lockergoga | 037fbd08e82c6e6362f6c7cc1cf4d1afb0ba855e301642da5ebcfc6bb45ea310

Analysis

max time kernel
159s
max time network
180s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
01/02/2022, 13:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

037fbd08e82c6e6362f6c7cc1cf4d1afb0ba855e301642da5ebcfc6bb45ea310.exe
Size

1.2MB
MD5

1f63061d9ace24c0b6a62332bef23859
SHA1

3983993ede8c08f77fc0a0c30e7aefc0d623e1ee
SHA256

037fbd08e82c6e6362f6c7cc1cf4d1afb0ba855e301642da5ebcfc6bb45ea310
SHA512

e76c54267e7d5b9c5b05bc7a41737ea870551be3051330fc1edaf4008a6907db6da7e4db0aa2472fdbdd9ab6a7d59f859dc658ecf717a83d7f2eb202093ac686

Score

10^/10

lockergoga banker ransomware trojan

Malware Config

Extracted

Path

C:\Users\Public\Desktop\README_LOCKED.txt

Ransom Note

Greetings! There was a significant flaw in the security system of your company. You should be thankful that the flaw was exploited by serious people and not some rookies. They would have damaged all of your data by mistake or for fun. Your files are encrypted with the strongest military algorithms RSA4096 and AES-256. Without our special decoder it is impossible to restore the data. Attempts to restore your data with third party software as Photorec, RannohDecryptor etc. will lead to irreversible destruction of your data. To confirm our honest intentions. Send us 2-3 different random files and you will get them decrypted. It can be from different computers on your network to be sure that our decoder decrypts everything. Sample files we unlock for free (files should not be related to any kind of backups). We exclusively have decryption software for your situation DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT RENAME the encrypted files. DO NOT MOVE the encrypted files. This may lead to the impossibility of recovery of the certain files. The payment has to be made in Bitcoins. The final price depends on how fast you contact us. As soon as we receive the payment you will get the decryption tool and instructions on how to improve your systems security To get information on the price of the decoder contact us at: [email protected] [email protected]

Emails

[email protected]

Signatures

LockerGoga
LockerGoga is a ransomware that is primarily used in targeted, disruptive attacks.
trojan banker lockergoga

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001F-0409-1000-0000000FF1CE.xml	yxugwjud1355.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Banded Edge.eftx	yxugwjud1355.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\DataStreamerLibrary.dll.config	yxugwjud1355.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.Office.Tools.Excel.dll	yxugwjud1355.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.MashupEngine.dll	yxugwjud1355.exe
File opened for modification	C:\Program Files\InvokePush.otf	yxugwjud1355.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstack.exe	yxugwjud1355.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\fontconfig.bfc	yxugwjud1355.exe
File opened for modification	C:\Program Files\Internet Explorer\sqmapi.dll	yxugwjud1355.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\msotdintl.dll	yxugwjud1355.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\MICROSOFT.DATA.RECOMMENDATION.CLIENT.CORE.DLL	yxugwjud1355.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-sa.xml	yxugwjud1355.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcR_Grace-ppd.xrm-ms	yxugwjud1355.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\GRAPH_COL.HXT	yxugwjud1355.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	yxugwjud1355.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-openide-windows.xml	yxugwjud1355.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-openide-util-enumerations.xml	yxugwjud1355.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.common.16.xml	yxugwjud1355.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Trial2-ul-oob.xrm-ms	yxugwjud1355.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointVL_KMS_Client-ppd.xrm-ms	yxugwjud1355.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019XC2RVL_MAKC2R-ul-oob.xrm-ms	yxugwjud1355.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\bwcapitalized.dotx	yxugwjud1355.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\rjmx.jar	yxugwjud1355.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-openide-awt.xml	yxugwjud1355.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-openide-actions.xml	yxugwjud1355.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\hijrah-config-umalqura.properties	yxugwjud1355.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-006E-0409-1000-0000000FF1CE.xml	yxugwjud1355.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\GRAPH_F_COL.HXK	yxugwjud1355.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.XLS	yxugwjud1355.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL058.XML	yxugwjud1355.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jhat.exe	yxugwjud1355.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\splash.gif	yxugwjud1355.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-coredump_zh_CN.jar	yxugwjud1355.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Client\msvcp120.dll	yxugwjud1355.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Trial-pl.xrm-ms	yxugwjud1355.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\StandardMSDNR_Retail-ul-oob.xrm-ms	yxugwjud1355.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\StandardMSDNR_Retail-ppd.xrm-ms	yxugwjud1355.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_OEM_Perp-ul-oob.xrm-ms	yxugwjud1355.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\plugin2\msvcr100.dll	yxugwjud1355.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\eclipse.inf	yxugwjud1355.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0115-0409-1000-0000000FF1CE.xml	yxugwjud1355.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\BCSRuntimeRes.dll	yxugwjud1355.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_OEM_Perp-ul-phn.xrm-ms	yxugwjud1355.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Trial-pl.xrm-ms	yxugwjud1355.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office15\pkeyconfig-office.xrm-ms	yxugwjud1355.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jsadebugd.exe	yxugwjud1355.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\console_view.png	yxugwjud1355.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Client\vcruntime140.dll	yxugwjud1355.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\StandardVL_KMS_Client-ul-oob.xrm-ms	yxugwjud1355.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Grace-ppd.xrm-ms	yxugwjud1355.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\THIRDPARTYLICENSEREADME.txt	yxugwjud1355.exe
File opened for modification	C:\Program Files\MeasureDisconnect.midi	yxugwjud1355.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial1-ul-oob.xrm-ms	yxugwjud1355.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL044.XML	yxugwjud1355.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.core.di_1.4.0.v20140414-1837.jar	yxugwjud1355.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-openide-options.jar	yxugwjud1355.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\Client2019_eula.txt	yxugwjud1355.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_SubTrial-ul-oob.xrm-ms	yxugwjud1355.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	yxugwjud1355.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\feature.xml	yxugwjud1355.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-editor-mimelookup-impl_zh_CN.jar	yxugwjud1355.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Organic.thmx	yxugwjud1355.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\MsoAriaCApiWrapper.dll	yxugwjud1355.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\MicrosoftDataStreamerforExcel.vsto	yxugwjud1355.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2396	yxugwjud1355.exe
2396	yxugwjud1355.exe
3220	yxugwjud1355.exe
3220	yxugwjud1355.exe
1864	yxugwjud1355.exe
1864	yxugwjud1355.exe
1668	yxugwjud1355.exe
1668	yxugwjud1355.exe
3220	yxugwjud1355.exe
3220	yxugwjud1355.exe
3220	yxugwjud1355.exe
3220	yxugwjud1355.exe
3220	yxugwjud1355.exe
3220	yxugwjud1355.exe
3220	yxugwjud1355.exe
3220	yxugwjud1355.exe
2396	yxugwjud1355.exe
2396	yxugwjud1355.exe
3220	yxugwjud1355.exe
3220	yxugwjud1355.exe
2396	yxugwjud1355.exe
2396	yxugwjud1355.exe
3220	yxugwjud1355.exe
3220	yxugwjud1355.exe
2396	yxugwjud1355.exe
2396	yxugwjud1355.exe
1668	yxugwjud1355.exe
1668	yxugwjud1355.exe
3220	yxugwjud1355.exe
3220	yxugwjud1355.exe
2396	yxugwjud1355.exe
2396	yxugwjud1355.exe
3220	yxugwjud1355.exe
3220	yxugwjud1355.exe
2396	yxugwjud1355.exe
2396	yxugwjud1355.exe
1668	yxugwjud1355.exe
1668	yxugwjud1355.exe
3220	yxugwjud1355.exe
3220	yxugwjud1355.exe
2396	yxugwjud1355.exe
2396	yxugwjud1355.exe
1668	yxugwjud1355.exe
1668	yxugwjud1355.exe
1668	yxugwjud1355.exe
1668	yxugwjud1355.exe
2396	yxugwjud1355.exe
2396	yxugwjud1355.exe
1668	yxugwjud1355.exe
1668	yxugwjud1355.exe
1864	yxugwjud1355.exe
1864	yxugwjud1355.exe
1864	yxugwjud1355.exe
1864	yxugwjud1355.exe
3220	yxugwjud1355.exe
3220	yxugwjud1355.exe
2396	yxugwjud1355.exe
2396	yxugwjud1355.exe
1668	yxugwjud1355.exe
1668	yxugwjud1355.exe
4572	yxugwjud1355.exe
4572	yxugwjud1355.exe
1668	yxugwjud1355.exe
1668	yxugwjud1355.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2404	cmd.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4724	037fbd08e82c6e6362f6c7cc1cf4d1afb0ba855e301642da5ebcfc6bb45ea310.exe
Token: SeBackupPrivilege	4724	037fbd08e82c6e6362f6c7cc1cf4d1afb0ba855e301642da5ebcfc6bb45ea310.exe
Token: SeRestorePrivilege	4724	037fbd08e82c6e6362f6c7cc1cf4d1afb0ba855e301642da5ebcfc6bb45ea310.exe
Token: SeLockMemoryPrivilege	4724	037fbd08e82c6e6362f6c7cc1cf4d1afb0ba855e301642da5ebcfc6bb45ea310.exe
Token: SeCreateGlobalPrivilege	4724	037fbd08e82c6e6362f6c7cc1cf4d1afb0ba855e301642da5ebcfc6bb45ea310.exe
Token: SeDebugPrivilege	2968	yxugwjud1355.exe
Token: SeBackupPrivilege	2968	yxugwjud1355.exe
Token: SeRestorePrivilege	2968	yxugwjud1355.exe
Token: SeLockMemoryPrivilege	2968	yxugwjud1355.exe
Token: SeCreateGlobalPrivilege	2968	yxugwjud1355.exe
Token: SeDebugPrivilege	1668	yxugwjud1355.exe
Token: SeBackupPrivilege	1668	yxugwjud1355.exe
Token: SeRestorePrivilege	1668	yxugwjud1355.exe
Token: SeLockMemoryPrivilege	1668	yxugwjud1355.exe
Token: SeCreateGlobalPrivilege	1668	yxugwjud1355.exe
Token: SeDebugPrivilege	1864	yxugwjud1355.exe
Token: SeBackupPrivilege	1864	yxugwjud1355.exe
Token: SeRestorePrivilege	1864	yxugwjud1355.exe
Token: SeLockMemoryPrivilege	1864	yxugwjud1355.exe
Token: SeCreateGlobalPrivilege	1864	yxugwjud1355.exe
Token: SeDebugPrivilege	2396	yxugwjud1355.exe
Token: SeBackupPrivilege	2396	yxugwjud1355.exe
Token: SeRestorePrivilege	2396	yxugwjud1355.exe
Token: SeLockMemoryPrivilege	2396	yxugwjud1355.exe
Token: SeCreateGlobalPrivilege	2396	yxugwjud1355.exe
Token: SeDebugPrivilege	3220	yxugwjud1355.exe
Token: SeBackupPrivilege	3220	yxugwjud1355.exe
Token: SeRestorePrivilege	3220	yxugwjud1355.exe
Token: SeLockMemoryPrivilege	3220	yxugwjud1355.exe
Token: SeCreateGlobalPrivilege	3220	yxugwjud1355.exe
Token: SeDebugPrivilege	4572	yxugwjud1355.exe
Token: SeBackupPrivilege	4572	yxugwjud1355.exe
Token: SeRestorePrivilege	4572	yxugwjud1355.exe
Token: SeLockMemoryPrivilege	4572	yxugwjud1355.exe
Token: SeCreateGlobalPrivilege	4572	yxugwjud1355.exe
Token: SeDebugPrivilege	320	yxugwjud1355.exe
Token: SeBackupPrivilege	320	yxugwjud1355.exe
Token: SeRestorePrivilege	320	yxugwjud1355.exe
Token: SeLockMemoryPrivilege	320	yxugwjud1355.exe
Token: SeCreateGlobalPrivilege	320	yxugwjud1355.exe
Token: SeDebugPrivilege	4316	yxugwjud1355.exe
Token: SeBackupPrivilege	4316	yxugwjud1355.exe
Token: SeRestorePrivilege	4316	yxugwjud1355.exe
Token: SeLockMemoryPrivilege	4316	yxugwjud1355.exe
Token: SeCreateGlobalPrivilege	4316	yxugwjud1355.exe
Token: SeDebugPrivilege	444	yxugwjud1355.exe
Token: SeBackupPrivilege	444	yxugwjud1355.exe
Token: SeRestorePrivilege	444	yxugwjud1355.exe
Token: SeLockMemoryPrivilege	444	yxugwjud1355.exe
Token: SeCreateGlobalPrivilege	444	yxugwjud1355.exe
Token: SeDebugPrivilege	4356	yxugwjud1355.exe
Token: SeBackupPrivilege	4356	yxugwjud1355.exe
Token: SeRestorePrivilege	4356	yxugwjud1355.exe
Token: SeLockMemoryPrivilege	4356	yxugwjud1355.exe
Token: SeCreateGlobalPrivilege	4356	yxugwjud1355.exe
Token: SeDebugPrivilege	2260	yxugwjud1355.exe
Token: SeBackupPrivilege	2260	yxugwjud1355.exe
Token: SeRestorePrivilege	2260	yxugwjud1355.exe
Token: SeLockMemoryPrivilege	2260	yxugwjud1355.exe
Token: SeCreateGlobalPrivilege	2260	yxugwjud1355.exe
Token: SeDebugPrivilege	4824	yxugwjud1355.exe
Token: SeBackupPrivilege	4824	yxugwjud1355.exe
Token: SeRestorePrivilege	4824	yxugwjud1355.exe
Token: SeLockMemoryPrivilege	4824	yxugwjud1355.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4724 wrote to memory of 2404	4724	037fbd08e82c6e6362f6c7cc1cf4d1afb0ba855e301642da5ebcfc6bb45ea310.exe	85
PID 4724 wrote to memory of 2404	4724	037fbd08e82c6e6362f6c7cc1cf4d1afb0ba855e301642da5ebcfc6bb45ea310.exe	85
PID 4724 wrote to memory of 2968	4724	037fbd08e82c6e6362f6c7cc1cf4d1afb0ba855e301642da5ebcfc6bb45ea310.exe	87
PID 4724 wrote to memory of 2968	4724	037fbd08e82c6e6362f6c7cc1cf4d1afb0ba855e301642da5ebcfc6bb45ea310.exe	87
PID 4724 wrote to memory of 2968	4724	037fbd08e82c6e6362f6c7cc1cf4d1afb0ba855e301642da5ebcfc6bb45ea310.exe	87
PID 2968 wrote to memory of 1668	2968	yxugwjud1355.exe	89
PID 2968 wrote to memory of 1668	2968	yxugwjud1355.exe	89
PID 2968 wrote to memory of 1668	2968	yxugwjud1355.exe	89
PID 2968 wrote to memory of 1864	2968	yxugwjud1355.exe	88
PID 2968 wrote to memory of 1864	2968	yxugwjud1355.exe	88
PID 2968 wrote to memory of 1864	2968	yxugwjud1355.exe	88
PID 2968 wrote to memory of 3220	2968	yxugwjud1355.exe	90
PID 2968 wrote to memory of 3220	2968	yxugwjud1355.exe	90
PID 2968 wrote to memory of 3220	2968	yxugwjud1355.exe	90
PID 2968 wrote to memory of 2396	2968	yxugwjud1355.exe	91
PID 2968 wrote to memory of 2396	2968	yxugwjud1355.exe	91
PID 2968 wrote to memory of 2396	2968	yxugwjud1355.exe	91
PID 2968 wrote to memory of 4572	2968	yxugwjud1355.exe	93
PID 2968 wrote to memory of 4572	2968	yxugwjud1355.exe	93
PID 2968 wrote to memory of 4572	2968	yxugwjud1355.exe	93
PID 2968 wrote to memory of 320	2968	yxugwjud1355.exe	95
PID 2968 wrote to memory of 320	2968	yxugwjud1355.exe	95
PID 2968 wrote to memory of 320	2968	yxugwjud1355.exe	95
PID 2968 wrote to memory of 4316	2968	yxugwjud1355.exe	96
PID 2968 wrote to memory of 4316	2968	yxugwjud1355.exe	96
PID 2968 wrote to memory of 4316	2968	yxugwjud1355.exe	96
PID 2968 wrote to memory of 444	2968	yxugwjud1355.exe	97
PID 2968 wrote to memory of 444	2968	yxugwjud1355.exe	97
PID 2968 wrote to memory of 444	2968	yxugwjud1355.exe	97
PID 2968 wrote to memory of 4356	2968	yxugwjud1355.exe	98
PID 2968 wrote to memory of 4356	2968	yxugwjud1355.exe	98
PID 2968 wrote to memory of 4356	2968	yxugwjud1355.exe	98
PID 2968 wrote to memory of 2260	2968	yxugwjud1355.exe	99
PID 2968 wrote to memory of 2260	2968	yxugwjud1355.exe	99
PID 2968 wrote to memory of 2260	2968	yxugwjud1355.exe	99
PID 2968 wrote to memory of 4824	2968	yxugwjud1355.exe	100
PID 2968 wrote to memory of 4824	2968	yxugwjud1355.exe	100
PID 2968 wrote to memory of 4824	2968	yxugwjud1355.exe	100
PID 2968 wrote to memory of 3172	2968	yxugwjud1355.exe	102
PID 2968 wrote to memory of 3172	2968	yxugwjud1355.exe	102
PID 2968 wrote to memory of 3172	2968	yxugwjud1355.exe	102
PID 2968 wrote to memory of 792	2968	yxugwjud1355.exe	104
PID 2968 wrote to memory of 792	2968	yxugwjud1355.exe	104
PID 2968 wrote to memory of 792	2968	yxugwjud1355.exe	104
PID 2968 wrote to memory of 4224	2968	yxugwjud1355.exe	105
PID 2968 wrote to memory of 4224	2968	yxugwjud1355.exe	105
PID 2968 wrote to memory of 4224	2968	yxugwjud1355.exe	105
PID 2968 wrote to memory of 3368	2968	yxugwjud1355.exe	106
PID 2968 wrote to memory of 3368	2968	yxugwjud1355.exe	106
PID 2968 wrote to memory of 3368	2968	yxugwjud1355.exe	106
PID 2968 wrote to memory of 4632	2968	yxugwjud1355.exe	107
PID 2968 wrote to memory of 4632	2968	yxugwjud1355.exe	107
PID 2968 wrote to memory of 4632	2968	yxugwjud1355.exe	107
PID 2968 wrote to memory of 4104	2968	yxugwjud1355.exe	109
PID 2968 wrote to memory of 4104	2968	yxugwjud1355.exe	109
PID 2968 wrote to memory of 4104	2968	yxugwjud1355.exe	109
PID 2968 wrote to memory of 1008	2968	yxugwjud1355.exe	110
PID 2968 wrote to memory of 1008	2968	yxugwjud1355.exe	110
PID 2968 wrote to memory of 1008	2968	yxugwjud1355.exe	110
PID 2968 wrote to memory of 2940	2968	yxugwjud1355.exe	112
PID 2968 wrote to memory of 2940	2968	yxugwjud1355.exe	112
PID 2968 wrote to memory of 2940	2968	yxugwjud1355.exe	112
PID 2968 wrote to memory of 3304	2968	yxugwjud1355.exe	113
PID 2968 wrote to memory of 3304	2968	yxugwjud1355.exe	113

C:\Users\Admin\AppData\Local\Temp\037fbd08e82c6e6362f6c7cc1cf4d1afb0ba855e301642da5ebcfc6bb45ea310.exe
"C:\Users\Admin\AppData\Local\Temp\037fbd08e82c6e6362f6c7cc1cf4d1afb0ba855e301642da5ebcfc6bb45ea310.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4724
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c move /y C:\Users\Admin\AppData\Local\Temp\037fbd08e82c6e6362f6c7cc1cf4d1afb0ba855e301642da5ebcfc6bb45ea310.exe C:\Users\Admin\AppData\Local\Temp\yxugwjud1355.exe
  2⤵
  - Suspicious behavior: RenamesItself
  PID:2404
- C:\Users\Admin\AppData\Local\Temp\yxugwjud1355.exe
  C:\Users\Admin\AppData\Local\Temp\yxugwjud1355.exe -m
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2968
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud1355.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud1355.exe -i Global\SM-yxugwjud -s
    3⤵
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1864
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud1355.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud1355.exe -i Global\SM-yxugwjud -s
    3⤵
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1668
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud1355.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud1355.exe -i Global\SM-yxugwjud -s
    3⤵
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3220
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud1355.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud1355.exe -i Global\SM-yxugwjud -s
    3⤵
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2396
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud1355.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud1355.exe -i Global\SM-yxugwjud -s
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4572
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud1355.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud1355.exe -i Global\SM-yxugwjud -s
    3⤵
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    PID:320
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud1355.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud1355.exe -i Global\SM-yxugwjud -s
    3⤵
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    PID:4316
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud1355.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud1355.exe -i Global\SM-yxugwjud -s
    3⤵
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    PID:444
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud1355.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud1355.exe -i Global\SM-yxugwjud -s
    3⤵
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    PID:4356
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud1355.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud1355.exe -i Global\SM-yxugwjud -s
    3⤵
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    PID:2260
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud1355.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud1355.exe -i Global\SM-yxugwjud -s
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4824
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud1355.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud1355.exe -i Global\SM-yxugwjud -s
    3⤵
    - Drops file in Program Files directory
    PID:3172
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud1355.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud1355.exe -i Global\SM-yxugwjud -s
    3⤵
    - Drops file in Program Files directory
    PID:792
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud1355.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud1355.exe -i Global\SM-yxugwjud -s
    3⤵
    - Drops file in Program Files directory
    PID:4224
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud1355.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud1355.exe -i Global\SM-yxugwjud -s
    3⤵
    - Drops file in Program Files directory
    PID:3368
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud1355.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud1355.exe -i Global\SM-yxugwjud -s
    3⤵
    - Drops file in Program Files directory
    PID:4632
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud1355.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud1355.exe -i Global\SM-yxugwjud -s
    3⤵
    - Drops file in Program Files directory
    PID:4104
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud1355.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud1355.exe -i Global\SM-yxugwjud -s
    3⤵
    - Drops file in Program Files directory
    PID:1008
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud1355.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud1355.exe -i Global\SM-yxugwjud -s
    3⤵
    - Drops file in Program Files directory
    PID:2940
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud1355.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud1355.exe -i Global\SM-yxugwjud -s
    3⤵
    - Drops file in Program Files directory
    PID:3304
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud1355.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud1355.exe -i Global\SM-yxugwjud -s
    3⤵
    - Drops file in Program Files directory
    PID:3700
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud1355.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud1355.exe -i Global\SM-yxugwjud -s
    3⤵
    - Drops file in Program Files directory
    PID:4420
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud1355.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud1355.exe -i Global\SM-yxugwjud -s
    3⤵
    - Drops file in Program Files directory
    PID:1408
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud1355.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud1355.exe -i Global\SM-yxugwjud -s
    3⤵
    - Drops file in Program Files directory
    PID:1416
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud1355.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud1355.exe -i Global\SM-yxugwjud -s
    3⤵
    - Drops file in Program Files directory
    PID:4216
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud1355.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud1355.exe -i Global\SM-yxugwjud -s
    3⤵
    - Drops file in Program Files directory
    PID:1788
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud1355.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud1355.exe -i Global\SM-yxugwjud -s
    3⤵
    - Drops file in Program Files directory
    PID:4492
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud1355.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud1355.exe -i Global\SM-yxugwjud -s
    3⤵
    - Drops file in Program Files directory
    PID:1984
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud1355.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud1355.exe -i Global\SM-yxugwjud -s
    3⤵
    - Drops file in Program Files directory
    PID:1264
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud1355.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud1355.exe -i Global\SM-yxugwjud -s
    3⤵
    - Drops file in Program Files directory
    PID:408
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud1355.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud1355.exe -i Global\SM-yxugwjud -s
    3⤵
    - Drops file in Program Files directory
    PID:1804
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud1355.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud1355.exe -i Global\SM-yxugwjud -s
    3⤵
    - Drops file in Program Files directory
    PID:4936
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud1355.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud1355.exe -i Global\SM-yxugwjud -s
    3⤵
    - Drops file in Program Files directory
    PID:4248
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud1355.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud1355.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4268
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud1355.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud1355.exe -i Global\SM-yxugwjud -s
    3⤵
    - Drops file in Program Files directory
    PID:440
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud1355.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud1355.exe -i Global\SM-yxugwjud -s
    3⤵
    - Drops file in Program Files directory
    PID:3852
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud1355.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud1355.exe -i Global\SM-yxugwjud -s
    3⤵
    - Drops file in Program Files directory
    PID:4140
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud1355.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud1355.exe -i Global\SM-yxugwjud -s
    3⤵
    - Drops file in Program Files directory
    PID:2684
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud1355.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud1355.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4488
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud1355.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud1355.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:5012
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud1355.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud1355.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4812
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud1355.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud1355.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:2032
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud1355.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud1355.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:1588
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud1355.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud1355.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:456
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud1355.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud1355.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4960
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud1355.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud1355.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:3824
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud1355.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud1355.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:4480
- - C:\Users\Admin\AppData\Local\Temp\yxugwjud1355.exe
    C:\Users\Admin\AppData\Local\Temp\yxugwjud1355.exe -i Global\SM-yxugwjud -s
    3⤵
    PID:2812

Windows 7 deprecation

Loading Replay Monitor...

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads