lockergoga | 6c9ffb9bf2075cf2f48f8c96afbbe83351835ebced6e16c1289d18db60a97bfb

Analysis

max time kernel
166s
max time network
173s
platform
windows10-2004_x64
resource
win10v2004-en-20220112
submitted
01/02/2022, 13:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6c9ffb9bf2075cf2f48f8c96afbbe83351835ebced6e16c1289d18db60a97bfb.exe
Size

1.2MB
MD5

8fa4c94a15a2f5cc419604f1379099c6
SHA1

9c26f8b6c7ba71c7acf2741b6a1291ca80376fc0
SHA256

6c9ffb9bf2075cf2f48f8c96afbbe83351835ebced6e16c1289d18db60a97bfb
SHA512

809755f5d08406e252717a60942de11a038abf628a6d3c8f7878167a64c78f0dd0b54ef73c3880b19879f9b918c4f23e3ad40f787f14bd4ac1eefe58ff304e69

Score

10^/10

lockergoga banker ransomware trojan

Malware Config

Extracted

Path

C:\Users\Public\Desktop\README_LOCKED.txt

Ransom Note

Greetings! There was a significant flaw in the security system of your company. You should be thankful that the flaw was exploited by serious people and not some rookies. They would have damaged all of your data by mistake or for fun. Your files are encrypted with the strongest military algorithms RSA4096 and AES-256. Without our special decoder it is impossible to restore the data. Attempts to restore your data with third party software as Photorec, RannohDecryptor etc. will lead to irreversible destruction of your data. To confirm our honest intentions. Send us 2-3 different random files and you will get them decrypted. It can be from different computers on your network to be sure that our decoder decrypts everything. Sample files we unlock for free (files should not be related to any kind of backups). We exclusively have decryption software for your situation DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT RENAME the encrypted files. DO NOT MOVE the encrypted files. This may lead to the impossibility of recovery of the certain files. The payment has to be made in Bitcoins. The final price depends on how fast you contact us. As soon as we receive the payment you will get the decryption tool and instructions on how to improve your systems security To get information on the price of the decoder contact us at: [email protected] [email protected]

Emails

[email protected]

Signatures

LockerGoga
LockerGoga is a ransomware that is primarily used in targeted, disruptive attacks.
trojan banker lockergoga

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\desktop.ini	tgytutrc8505.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\epl-v10.html	tgytutrc8505.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\feature.properties	tgytutrc8505.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\locale\org-openide-util-lookup_ja.jar	tgytutrc8505.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\ext\updater.jar	tgytutrc8505.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msado20.tlb	tgytutrc8505.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\bin\stopNetworkServer	tgytutrc8505.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\feature.xml	tgytutrc8505.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\feature.properties	tgytutrc8505.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\1423496937509.profile.gz	tgytutrc8505.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\1423496926306.profile.gz	tgytutrc8505.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rcp.intro.zh_CN_5.5.0.165303.jar	tgytutrc8505.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\en-US\msdasqlr.dll.mui	tgytutrc8505.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303\feature.xml	tgytutrc8505.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\ECLIPSE_.SF	tgytutrc8505.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.nl_ja_4.4.0.v20140623020002.jar	tgytutrc8505.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\msinfo32.exe.mui	tgytutrc8505.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\META-INF\MANIFEST.MF	tgytutrc8505.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\.lock	tgytutrc8505.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\org-openide-modules.jar	tgytutrc8505.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\lib\locale\jfluid-server_zh_CN.jar	tgytutrc8505.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\es-MX\tipresx.dll.mui	tgytutrc8505.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\locale\org-openide-util_zh_CN.jar	tgytutrc8505.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TipRes.dll	tgytutrc8505.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\com.jrockit.mc.rcp.product_root_5.5.0.165303	tgytutrc8505.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-openide-text.xml	tgytutrc8505.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\fr-FR\oledb32r.dll.mui	tgytutrc8505.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\.lastModified	tgytutrc8505.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\org-openide-util-lookup.jar	tgytutrc8505.exe
File opened for modification	C:\Program Files\Common Files\System\ado\de-DE\msader15.dll.mui	tgytutrc8505.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64.nl_zh_4.4.0.v20140623020002.jar	tgytutrc8505.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\core\locale\org-openide-filesystems_ja.jar	tgytutrc8505.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\locale\org-openide-modules_zh_CN.jar	tgytutrc8505.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msador28.tlb	tgytutrc8505.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\fonts\LucidaTypewriterBold.ttf	tgytutrc8505.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\license.html	tgytutrc8505.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\etc\visualvm.clusters	tgytutrc8505.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-openide-windows.jar	tgytutrc8505.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\it-IT\sqloledb.rll.mui	tgytutrc8505.exe
File opened for modification	C:\Program Files\Internet Explorer\en-US\ieinstal.exe.mui	tgytutrc8505.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\pack200.exe	tgytutrc8505.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\zip.dll	tgytutrc8505.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\plugin.properties	tgytutrc8505.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ThirdPartyNotices.MSHWLatin.txt	tgytutrc8505.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\META-INF\MANIFEST.MF	tgytutrc8505.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64.nl_ja_4.4.0.v20140623020002.jar	tgytutrc8505.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\sa-jdi.jar	tgytutrc8505.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\zh-CN\tipresx.dll.mui	tgytutrc8505.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\tpcps.dll	tgytutrc8505.exe
File opened for modification	C:\Program Files\ImportResolve.doc	tgytutrc8505.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\COPYRIGHT	tgytutrc8505.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\mc.jar	tgytutrc8505.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\META-INF\MANIFEST.MF	tgytutrc8505.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\org-openide-util.jar	tgytutrc8505.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\msdaprst.dll	tgytutrc8505.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\fr-FR\sqlxmlx.rll.mui	tgytutrc8505.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\fr-FR\sqloledb.rll.mui	tgytutrc8505.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\ru.pak	tgytutrc8505.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\include\jvmticmlr.h	tgytutrc8505.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\feature.xml	tgytutrc8505.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx.ext_5.5.0.165303.jar	tgytutrc8505.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.databinding.property.nl_ja_4.4.0.v20140623020002.jar	tgytutrc8505.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\es-ES\msdaremr.dll.mui	tgytutrc8505.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\it-IT\msdaprsr.dll.mui	tgytutrc8505.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\lv-LV\tipresx.dll.mui	tgytutrc8505.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2704	tgytutrc8505.exe
2704	tgytutrc8505.exe
3652	tgytutrc8505.exe
3652	tgytutrc8505.exe
2132	tgytutrc8505.exe
2132	tgytutrc8505.exe
3652	tgytutrc8505.exe
3652	tgytutrc8505.exe
2704	tgytutrc8505.exe
2704	tgytutrc8505.exe
2704	tgytutrc8505.exe
2704	tgytutrc8505.exe
2704	tgytutrc8505.exe
2704	tgytutrc8505.exe
2704	tgytutrc8505.exe
2704	tgytutrc8505.exe
2704	tgytutrc8505.exe
2704	tgytutrc8505.exe
2704	tgytutrc8505.exe
2704	tgytutrc8505.exe
3652	tgytutrc8505.exe
3652	tgytutrc8505.exe
2704	tgytutrc8505.exe
2704	tgytutrc8505.exe
3652	tgytutrc8505.exe
3652	tgytutrc8505.exe
2704	tgytutrc8505.exe
2704	tgytutrc8505.exe
3652	tgytutrc8505.exe
3652	tgytutrc8505.exe
2704	tgytutrc8505.exe
2704	tgytutrc8505.exe
2704	tgytutrc8505.exe
2704	tgytutrc8505.exe
3652	tgytutrc8505.exe
3652	tgytutrc8505.exe
3652	tgytutrc8505.exe
3652	tgytutrc8505.exe
3652	tgytutrc8505.exe
3652	tgytutrc8505.exe
3652	tgytutrc8505.exe
3652	tgytutrc8505.exe
3652	tgytutrc8505.exe
3652	tgytutrc8505.exe
2132	tgytutrc8505.exe
2132	tgytutrc8505.exe
3652	tgytutrc8505.exe
3652	tgytutrc8505.exe
2132	tgytutrc8505.exe
2132	tgytutrc8505.exe
3088	tgytutrc8505.exe
3088	tgytutrc8505.exe
2132	tgytutrc8505.exe
2132	tgytutrc8505.exe
2132	tgytutrc8505.exe
2132	tgytutrc8505.exe
3088	tgytutrc8505.exe
3088	tgytutrc8505.exe
3088	tgytutrc8505.exe
3088	tgytutrc8505.exe
2132	tgytutrc8505.exe
2132	tgytutrc8505.exe
3088	tgytutrc8505.exe
3088	tgytutrc8505.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3260	cmd.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3704	6c9ffb9bf2075cf2f48f8c96afbbe83351835ebced6e16c1289d18db60a97bfb.exe
Token: SeBackupPrivilege	3704	6c9ffb9bf2075cf2f48f8c96afbbe83351835ebced6e16c1289d18db60a97bfb.exe
Token: SeRestorePrivilege	3704	6c9ffb9bf2075cf2f48f8c96afbbe83351835ebced6e16c1289d18db60a97bfb.exe
Token: SeLockMemoryPrivilege	3704	6c9ffb9bf2075cf2f48f8c96afbbe83351835ebced6e16c1289d18db60a97bfb.exe
Token: SeCreateGlobalPrivilege	3704	6c9ffb9bf2075cf2f48f8c96afbbe83351835ebced6e16c1289d18db60a97bfb.exe
Token: SeDebugPrivilege	3468	tgytutrc8505.exe
Token: SeBackupPrivilege	3468	tgytutrc8505.exe
Token: SeRestorePrivilege	3468	tgytutrc8505.exe
Token: SeLockMemoryPrivilege	3468	tgytutrc8505.exe
Token: SeCreateGlobalPrivilege	3468	tgytutrc8505.exe
Token: SeDebugPrivilege	2132	tgytutrc8505.exe
Token: SeBackupPrivilege	2132	tgytutrc8505.exe
Token: SeRestorePrivilege	2132	tgytutrc8505.exe
Token: SeLockMemoryPrivilege	2132	tgytutrc8505.exe
Token: SeCreateGlobalPrivilege	2132	tgytutrc8505.exe
Token: SeDebugPrivilege	2704	tgytutrc8505.exe
Token: SeBackupPrivilege	2704	tgytutrc8505.exe
Token: SeRestorePrivilege	2704	tgytutrc8505.exe
Token: SeLockMemoryPrivilege	2704	tgytutrc8505.exe
Token: SeCreateGlobalPrivilege	2704	tgytutrc8505.exe
Token: SeDebugPrivilege	3652	tgytutrc8505.exe
Token: SeBackupPrivilege	3652	tgytutrc8505.exe
Token: SeRestorePrivilege	3652	tgytutrc8505.exe
Token: SeLockMemoryPrivilege	3652	tgytutrc8505.exe
Token: SeCreateGlobalPrivilege	3652	tgytutrc8505.exe
Token: SeDebugPrivilege	3088	tgytutrc8505.exe
Token: SeBackupPrivilege	3088	tgytutrc8505.exe
Token: SeRestorePrivilege	3088	tgytutrc8505.exe
Token: SeLockMemoryPrivilege	3088	tgytutrc8505.exe
Token: SeCreateGlobalPrivilege	3088	tgytutrc8505.exe
Token: SeDebugPrivilege	428	tgytutrc8505.exe
Token: SeBackupPrivilege	428	tgytutrc8505.exe
Token: SeRestorePrivilege	428	tgytutrc8505.exe
Token: SeLockMemoryPrivilege	428	tgytutrc8505.exe
Token: SeCreateGlobalPrivilege	428	tgytutrc8505.exe
Token: SeDebugPrivilege	1912	tgytutrc8505.exe
Token: SeBackupPrivilege	1912	tgytutrc8505.exe
Token: SeRestorePrivilege	1912	tgytutrc8505.exe
Token: SeLockMemoryPrivilege	1912	tgytutrc8505.exe
Token: SeCreateGlobalPrivilege	1912	tgytutrc8505.exe
Token: SeDebugPrivilege	2560	tgytutrc8505.exe
Token: SeBackupPrivilege	2560	tgytutrc8505.exe
Token: SeRestorePrivilege	2560	tgytutrc8505.exe
Token: SeLockMemoryPrivilege	2560	tgytutrc8505.exe
Token: SeCreateGlobalPrivilege	2560	tgytutrc8505.exe
Token: SeDebugPrivilege	2552	tgytutrc8505.exe
Token: SeBackupPrivilege	2552	tgytutrc8505.exe
Token: SeRestorePrivilege	2552	tgytutrc8505.exe
Token: SeLockMemoryPrivilege	2552	tgytutrc8505.exe
Token: SeCreateGlobalPrivilege	2552	tgytutrc8505.exe
Token: SeDebugPrivilege	4060	tgytutrc8505.exe
Token: SeBackupPrivilege	4060	tgytutrc8505.exe
Token: SeRestorePrivilege	4060	tgytutrc8505.exe
Token: SeLockMemoryPrivilege	4060	tgytutrc8505.exe
Token: SeCreateGlobalPrivilege	4060	tgytutrc8505.exe
Token: SeDebugPrivilege	668	tgytutrc8505.exe
Token: SeBackupPrivilege	668	tgytutrc8505.exe
Token: SeRestorePrivilege	668	tgytutrc8505.exe
Token: SeLockMemoryPrivilege	668	tgytutrc8505.exe
Token: SeCreateGlobalPrivilege	668	tgytutrc8505.exe
Token: SeDebugPrivilege	3476	tgytutrc8505.exe
Token: SeBackupPrivilege	3476	tgytutrc8505.exe
Token: SeRestorePrivilege	3476	tgytutrc8505.exe
Token: SeLockMemoryPrivilege	3476	tgytutrc8505.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3704 wrote to memory of 3260	3704	6c9ffb9bf2075cf2f48f8c96afbbe83351835ebced6e16c1289d18db60a97bfb.exe	56
PID 3704 wrote to memory of 3260	3704	6c9ffb9bf2075cf2f48f8c96afbbe83351835ebced6e16c1289d18db60a97bfb.exe	56
PID 3704 wrote to memory of 3468	3704	6c9ffb9bf2075cf2f48f8c96afbbe83351835ebced6e16c1289d18db60a97bfb.exe	58
PID 3704 wrote to memory of 3468	3704	6c9ffb9bf2075cf2f48f8c96afbbe83351835ebced6e16c1289d18db60a97bfb.exe	58
PID 3704 wrote to memory of 3468	3704	6c9ffb9bf2075cf2f48f8c96afbbe83351835ebced6e16c1289d18db60a97bfb.exe	58
PID 3468 wrote to memory of 1180	3468	tgytutrc8505.exe	63
PID 3468 wrote to memory of 1180	3468	tgytutrc8505.exe	63
PID 3468 wrote to memory of 3400	3468	tgytutrc8505.exe	62
PID 3468 wrote to memory of 3400	3468	tgytutrc8505.exe	62
PID 3468 wrote to memory of 1936	3468	tgytutrc8505.exe	61
PID 3468 wrote to memory of 1936	3468	tgytutrc8505.exe	61
PID 3468 wrote to memory of 1216	3468	tgytutrc8505.exe	60
PID 3468 wrote to memory of 1216	3468	tgytutrc8505.exe	60
PID 3468 wrote to memory of 2432	3468	tgytutrc8505.exe	59
PID 3468 wrote to memory of 2432	3468	tgytutrc8505.exe	59
PID 3468 wrote to memory of 756	3468	tgytutrc8505.exe	69
PID 3468 wrote to memory of 756	3468	tgytutrc8505.exe	69
PID 756 wrote to memory of 1824	756	net.exe	71
PID 756 wrote to memory of 1824	756	net.exe	71
PID 3468 wrote to memory of 2188	3468	tgytutrc8505.exe	72
PID 3468 wrote to memory of 2188	3468	tgytutrc8505.exe	72
PID 2188 wrote to memory of 2968	2188	net.exe	74
PID 2188 wrote to memory of 2968	2188	net.exe	74
PID 3468 wrote to memory of 2704	3468	tgytutrc8505.exe	77
PID 3468 wrote to memory of 2704	3468	tgytutrc8505.exe	77
PID 3468 wrote to memory of 2704	3468	tgytutrc8505.exe	77
PID 3468 wrote to memory of 2132	3468	tgytutrc8505.exe	76
PID 3468 wrote to memory of 2132	3468	tgytutrc8505.exe	76
PID 3468 wrote to memory of 2132	3468	tgytutrc8505.exe	76
PID 3468 wrote to memory of 3652	3468	tgytutrc8505.exe	75
PID 3468 wrote to memory of 3652	3468	tgytutrc8505.exe	75
PID 3468 wrote to memory of 3652	3468	tgytutrc8505.exe	75
PID 3468 wrote to memory of 3088	3468	tgytutrc8505.exe	80
PID 3468 wrote to memory of 3088	3468	tgytutrc8505.exe	80
PID 3468 wrote to memory of 3088	3468	tgytutrc8505.exe	80
PID 3468 wrote to memory of 428	3468	tgytutrc8505.exe	82
PID 3468 wrote to memory of 428	3468	tgytutrc8505.exe	82
PID 3468 wrote to memory of 428	3468	tgytutrc8505.exe	82
PID 3468 wrote to memory of 1912	3468	tgytutrc8505.exe	83
PID 3468 wrote to memory of 1912	3468	tgytutrc8505.exe	83
PID 3468 wrote to memory of 1912	3468	tgytutrc8505.exe	83
PID 3468 wrote to memory of 2560	3468	tgytutrc8505.exe	84
PID 3468 wrote to memory of 2560	3468	tgytutrc8505.exe	84
PID 3468 wrote to memory of 2560	3468	tgytutrc8505.exe	84
PID 3468 wrote to memory of 2552	3468	tgytutrc8505.exe	85
PID 3468 wrote to memory of 2552	3468	tgytutrc8505.exe	85
PID 3468 wrote to memory of 2552	3468	tgytutrc8505.exe	85
PID 3468 wrote to memory of 4060	3468	tgytutrc8505.exe	87
PID 3468 wrote to memory of 4060	3468	tgytutrc8505.exe	87
PID 3468 wrote to memory of 4060	3468	tgytutrc8505.exe	87
PID 3468 wrote to memory of 668	3468	tgytutrc8505.exe	88
PID 3468 wrote to memory of 668	3468	tgytutrc8505.exe	88
PID 3468 wrote to memory of 668	3468	tgytutrc8505.exe	88
PID 3468 wrote to memory of 3476	3468	tgytutrc8505.exe	89
PID 3468 wrote to memory of 3476	3468	tgytutrc8505.exe	89
PID 3468 wrote to memory of 3476	3468	tgytutrc8505.exe	89
PID 3468 wrote to memory of 3044	3468	tgytutrc8505.exe	90
PID 3468 wrote to memory of 3044	3468	tgytutrc8505.exe	90
PID 3468 wrote to memory of 3044	3468	tgytutrc8505.exe	90
PID 3468 wrote to memory of 3208	3468	tgytutrc8505.exe	94
PID 3468 wrote to memory of 3208	3468	tgytutrc8505.exe	94
PID 3468 wrote to memory of 3208	3468	tgytutrc8505.exe	94
PID 3468 wrote to memory of 1968	3468	tgytutrc8505.exe	95
PID 3468 wrote to memory of 1968	3468	tgytutrc8505.exe	95

C:\Users\Admin\AppData\Local\Temp\6c9ffb9bf2075cf2f48f8c96afbbe83351835ebced6e16c1289d18db60a97bfb.exe
"C:\Users\Admin\AppData\Local\Temp\6c9ffb9bf2075cf2f48f8c96afbbe83351835ebced6e16c1289d18db60a97bfb.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3704
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c move /y C:\Users\Admin\AppData\Local\Temp\6c9ffb9bf2075cf2f48f8c96afbbe83351835ebced6e16c1289d18db60a97bfb.exe C:\Users\Admin\AppData\Local\Temp\tgytutrc8505.exe
  2⤵
  - Suspicious behavior: RenamesItself
  PID:3260
- C:\Users\Admin\AppData\Local\Temp\tgytutrc8505.exe
  C:\Users\Admin\AppData\Local\Temp\tgytutrc8505.exe -m
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3468
- - C:\Windows\system32\logoff.exe
    C:\Windows\system32\logoff.exe 0
    3⤵
    PID:2432
- - C:\Windows\system32\logoff.exe
    C:\Windows\system32\logoff.exe 0
    3⤵
    PID:1216
- - C:\Windows\system32\logoff.exe
    C:\Windows\system32\logoff.exe 0
    3⤵
    PID:1936
- - C:\Windows\system32\logoff.exe
    C:\Windows\system32\logoff.exe 0
    3⤵
    PID:3400
- - C:\Windows\system32\logoff.exe
    C:\Windows\system32\logoff.exe 0
    3⤵
    PID:1180
- - C:\Windows\system32\net.exe
    C:\Windows\system32\net.exe user Admin HuHuHUHoHo283283@dJD
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:756
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user Admin HuHuHUHoHo283283@dJD
      4⤵
      PID:1824
- - C:\Windows\system32\net.exe
    C:\Windows\system32\net.exe user Administrator HuHuHUHoHo283283@dJD
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2188
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user Administrator HuHuHUHoHo283283@dJD
      4⤵
      PID:2968
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc8505.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc8505.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3652
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc8505.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc8505.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2132
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc8505.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc8505.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2704
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc8505.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc8505.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3088
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc8505.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc8505.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    PID:428
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc8505.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc8505.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    PID:1912
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc8505.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc8505.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    PID:2560
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc8505.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc8505.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    PID:2552
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc8505.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc8505.exe -i SM-tgytutrc -s
    3⤵
    - Drops desktop.ini file(s)
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    PID:4060
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc8505.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc8505.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    PID:668
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc8505.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc8505.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    PID:3476
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc8505.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc8505.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:3044
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc8505.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc8505.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:3208
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc8505.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc8505.exe -i SM-tgytutrc -s
    3⤵
    PID:1968
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc8505.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc8505.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:2184
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc8505.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc8505.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:3280
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc8505.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc8505.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:2140
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc8505.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc8505.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:916
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc8505.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc8505.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:520
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc8505.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc8505.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:3788
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc8505.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc8505.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:1956
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc8505.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc8505.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:2976
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc8505.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc8505.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:332
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc8505.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc8505.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:3424
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc8505.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc8505.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:2728
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc8505.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc8505.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:3724
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc8505.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc8505.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:3524
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc8505.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc8505.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:552
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc8505.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc8505.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:844
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc8505.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc8505.exe -i SM-tgytutrc -s
    3⤵
    - Drops file in Program Files directory
    PID:1096
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc8505.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc8505.exe -i SM-tgytutrc -s
    3⤵
    PID:2552
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc8505.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc8505.exe -i SM-tgytutrc -s
    3⤵
    PID:2224
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc8505.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc8505.exe -i SM-tgytutrc -s
    3⤵
    PID:4060
- - C:\Users\Admin\AppData\Local\Temp\tgytutrc8505.exe
    C:\Users\Admin\AppData\Local\Temp\tgytutrc8505.exe -i SM-tgytutrc -s
    3⤵
    PID:3788

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k wusvcs -p
1⤵
PID:1340

Windows 7 deprecation

Loading Replay Monitor...

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads