Analysis
- max time kernel: 188s
- max time network: 200s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220112
- submitted: 01/02/2022, 13:37

Static task: static1

Behavioral task: behavioral1
- Sample: 796e87c1cf5c8e271c3a8893931f64040e0689fb254a8525e99f6739b190de2a.exe
- Resource: win7-en-20211208

Behavioral task: behavioral2
- Sample: 796e87c1cf5c8e271c3a8893931f64040e0689fb254a8525e99f6739b190de2a.exe
- Resource: win10v2004-en-20220112
General
- Target: 796e87c1cf5c8e271c3a8893931f64040e0689fb254a8525e99f6739b190de2a.exe
- Size: 1.2MB
- MD5: 8a89e5c03754adcefc90140c4c390076
- SHA1: 9e1fe27a25bd5d36c1d057b7d074dc7ec1ff0240
- SHA256: 796e87c1cf5c8e271c3a8893931f64040e0689fb254a8525e99f6739b190de2a
- SHA512: 3eafe2364124e55060629cabc2b2cb4974b4074e35704fac0447cc8f8f8cc3a2540a94cc381b4b4a305666ba97f67b5097ba00871318d948a915ad134e256851
Malware Config
- Extracted: C:\Users\Public\Desktop\README_LOCKED.txt
Signatures
- LockerGoga
  LockerGoga is a ransomware that is primarily used in targeted, disruptive attacks.
- Drops file in Program Files directory (64 IoCs)
  description | ioc | Process
  File opened for modification | C:\Program Files\Common Files\System\ado\msador28.tlb | tgytutrc6753.exe
  File opened for modification | C:\Program Files\Common Files\System\msadc\msdaprst.dll | tgytutrc6753.exe
  File opened for modification | C:\Program Files\InitializeTrace.rm | tgytutrc6753.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.SF | tgytutrc6753.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\MANIFEST.MF | tgytutrc6753.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\license.html | tgytutrc6753.exe
  File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\mshwLatin.dll | tgytutrc6753.exe
  File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\tipresx.dll | tgytutrc6753.exe
  File opened for modification | C:\Program Files\Common Files\System\msadc\fr-FR\msadcer.dll.mui | tgytutrc6753.exe
  File opened for modification | C:\Program Files\Internet Explorer\es-ES\ieinstal.exe.mui | tgytutrc6753.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\bin\java_crw_demo.dll | tgytutrc6753.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\lib\fonts\LucidaTypewriterBold.ttf | tgytutrc6753.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\META-INF\ECLIPSE_.SF | tgytutrc6753.exe
  File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ja-JP\ShapeCollector.exe.mui | tgytutrc6753.exe
  File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\tabskb.dll | tgytutrc6753.exe
  File opened for modification | C:\Program Files\Common Files\System\en-US\wab32res.dll.mui | tgytutrc6753.exe
  File opened for modification | C:\Program Files\Common Files\System\ado\msadomd28.tlb | tgytutrc6753.exe
  File opened for modification | C:\Program Files\Common Files\System\msadc\msadcor.dll | tgytutrc6753.exe
  File opened for modification | C:\Program Files\Common Files\System\Ole DB\en-US\msdasqlr.dll.mui | tgytutrc6753.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\bin\javaw.exe | tgytutrc6753.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\splash.gif | tgytutrc6753.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\feature.xml | tgytutrc6753.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\feature.properties | tgytutrc6753.exe
  File opened for modification | C:\Program Files\Common Files\System\Ole DB\ja-JP\sqlxmlx.rll.mui | tgytutrc6753.exe
  File opened for modification | C:\Program Files\Internet Explorer\de-DE\ieinstal.exe.mui | tgytutrc6753.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\COPYRIGHT | tgytutrc6753.exe
  File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\tipresx.dll.mui | tgytutrc6753.exe
  File opened for modification | C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\msinfo32.exe.mui | tgytutrc6753.exe
  File opened for modification | C:\Program Files\Common Files\System\Ole DB\es-ES\sqloledb.rll.mui | tgytutrc6753.exe
  File opened for modification | C:\Program Files\Common Files\System\Ole DB\en-US\oledb32r.dll.mui | tgytutrc6753.exe
  File opened for modification | C:\Program Files\Common Files\System\Ole DB\fr-FR\msdasqlr.dll.mui | tgytutrc6753.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\lib\meta-index | tgytutrc6753.exe
  File opened for modification | C:\Program Files\Common Files\System\Ole DB\es-ES\sqlxmlx.rll.mui | tgytutrc6753.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\lib\rt.jar | tgytutrc6753.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\feature.properties | tgytutrc6753.exe
  File opened for modification | C:\Program Files\7-Zip\Lang\ky.txt | tgytutrc6753.exe
  File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ja-JP\rtscom.dll.mui | tgytutrc6753.exe
  File opened for modification | C:\Program Files\Common Files\microsoft shared\VC\msdia90.dll | tgytutrc6753.exe
  File opened for modification | C:\Program Files\Common Files\System\ado\adovbs.inc | tgytutrc6753.exe
  File opened for modification | C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\VSTOLoaderUI.dll | tgytutrc6753.exe
  File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\tr-TR\tipresx.dll.mui | tgytutrc6753.exe
  File opened for modification | C:\Program Files\Common Files\System\es-ES\wab32res.dll.mui | tgytutrc6753.exe
  File opened for modification | C:\Program Files\Common Files\System\msadc\it-IT\msadcor.dll.mui | tgytutrc6753.exe
  File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ja-JP\TipRes.dll.mui | tgytutrc6753.exe
  File opened for modification | C:\Program Files\Common Files\System\ado\msadomd.dll | tgytutrc6753.exe
  File opened for modification | C:\Program Files\Internet Explorer\SIGNUP\install.ins | tgytutrc6753.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\epl-v10.html | tgytutrc6753.exe
  File opened for modification | C:\Program Files\Common Files\System\Ole DB\it-IT\sqlxmlx.rll.mui | tgytutrc6753.exe
  File opened for modification | C:\Program Files\Common Files\System\Ole DB\it-IT\sqloledb.rll.mui | tgytutrc6753.exe
  File opened for modification | C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\msinfo32.exe.mui | tgytutrc6753.exe
  File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe | tgytutrc6753.exe
  File opened for modification | C:\Program Files\Common Files\System\ado\es-ES\msader15.dll.mui | tgytutrc6753.exe
  File opened for modification | C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe | tgytutrc6753.exe
  File opened for modification | C:\Program Files\Common Files\System\msadc\msdaprsr.dll | tgytutrc6753.exe
  File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\pl-PL\tipresx.dll.mui | tgytutrc6753.exe
  File opened for modification | C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\msinfo32.exe.mui | tgytutrc6753.exe
  File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\uk-UA\tipresx.dll.mui | tgytutrc6753.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\bin\zip.dll | tgytutrc6753.exe
  File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fi-FI\tipresx.dll.mui | tgytutrc6753.exe
  File opened for modification | C:\Program Files\Common Files\System\ado\fr-FR\msader15.dll.mui | tgytutrc6753.exe
  File opened for modification | C:\Program Files\Common Files\System\msadc\adcvbs.inc | tgytutrc6753.exe
  File opened for modification | C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\sw.pak | tgytutrc6753.exe
  File opened for modification | C:\Program Files\Google\Chrome\Application\89.0.4389.114\d3dcompiler_47.dll | tgytutrc6753.exe
  File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\sv-SE\tipresx.dll.mui | tgytutrc6753.exe
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | MusNotifyIcon.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | MusNotifyIcon.exe
- Runs net.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  1868 | tgytutrc6753.exe
  1868 | tgytutrc6753.exe
  1840 | tgytutrc6753.exe
  2692 | tgytutrc6753.exe
  1840 | tgytutrc6753.exe
  2692 | tgytutrc6753.exe
  1868 | tgytutrc6753.exe
  1868 | tgytutrc6753.exe
  1840 | tgytutrc6753.exe
  1840 | tgytutrc6753.exe
  1840 | tgytutrc6753.exe
  1840 | tgytutrc6753.exe
  1840 | tgytutrc6753.exe
  1840 | tgytutrc6753.exe
  1840 | tgytutrc6753.exe
  1840 | tgytutrc6753.exe
  1840 | tgytutrc6753.exe
  1840 | tgytutrc6753.exe
  1840 | tgytutrc6753.exe
  1840 | tgytutrc6753.exe
  1840 | tgytutrc6753.exe
  1840 | tgytutrc6753.exe
  1840 | tgytutrc6753.exe
  1840 | tgytutrc6753.exe
  1868 | tgytutrc6753.exe
  1868 | tgytutrc6753.exe
  1868 | tgytutrc6753.exe
  1868 | tgytutrc6753.exe
  1868 | tgytutrc6753.exe
  1868 | tgytutrc6753.exe
  1868 | tgytutrc6753.exe
  1868 | tgytutrc6753.exe
  1840 | tgytutrc6753.exe
  1840 | tgytutrc6753.exe
  1868 | tgytutrc6753.exe
  1868 | tgytutrc6753.exe
  1840 | tgytutrc6753.exe
  1840 | tgytutrc6753.exe
  1868 | tgytutrc6753.exe
  1868 | tgytutrc6753.exe
  1868 | tgytutrc6753.exe
  1868 | tgytutrc6753.exe
  1868 | tgytutrc6753.exe
  1868 | tgytutrc6753.exe
  3240 | tgytutrc6753.exe
  3240 | tgytutrc6753.exe
  1868 | tgytutrc6753.exe
  1868 | tgytutrc6753.exe
  3432 | tgytutrc6753.exe
  3432 | tgytutrc6753.exe
  3240 | tgytutrc6753.exe
  3240 | tgytutrc6753.exe
  3432 | tgytutrc6753.exe
  3432 | tgytutrc6753.exe
  3240 | tgytutrc6753.exe
  3240 | tgytutrc6753.exe
  3432 | tgytutrc6753.exe
  3432 | tgytutrc6753.exe
  3432 | tgytutrc6753.exe
  3432 | tgytutrc6753.exe
  3432 | tgytutrc6753.exe
  3432 | tgytutrc6753.exe
  3240 | tgytutrc6753.exe
  3240 | tgytutrc6753.exe
- Suspicious behavior: RenamesItself (1 IoC)
  pid | Process
  3436 | cmd.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2104 | 796e87c1cf5c8e271c3a8893931f64040e0689fb254a8525e99f6739b190de2a.exe
  Token: SeBackupPrivilege | 2104 | 796e87c1cf5c8e271c3a8893931f64040e0689fb254a8525e99f6739b190de2a.exe
  Token: SeRestorePrivilege | 2104 | 796e87c1cf5c8e271c3a8893931f64040e0689fb254a8525e99f6739b190de2a.exe
  Token: SeLockMemoryPrivilege | 2104 | 796e87c1cf5c8e271c3a8893931f64040e0689fb254a8525e99f6739b190de2a.exe
  Token: SeCreateGlobalPrivilege | 2104 | 796e87c1cf5c8e271c3a8893931f64040e0689fb254a8525e99f6739b190de2a.exe
  Token: SeDebugPrivilege | 2492 | tgytutrc6753.exe
  Token: SeBackupPrivilege | 2492 | tgytutrc6753.exe
  Token: SeRestorePrivilege | 2492 | tgytutrc6753.exe
  Token: SeLockMemoryPrivilege | 2492 | tgytutrc6753.exe
  Token: SeCreateGlobalPrivilege | 2492 | tgytutrc6753.exe
  Token: SeDebugPrivilege | 1868 | tgytutrc6753.exe
  Token: SeBackupPrivilege | 1868 | tgytutrc6753.exe
  Token: SeRestorePrivilege | 1868 | tgytutrc6753.exe
  Token: SeLockMemoryPrivilege | 1868 | tgytutrc6753.exe
  Token: SeDebugPrivilege | 2692 | tgytutrc6753.exe
  Token: SeCreateGlobalPrivilege | 1868 | tgytutrc6753.exe
  Token: SeBackupPrivilege | 2692 | tgytutrc6753.exe
  Token: SeRestorePrivilege | 2692 | tgytutrc6753.exe
  Token: SeLockMemoryPrivilege | 2692 | tgytutrc6753.exe
  Token: SeCreateGlobalPrivilege | 2692 | tgytutrc6753.exe
  Token: SeDebugPrivilege | 1840 | tgytutrc6753.exe
  Token: SeBackupPrivilege | 1840 | tgytutrc6753.exe
  Token: SeRestorePrivilege | 1840 | tgytutrc6753.exe
  Token: SeLockMemoryPrivilege | 1840 | tgytutrc6753.exe
  Token: SeCreateGlobalPrivilege | 1840 | tgytutrc6753.exe
  Token: SeDebugPrivilege | 3240 | tgytutrc6753.exe
  Token: SeBackupPrivilege | 3240 | tgytutrc6753.exe
  Token: SeRestorePrivilege | 3240 | tgytutrc6753.exe
  Token: SeLockMemoryPrivilege | 3240 | tgytutrc6753.exe
  Token: SeCreateGlobalPrivilege | 3240 | tgytutrc6753.exe
  Token: SeDebugPrivilege | 3432 | tgytutrc6753.exe
  Token: SeBackupPrivilege | 3432 | tgytutrc6753.exe
  Token: SeRestorePrivilege | 3432 | tgytutrc6753.exe
  Token: SeLockMemoryPrivilege | 3432 | tgytutrc6753.exe
  Token: SeCreateGlobalPrivilege | 3432 | tgytutrc6753.exe
  Token: SeDebugPrivilege | 3668 | tgytutrc6753.exe
  Token: SeBackupPrivilege | 3668 | tgytutrc6753.exe
  Token: SeRestorePrivilege | 3668 | tgytutrc6753.exe
  Token: SeLockMemoryPrivilege | 3668 | tgytutrc6753.exe
  Token: SeCreateGlobalPrivilege | 3668 | tgytutrc6753.exe
  Token: SeDebugPrivilege | 3048 | tgytutrc6753.exe
  Token: SeBackupPrivilege | 3048 | tgytutrc6753.exe
  Token: SeRestorePrivilege | 3048 | tgytutrc6753.exe
  Token: SeLockMemoryPrivilege | 3048 | tgytutrc6753.exe
  Token: SeCreateGlobalPrivilege | 3048 | tgytutrc6753.exe
  Token: SeDebugPrivilege | 692 | tgytutrc6753.exe
  Token: SeBackupPrivilege | 692 | tgytutrc6753.exe
  Token: SeRestorePrivilege | 692 | tgytutrc6753.exe
  Token: SeLockMemoryPrivilege | 692 | tgytutrc6753.exe
  Token: SeCreateGlobalPrivilege | 692 | tgytutrc6753.exe
  Token: SeDebugPrivilege | 3196 | tgytutrc6753.exe
  Token: SeBackupPrivilege | 3196 | tgytutrc6753.exe
  Token: SeRestorePrivilege | 3196 | tgytutrc6753.exe
  Token: SeLockMemoryPrivilege | 3196 | tgytutrc6753.exe
  Token: SeCreateGlobalPrivilege | 3196 | tgytutrc6753.exe
  Token: SeDebugPrivilege | 1904 | tgytutrc6753.exe
  Token: SeBackupPrivilege | 1904 | tgytutrc6753.exe
  Token: SeRestorePrivilege | 1904 | tgytutrc6753.exe
  Token: SeLockMemoryPrivilege | 1904 | tgytutrc6753.exe
  Token: SeCreateGlobalPrivilege | 1904 | tgytutrc6753.exe
  Token: SeDebugPrivilege | 1708 | tgytutrc6753.exe
  Token: SeBackupPrivilege | 1708 | tgytutrc6753.exe
  Token: SeRestorePrivilege | 1708 | tgytutrc6753.exe
  Token: SeLockMemoryPrivilege | 1708 | tgytutrc6753.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  description | pid | Process | procid_target
  PID 2104 wrote to memory of 3436 | 2104 | 796e87c1cf5c8e271c3a8893931f64040e0689fb254a8525e99f6739b190de2a.exe | 57
  PID 2104 wrote to memory of 3436 | 2104 | 796e87c1cf5c8e271c3a8893931f64040e0689fb254a8525e99f6739b190de2a.exe | 57
  PID 2104 wrote to memory of 2492 | 2104 | 796e87c1cf5c8e271c3a8893931f64040e0689fb254a8525e99f6739b190de2a.exe | 59
  PID 2104 wrote to memory of 2492 | 2104 | 796e87c1cf5c8e271c3a8893931f64040e0689fb254a8525e99f6739b190de2a.exe | 59
  PID 2104 wrote to memory of 2492 | 2104 | 796e87c1cf5c8e271c3a8893931f64040e0689fb254a8525e99f6739b190de2a.exe | 59
  PID 2492 wrote to memory of 2516 | 2492 | tgytutrc6753.exe | 60
  PID 2492 wrote to memory of 2516 | 2492 | tgytutrc6753.exe | 60
  PID 2492 wrote to memory of 2736 | 2492 | tgytutrc6753.exe | 63
  PID 2492 wrote to memory of 2736 | 2492 | tgytutrc6753.exe | 63
  PID 2492 wrote to memory of 3968 | 2492 | tgytutrc6753.exe | 62
  PID 2492 wrote to memory of 3968 | 2492 | tgytutrc6753.exe | 62
  PID 2492 wrote to memory of 3372 | 2492 | tgytutrc6753.exe | 64
  PID 2492 wrote to memory of 3372 | 2492 | tgytutrc6753.exe | 64
  PID 2492 wrote to memory of 2580 | 2492 | tgytutrc6753.exe | 69
  PID 2492 wrote to memory of 2580 | 2492 | tgytutrc6753.exe | 69
  PID 2492 wrote to memory of 3828 | 2492 | tgytutrc6753.exe | 70
  PID 2492 wrote to memory of 3828 | 2492 | tgytutrc6753.exe | 70
  PID 3828 wrote to memory of 2908 | 3828 | net.exe | 72
  PID 3828 wrote to memory of 2908 | 3828 | net.exe | 72
  PID 2492 wrote to memory of 3892 | 2492 | tgytutrc6753.exe | 73
  PID 2492 wrote to memory of 3892 | 2492 | tgytutrc6753.exe | 73
  PID 3892 wrote to memory of 3316 | 3892 | net.exe | 75
  PID 3892 wrote to memory of 3316 | 3892 | net.exe | 75
  PID 2492 wrote to memory of 2692 | 2492 | tgytutrc6753.exe | 76
  PID 2492 wrote to memory of 2692 | 2492 | tgytutrc6753.exe | 76
  PID 2492 wrote to memory of 2692 | 2492 | tgytutrc6753.exe | 76
  PID 2492 wrote to memory of 1840 | 2492 | tgytutrc6753.exe | 78
  PID 2492 wrote to memory of 1840 | 2492 | tgytutrc6753.exe | 78
  PID 2492 wrote to memory of 1840 | 2492 | tgytutrc6753.exe | 78
  PID 2492 wrote to memory of 1868 | 2492 | tgytutrc6753.exe | 77
  PID 2492 wrote to memory of 1868 | 2492 | tgytutrc6753.exe | 77
  PID 2492 wrote to memory of 1868 | 2492 | tgytutrc6753.exe | 77
  PID 2492 wrote to memory of 3240 | 2492 | tgytutrc6753.exe | 81
  PID 2492 wrote to memory of 3240 | 2492 | tgytutrc6753.exe | 81
  PID 2492 wrote to memory of 3240 | 2492 | tgytutrc6753.exe | 81
  PID 2492 wrote to memory of 3432 | 2492 | tgytutrc6753.exe | 82
  PID 2492 wrote to memory of 3432 | 2492 | tgytutrc6753.exe | 82
  PID 2492 wrote to memory of 3432 | 2492 | tgytutrc6753.exe | 82
  PID 2492 wrote to memory of 3668 | 2492 | tgytutrc6753.exe | 84
  PID 2492 wrote to memory of 3668 | 2492 | tgytutrc6753.exe | 84
  PID 2492 wrote to memory of 3668 | 2492 | tgytutrc6753.exe | 84
  PID 2492 wrote to memory of 3048 | 2492 | tgytutrc6753.exe | 85
  PID 2492 wrote to memory of 3048 | 2492 | tgytutrc6753.exe | 85
  PID 2492 wrote to memory of 3048 | 2492 | tgytutrc6753.exe | 85
  PID 2492 wrote to memory of 692 | 2492 | tgytutrc6753.exe | 86
  PID 2492 wrote to memory of 692 | 2492 | tgytutrc6753.exe | 86
  PID 2492 wrote to memory of 692 | 2492 | tgytutrc6753.exe | 86
  PID 2492 wrote to memory of 3196 | 2492 | tgytutrc6753.exe | 87
  PID 2492 wrote to memory of 3196 | 2492 | tgytutrc6753.exe | 87
  PID 2492 wrote to memory of 3196 | 2492 | tgytutrc6753.exe | 87
  PID 2492 wrote to memory of 1904 | 2492 | tgytutrc6753.exe | 88
  PID 2492 wrote to memory of 1904 | 2492 | tgytutrc6753.exe | 88
  PID 2492 wrote to memory of 1904 | 2492 | tgytutrc6753.exe | 88
  PID 2492 wrote to memory of 1708 | 2492 | tgytutrc6753.exe | 89
  PID 2492 wrote to memory of 1708 | 2492 | tgytutrc6753.exe | 89
  PID 2492 wrote to memory of 1708 | 2492 | tgytutrc6753.exe | 89
  PID 2492 wrote to memory of 2304 | 2492 | tgytutrc6753.exe | 91
  PID 2492 wrote to memory of 2304 | 2492 | tgytutrc6753.exe | 91
  PID 2492 wrote to memory of 2304 | 2492 | tgytutrc6753.exe | 91
  PID 2492 wrote to memory of 3056 | 2492 | tgytutrc6753.exe | 92
  PID 2492 wrote to memory of 3056 | 2492 | tgytutrc6753.exe | 92
  PID 2492 wrote to memory of 3056 | 2492 | tgytutrc6753.exe | 92
  PID 2492 wrote to memory of 3516 | 2492 | tgytutrc6753.exe | 94
  PID 2492 wrote to memory of 3516 | 2492 | tgytutrc6753.exe | 94
Processes

C:\Users\Admin\AppData\Local\Temp\796e87c1cf5c8e271c3a8893931f64040e0689fb254a8525e99f6739b190de2a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\796e87c1cf5c8e271c3a8893931f64040e0689fb254a8525e99f6739b190de2a.exe"
  PID: 2104
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c move /y C:\Users\Admin\AppData\Local\Temp\796e87c1cf5c8e271c3a8893931f64040e0689fb254a8525e99f6739b190de2a.exe C:\Users\Admin\AppData\Local\Temp\tgytutrc6753.exe
    PID: 3436
    - Suspicious behavior: RenamesItself

  C:\Users\Admin\AppData\Local\Temp\tgytutrc6753.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\tgytutrc6753.exe -m
    PID: 2492
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\logoff.exe
      Command line: C:\Windows\system32\logoff.exe 0
      PID: 2516

    C:\Windows\system32\logoff.exe
      Command line: C:\Windows\system32\logoff.exe 0
      PID: 3968

    C:\Windows\system32\logoff.exe
      Command line: C:\Windows\system32\logoff.exe 0
      PID: 2736

    C:\Windows\system32\logoff.exe
      Command line: C:\Windows\system32\logoff.exe 0
      PID: 3372

    C:\Windows\system32\logoff.exe
      Command line: C:\Windows\system32\logoff.exe 0
      PID: 2580

    C:\Windows\system32\net.exe
      Command line: C:\Windows\system32\net.exe user Admin HuHuHUHoHo283283@dJD
      PID: 3828
      - Suspicious use of WriteProcessMemory

      C:\Windows\system32\net1.exe
        Command line: C:\Windows\system32\net1 user Admin HuHuHUHoHo283283@dJD
        PID: 2908

    C:\Windows\system32\net.exe
      Command line: C:\Windows\system32\net.exe user Administrator HuHuHUHoHo283283@dJD
      PID: 3892
      - Suspicious use of WriteProcessMemory

      C:\Windows\system32\net1.exe
        Command line: C:\Windows\system32\net1 user Administrator HuHuHUHoHo283283@dJD
        PID: 3316

    C:\Users\Admin\AppData\Local\Temp\tgytutrc6753.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\tgytutrc6753.exe -i SM-tgytutrc -s
      PID: 2692
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\tgytutrc6753.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\tgytutrc6753.exe -i SM-tgytutrc -s
      PID: 1868
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\tgytutrc6753.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\tgytutrc6753.exe -i SM-tgytutrc -s
      PID: 1840
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\tgytutrc6753.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\tgytutrc6753.exe -i SM-tgytutrc -s
      PID: 3240
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\tgytutrc6753.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\tgytutrc6753.exe -i SM-tgytutrc -s
      PID: 3432
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\tgytutrc6753.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\tgytutrc6753.exe -i SM-tgytutrc -s
      PID: 3668
      - Drops file in Program Files directory
      - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\tgytutrc6753.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\tgytutrc6753.exe -i SM-tgytutrc -s
      PID: 3048
      - Drops file in Program Files directory
      - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\tgytutrc6753.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\tgytutrc6753.exe -i SM-tgytutrc -s
      PID: 692
      - Drops file in Program Files directory
      - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\tgytutrc6753.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\tgytutrc6753.exe -i SM-tgytutrc -s
      PID: 3196
      - Drops file in Program Files directory
      - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\tgytutrc6753.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\tgytutrc6753.exe -i SM-tgytutrc -s
      PID: 1904
      - Drops file in Program Files directory
      - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\tgytutrc6753.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\tgytutrc6753.exe -i SM-tgytutrc -s
      PID: 1708
      - Drops file in Program Files directory
      - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\tgytutrc6753.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\tgytutrc6753.exe -i SM-tgytutrc -s
      PID: 2304
      - Drops file in Program Files directory

    C:\Users\Admin\AppData\Local\Temp\tgytutrc6753.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\tgytutrc6753.exe -i SM-tgytutrc -s
      PID: 3056
      - Drops file in Program Files directory

    C:\Users\Admin\AppData\Local\Temp\tgytutrc6753.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\tgytutrc6753.exe -i SM-tgytutrc -s
      PID: 3516
      - Drops file in Program Files directory

    C:\Users\Admin\AppData\Local\Temp\tgytutrc6753.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\tgytutrc6753.exe -i SM-tgytutrc -s
      PID: 2736
      - Drops file in Program Files directory

    C:\Users\Admin\AppData\Local\Temp\tgytutrc6753.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\tgytutrc6753.exe -i SM-tgytutrc -s
      PID: 60
      - Drops file in Program Files directory

    C:\Users\Admin\AppData\Local\Temp\tgytutrc6753.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\tgytutrc6753.exe -i SM-tgytutrc -s
      PID: 3960

C:\Windows\system32\MusNotifyIcon.exe
  Command line: %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
  PID: 1860
  - Checks processor information in registry

C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k wusvcs -p
  PID: 1164