrc4287.exe	112
PID 4964 wrote to memory of 3944	4964	tgytutrc4287.exe	112
PID 4964 wrote to memory of 5108	4964	tgytutrc4287.exe	113
PID 4964 wrote to memory of 5108	4964	tgytutrc4287.exe	113
PID 4964 wrote to memory of 5108	4964	tgytutrc4287.exe	113
PID 4964 wrote to memory of 3156	4964	tgytutrc4287.exe	114
PID 4964 wrote to memory of 3156	4964	tgytutrc4287.exe	114
PID 4964 wrote to memory of 3156	4964	tgytutrc4287.exe	114
PID 4964 wrote to memory of 3572	4964	tgytutrc4287.exe	116
PID 4964 wrote to memory of 3572	4964	tgytutrc4287.exe	116
PID 4964 wrote to memory of 3572	4964	tgytutrc4287.exe	116
PID 4964 wrote to memory of 3592	4964	tgytutrc4287.exe	117
PID 4964 wrote to memory of 3592	4964	tgytutrc4287.exe	117
PID 4964 wrote to memory of 3592	4964	tgytutrc4287.exe	117
PID 4964 wrote to memory of 1676	4964	tgytutrc4287.exe	118
PID 4964 wrote to memory of 1676	4964	tgytutrc4287.exe	118
PID 4964 wrote to memory of 1676	4964	tgytutrc4287.exe	118
PID 4964 wrote to memory of 3780	4964	tgytutrc4287.exe	119
PID 4964 wrote to memory of 3780	4964	tgytutrc4287.exe	119
PID 4964 wrote to memory of 3780	4964	tgytutrc4287.exe	119
PID 4964 wrote to memory of 5116	4964	tgytutrc4287.exe	120
PID 4964 wrote to memory of 5116	4964	tgytutrc4287.exe	120
PID 4964 wrote to memory of 5116	4964	tgytutrc4287.exe	120
PID 4964 wrote to memory of 4764	4964	tgytutrc4287.exe	121
PID 4964 wrote to memory of 4764	4964	tgytutrc4287.exe	121
PID 4964 wrote to memory of 4764	4964	tgytutrc4287.exe	121
PID 4964 wrote to memory of 3188	4964	tgytutrc4287.exe	123
PID 4964 wrote to memory of 3188	4964	tgytutrc4287.exe	123

C:\Users\Admin\AppData\Local\Temp\07f0cf878de3df525c97fa894c2165ed502ed5be4714b1ae07a0f48b5bfe16b1.exe
"C:\Users\Admin\AppData\Local\Temp\07f0cf878de3df525c97fa894c2165ed502ed5be4714b1ae07a0f48b5bfe16b1.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4140
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c move /y C:\Users\Admin\AppData\Local\Temp\07f0cf878de3df525c97fa894c2165ed502ed5be4714b1ae07a0f48b5bfe16b1.exe C:\Users\Admin\AppData\Local\Temp\tgytutrc4287.exe
  2⤵
  - Suspicious behavior: RenamesItself
  PID:3528
- C:\Users\Admin\AppData\Local\Temp\tgytutrc4287.exe
  C:\Users\Admin\AppData\Local\Temp\tgytutrc4287.exe -m
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4964
- - C:\Windows\system32\logoff.exe
    C:\Windows\system32\logoff.exe 0
    3⤵
    PID:4876
- - C:\Windows\system32\logoff.exe
    C:\Windows\system32\logoff.exe 0
    3⤵
    PID:692
- - C:\Windows\system32\logoff.exe
    C:\Windows\system32\logoff.exe 0
    3⤵
    PID:1264
- - C:\Windows\system32\logoff.exe
    C:\Windows\system32\logoff.exe 0
    3⤵
    PID:1724
- - C:\Windows\system32\logoff.exe
    C:\Windows\system32\logoff.exe 0
    3⤵
    PID:4312
- - C:\Windows\system32\net.exe
    C:\Windows\system32\net.exe user Admin HuHuHUHoHo283283@dJD
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2880
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user Admin HuHuHUHoHo283283@dJD
      4⤵
      PID:4100
- - C:\Windows\system32\net.exe
    C:\Windows\system32\net.exe user Administrator HuHuHUHoHo283283@dJD
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:220
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user Administrator HuHuHUHoHo283283@dJD
      4⤵
      PID:4416
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc4287.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc4287.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5056
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc4287.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc4287.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3672
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc4287.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc4287.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3428
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc4287.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc4287.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3700
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc4287.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc4287.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    PID:3944
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc4287.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc4287.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    PID:5108
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc4287.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc4287.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    PID:3156
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc4287.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc4287.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    PID:3572
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc4287.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc4287.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    PID:3592
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc4287.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc4287.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    PID:1676
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc4287.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc4287.exe -i SM-tgytutrc -s
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3780
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc4287.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc4287.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:5116
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc4287.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc4287.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:4764
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc4287.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc4287.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:3188
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc4287.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc4287.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:4260
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc4287.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc4287.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:1572
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc4287.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc4287.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:2400
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc4287.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc4287.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:4584
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc4287.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc4287.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:1972
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc4287.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc4287.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:3672
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc4287.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc4287.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:1636
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc4287.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc4287.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:2168
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc4287.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc4287.exe -i SM-tgytutrc -s
    3⤵
    PID:2224
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc4287.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc4287.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:2212
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc4287.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc4287.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:1416
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc4287.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc4287.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:2972
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc4287.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc4287.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:4460
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc4287.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc4287.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:1184
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc4287.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc4287.exe -i SM-tgytutrc -s
    3⤵
    PID:3572
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc4287.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc4287.exe -i SM-tgytutrc -s
    3⤵
    PID:5060
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc4287.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc4287.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:1448
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc4287.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc4287.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:1288
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc4287.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc4287.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:4880
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc4287.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc4287.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:1264

Windows 7 deprecation

Loading Replay Monitor...

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads