lockergoga | 1c479a22f8c67aa1042d3f51d7b90e336fd025b0e8004bb1a34af067ff797fbe

Analysis

max time kernel
19s
max time network
64s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
14/05/2024, 12:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a-9/crypto-locker-1.4.4.1-a9-Runtime/bin/encrypt-a9.exe
Size

1.2MB
MD5

f59c149db98488ac6b8d621a3d13aeb2
SHA1

1da2bd0c0864a2eb4fc43ca93c383e28f5ba461a
SHA256

6aa73f492b4dc52322ae8443a730c279c621a99dae4e8cb873c7a96dd4c6561f
SHA512

df8e731262c175d5a32ae5cfb8604813adae361c283c39464c9566377067fb1990466797495039d3e3a9d70324f05b47da17a2b92663cf0152321ac8634b6134
SSDEEP

24576:ieUKt2yozDn6ptlov1LGIsubFK7cjvzAwZDwisVTtk8TpQWK/:bUKthozDn6XlIFfjvz5SPTu8TpQz/

Score

10^/10

lockergoga banker ransomware trojan

Malware Config

Extracted

Path

C:\Users\Public\Desktop\README_LOCKED.txt

Ransom Note

Greetings! There was a significant flaw in the security system of your company. You should be thankful that the flaw was exploited by serious people and not some rookies. They would have damaged all of your data by mistake or for fun. Your files are encrypted with the strongest military algorithms RSA4096 and AES-256. Without our special decoder it is impossible to restore the data. Attempts to restore your data with third party software as Photorec, RannohDecryptor etc. will lead to irreversible destruction of your data. To confirm our honest intentions. Send us 2-3 different random files and you will get them decrypted. It can be from different computers on your network to be sure that our decoder decrypts everything. Sample files we unlock for free (files should not be related to any kind of backups). We exclusively have decryption software for your situation DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT RENAME the encrypted files. DO NOT MOVE the encrypted files. This may lead to the impossibility of recovery of the certain files. The payment has to be made in Bitcoins. The final price depends on how fast you contact us. As soon as we receive the payment you will get the decryption tool and instructions on how to improve your systems security To get information on the price of the decoder contact us at: [email protected] [email protected]

Emails

[email protected]

Signatures

LockerGoga
LockerGoga is a ransomware that is primarily used in targeted, disruptive attacks.
trojan banker lockergoga
Renames multiple (353) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\lib\content-types.properties	gdeoimtf3914.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Retail-ul-phn.xrm-ms	gdeoimtf3914.exe
File opened for modification	C:\Program Files\Internet Explorer\de-DE\iexplore.exe.mui	gdeoimtf3914.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	gdeoimtf3914.exe
File opened for modification	C:\Program Files\Internet Explorer\ja-JP\ieinstal.exe.mui	gdeoimtf3914.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.exe	gdeoimtf3914.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\include\jvmticmlr.h	gdeoimtf3914.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\fonts\LucidaBrightItalic.ttf	gdeoimtf3914.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe	gdeoimtf3914.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Retail-ul-phn.xrm-ms	gdeoimtf3914.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	gdeoimtf3914.exe
File opened for modification	C:\Program Files\Internet Explorer\de-DE\ieinstal.exe.mui	gdeoimtf3914.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\include\win32\jawt_md.h	gdeoimtf3914.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\include\jdwpTransport.h	gdeoimtf3914.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\lib\dt.jar	gdeoimtf3914.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\jce.jar	gdeoimtf3914.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\PenImc_cor3.dll	gdeoimtf3914.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\vk_swiftshader_icd.json	gdeoimtf3914.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\security\java.security	gdeoimtf3914.exe
File opened for modification	C:\Program Files\Java\jre-1.8\legal\jdk\thaidict.md	gdeoimtf3914.exe
File opened for modification	C:\Program Files\Java\jre-1.8\legal\jdk\relaxngdatatype.md	gdeoimtf3914.exe
File opened for modification	C:\Program Files\Microsoft Office\root\fre\StartMenu_Win10.mp4	gdeoimtf3914.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_OEM_Perp-ul-phn.xrm-ms	gdeoimtf3914.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_OEM_Perp-ppd.xrm-ms	gdeoimtf3914.exe
File opened for modification	C:\Program Files\Internet Explorer\IEShims.dll	gdeoimtf3914.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	gdeoimtf3914.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\javafx.properties	gdeoimtf3914.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_OEM_Perp-ul-oob.xrm-ms	gdeoimtf3914.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ky.txt	gdeoimtf3914.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\resource.dll	gdeoimtf3914.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\legal\jdk\unicode.md	gdeoimtf3914.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Paper.xml	gdeoimtf3914.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\THIRDPARTYLICENSEREADME-JAVAFX.txt	gdeoimtf3914.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\README.txt	gdeoimtf3914.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\COPYRIGHT	gdeoimtf3914.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\[email protected]	gdeoimtf3914.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\ext\meta-index	gdeoimtf3914.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\lib\jvm.lib	gdeoimtf3914.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\jfr\profile.jfc	gdeoimtf3914.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Violet.xml	gdeoimtf3914.exe
File opened for modification	C:\Program Files\7-Zip\Lang\el.txt	gdeoimtf3914.exe
File opened for modification	C:\Program Files\Internet Explorer\en-US\ieinstal.exe.mui	gdeoimtf3914.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-root.xrm-ms	gdeoimtf3914.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\include\jni.h	gdeoimtf3914.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\wsdetect.dll	gdeoimtf3914.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\WindowsAccessBridge-64.dll	gdeoimtf3914.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\w2k_lsa_auth.dll	gdeoimtf3914.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\tzdb.dat	gdeoimtf3914.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_OEM_Perp-ul-oob.xrm-ms	gdeoimtf3914.exe
File opened for modification	C:\Program Files\Internet Explorer\SIGNUP\install.ins	gdeoimtf3914.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	gdeoimtf3914.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\bci.dll	gdeoimtf3914.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\prism_sw.dll	gdeoimtf3914.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Trial-ppd.xrm-ms	gdeoimtf3914.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\dt_shmem.dll	gdeoimtf3914.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\ext\sunmscapi.jar	gdeoimtf3914.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\lib\orb.idl	gdeoimtf3914.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\javaws.jar	gdeoimtf3914.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Retail-ul-oob.xrm-ms	gdeoimtf3914.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\server\Xusage.txt	gdeoimtf3914.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_LinkDrop32x32.gif	gdeoimtf3914.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\ext\nashorn.jar	gdeoimtf3914.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\legal\javafx\public_suffix.md	gdeoimtf3914.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\release	gdeoimtf3914.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
4592	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
100	gdeoimtf3914.exe
100	gdeoimtf3914.exe
1956	gdeoimtf3914.exe
1956	gdeoimtf3914.exe
440	gdeoimtf3914.exe
440	gdeoimtf3914.exe
544	gdeoimtf3914.exe
544	gdeoimtf3914.exe
3104	gdeoimtf3914.exe
3104	gdeoimtf3914.exe
2152	gdeoimtf3914.exe
2152	gdeoimtf3914.exe
2372	gdeoimtf3914.exe
2372	gdeoimtf3914.exe
1140	gdeoimtf3914.exe
1140	gdeoimtf3914.exe
1956	gdeoimtf3914.exe
1956	gdeoimtf3914.exe
440	gdeoimtf3914.exe
440	gdeoimtf3914.exe
3104	gdeoimtf3914.exe
3104	gdeoimtf3914.exe
2372	gdeoimtf3914.exe
2372	gdeoimtf3914.exe
1140	gdeoimtf3914.exe
1140	gdeoimtf3914.exe
544	gdeoimtf3914.exe
544	gdeoimtf3914.exe
4628	gdeoimtf3914.exe
4628	gdeoimtf3914.exe
2372	gdeoimtf3914.exe
2372	gdeoimtf3914.exe
544	gdeoimtf3914.exe
544	gdeoimtf3914.exe
1140	gdeoimtf3914.exe
1140	gdeoimtf3914.exe
4628	gdeoimtf3914.exe
4628	gdeoimtf3914.exe
100	gdeoimtf3914.exe
100	gdeoimtf3914.exe
440	gdeoimtf3914.exe
440	gdeoimtf3914.exe
1140	gdeoimtf3914.exe
1140	gdeoimtf3914.exe
3104	gdeoimtf3914.exe
544	gdeoimtf3914.exe
3104	gdeoimtf3914.exe
544	gdeoimtf3914.exe
100	gdeoimtf3914.exe
100	gdeoimtf3914.exe
2152	gdeoimtf3914.exe
2152	gdeoimtf3914.exe
2152	gdeoimtf3914.exe
3104	gdeoimtf3914.exe
3104	gdeoimtf3914.exe
1140	gdeoimtf3914.exe
1140	gdeoimtf3914.exe
2152	gdeoimtf3914.exe
100	gdeoimtf3914.exe
100	gdeoimtf3914.exe
544	gdeoimtf3914.exe
544	gdeoimtf3914.exe
440	gdeoimtf3914.exe
1956	gdeoimtf3914.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4504	cmd.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2136	encrypt-a9.exe
Token: SeBackupPrivilege	2136	encrypt-a9.exe
Token: SeRestorePrivilege	2136	encrypt-a9.exe
Token: SeLockMemoryPrivilege	2136	encrypt-a9.exe
Token: SeCreateGlobalPrivilege	2136	encrypt-a9.exe
Token: SeDebugPrivilege	1464	gdeoimtf3914.exe
Token: SeBackupPrivilege	1464	gdeoimtf3914.exe
Token: SeRestorePrivilege	1464	gdeoimtf3914.exe
Token: SeLockMemoryPrivilege	1464	gdeoimtf3914.exe
Token: SeCreateGlobalPrivilege	1464	gdeoimtf3914.exe
Token: SeDebugPrivilege	100	gdeoimtf3914.exe
Token: SeDebugPrivilege	2152	gdeoimtf3914.exe
Token: SeBackupPrivilege	2152	gdeoimtf3914.exe
Token: SeBackupPrivilege	100	gdeoimtf3914.exe
Token: SeRestorePrivilege	2152	gdeoimtf3914.exe
Token: SeRestorePrivilege	100	gdeoimtf3914.exe
Token: SeLockMemoryPrivilege	2152	gdeoimtf3914.exe
Token: SeLockMemoryPrivilege	100	gdeoimtf3914.exe
Token: SeCreateGlobalPrivilege	2152	gdeoimtf3914.exe
Token: SeCreateGlobalPrivilege	100	gdeoimtf3914.exe
Token: SeDebugPrivilege	1140	gdeoimtf3914.exe
Token: SeBackupPrivilege	1140	gdeoimtf3914.exe
Token: SeDebugPrivilege	544	gdeoimtf3914.exe
Token: SeBackupPrivilege	544	gdeoimtf3914.exe
Token: SeRestorePrivilege	1140	gdeoimtf3914.exe
Token: SeRestorePrivilege	544	gdeoimtf3914.exe
Token: SeLockMemoryPrivilege	1140	gdeoimtf3914.exe
Token: SeLockMemoryPrivilege	544	gdeoimtf3914.exe
Token: SeCreateGlobalPrivilege	1140	gdeoimtf3914.exe
Token: SeCreateGlobalPrivilege	544	gdeoimtf3914.exe
Token: SeDebugPrivilege	3104	gdeoimtf3914.exe
Token: SeBackupPrivilege	3104	gdeoimtf3914.exe
Token: SeRestorePrivilege	3104	gdeoimtf3914.exe
Token: SeLockMemoryPrivilege	3104	gdeoimtf3914.exe
Token: SeCreateGlobalPrivilege	3104	gdeoimtf3914.exe
Token: SeDebugPrivilege	1956	gdeoimtf3914.exe
Token: SeBackupPrivilege	1956	gdeoimtf3914.exe
Token: SeRestorePrivilege	1956	gdeoimtf3914.exe
Token: SeLockMemoryPrivilege	1956	gdeoimtf3914.exe
Token: SeCreateGlobalPrivilege	1956	gdeoimtf3914.exe
Token: SeDebugPrivilege	2372	gdeoimtf3914.exe
Token: SeBackupPrivilege	2372	gdeoimtf3914.exe
Token: SeRestorePrivilege	2372	gdeoimtf3914.exe
Token: SeLockMemoryPrivilege	2372	gdeoimtf3914.exe
Token: SeCreateGlobalPrivilege	2372	gdeoimtf3914.exe
Token: SeDebugPrivilege	4628	gdeoimtf3914.exe
Token: SeBackupPrivilege	4628	gdeoimtf3914.exe
Token: SeRestorePrivilege	4628	gdeoimtf3914.exe
Token: SeLockMemoryPrivilege	4628	gdeoimtf3914.exe
Token: SeCreateGlobalPrivilege	4628	gdeoimtf3914.exe
Token: SeDebugPrivilege	440	gdeoimtf3914.exe
Token: SeBackupPrivilege	440	gdeoimtf3914.exe
Token: SeRestorePrivilege	440	gdeoimtf3914.exe
Token: SeLockMemoryPrivilege	440	gdeoimtf3914.exe
Token: SeCreateGlobalPrivilege	440	gdeoimtf3914.exe
Token: SeDebugPrivilege	2572	gdeoimtf3914.exe
Token: SeBackupPrivilege	2572	gdeoimtf3914.exe
Token: SeRestorePrivilege	2572	gdeoimtf3914.exe
Token: SeLockMemoryPrivilege	2572	gdeoimtf3914.exe
Token: SeCreateGlobalPrivilege	2572	gdeoimtf3914.exe
Token: SeDebugPrivilege	2712	gdeoimtf3914.exe
Token: SeBackupPrivilege	2712	gdeoimtf3914.exe
Token: SeRestorePrivilege	2712	gdeoimtf3914.exe
Token: SeLockMemoryPrivilege	2712	gdeoimtf3914.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2136 wrote to memory of 4504	2136	encrypt-a9.exe	91
PID 2136 wrote to memory of 4504	2136	encrypt-a9.exe	91
PID 2136 wrote to memory of 1464	2136	encrypt-a9.exe	93
PID 2136 wrote to memory of 1464	2136	encrypt-a9.exe	93
PID 2136 wrote to memory of 1464	2136	encrypt-a9.exe	93
PID 1464 wrote to memory of 100	1464	gdeoimtf3914.exe	94
PID 1464 wrote to memory of 100	1464	gdeoimtf3914.exe	94
PID 1464 wrote to memory of 100	1464	gdeoimtf3914.exe	94
PID 1464 wrote to memory of 3104	1464	gdeoimtf3914.exe	95
PID 1464 wrote to memory of 3104	1464	gdeoimtf3914.exe	95
PID 1464 wrote to memory of 3104	1464	gdeoimtf3914.exe	95
PID 1464 wrote to memory of 2152	1464	gdeoimtf3914.exe	96
PID 1464 wrote to memory of 2152	1464	gdeoimtf3914.exe	96
PID 1464 wrote to memory of 2152	1464	gdeoimtf3914.exe	96
PID 1464 wrote to memory of 1140	1464	gdeoimtf3914.exe	97
PID 1464 wrote to memory of 1140	1464	gdeoimtf3914.exe	97
PID 1464 wrote to memory of 1140	1464	gdeoimtf3914.exe	97
PID 1464 wrote to memory of 4628	1464	gdeoimtf3914.exe	98
PID 1464 wrote to memory of 4628	1464	gdeoimtf3914.exe	98
PID 1464 wrote to memory of 4628	1464	gdeoimtf3914.exe	98
PID 1464 wrote to memory of 440	1464	gdeoimtf3914.exe	99
PID 1464 wrote to memory of 440	1464	gdeoimtf3914.exe	99
PID 1464 wrote to memory of 440	1464	gdeoimtf3914.exe	99
PID 1464 wrote to memory of 544	1464	gdeoimtf3914.exe	100
PID 1464 wrote to memory of 544	1464	gdeoimtf3914.exe	100
PID 1464 wrote to memory of 544	1464	gdeoimtf3914.exe	100
PID 1464 wrote to memory of 1956	1464	gdeoimtf3914.exe	101
PID 1464 wrote to memory of 1956	1464	gdeoimtf3914.exe	101
PID 1464 wrote to memory of 1956	1464	gdeoimtf3914.exe	101
PID 1464 wrote to memory of 2372	1464	gdeoimtf3914.exe	102
PID 1464 wrote to memory of 2372	1464	gdeoimtf3914.exe	102
PID 1464 wrote to memory of 2372	1464	gdeoimtf3914.exe	102
PID 1464 wrote to memory of 2572	1464	gdeoimtf3914.exe	105
PID 1464 wrote to memory of 2572	1464	gdeoimtf3914.exe	105
PID 1464 wrote to memory of 2572	1464	gdeoimtf3914.exe	105
PID 1464 wrote to memory of 2712	1464	gdeoimtf3914.exe	106
PID 1464 wrote to memory of 2712	1464	gdeoimtf3914.exe	106
PID 1464 wrote to memory of 2712	1464	gdeoimtf3914.exe	106
PID 1464 wrote to memory of 2464	1464	gdeoimtf3914.exe	107
PID 1464 wrote to memory of 2464	1464	gdeoimtf3914.exe	107
PID 1464 wrote to memory of 2464	1464	gdeoimtf3914.exe	107
PID 1464 wrote to memory of 4500	1464	gdeoimtf3914.exe	108
PID 1464 wrote to memory of 4500	1464	gdeoimtf3914.exe	108
PID 1464 wrote to memory of 4500	1464	gdeoimtf3914.exe	108
PID 1464 wrote to memory of 4460	1464	gdeoimtf3914.exe	109
PID 1464 wrote to memory of 4460	1464	gdeoimtf3914.exe	109
PID 1464 wrote to memory of 4460	1464	gdeoimtf3914.exe	109
PID 1464 wrote to memory of 2916	1464	gdeoimtf3914.exe	110
PID 1464 wrote to memory of 2916	1464	gdeoimtf3914.exe	110
PID 1464 wrote to memory of 2916	1464	gdeoimtf3914.exe	110
PID 1464 wrote to memory of 1736	1464	gdeoimtf3914.exe	111
PID 1464 wrote to memory of 1736	1464	gdeoimtf3914.exe	111
PID 1464 wrote to memory of 1736	1464	gdeoimtf3914.exe	111
PID 1464 wrote to memory of 1752	1464	gdeoimtf3914.exe	113
PID 1464 wrote to memory of 1752	1464	gdeoimtf3914.exe	113
PID 1464 wrote to memory of 1752	1464	gdeoimtf3914.exe	113
PID 1464 wrote to memory of 4804	1464	gdeoimtf3914.exe	114
PID 1464 wrote to memory of 4804	1464	gdeoimtf3914.exe	114
PID 1464 wrote to memory of 4804	1464	gdeoimtf3914.exe	114
PID 1464 wrote to memory of 4316	1464	gdeoimtf3914.exe	115
PID 1464 wrote to memory of 4316	1464	gdeoimtf3914.exe	115
PID 1464 wrote to memory of 4316	1464	gdeoimtf3914.exe	115
PID 1464 wrote to memory of 984	1464	gdeoimtf3914.exe	116
PID 1464 wrote to memory of 984	1464	gdeoimtf3914.exe	116

C:\Users\Admin\AppData\Local\Temp\a-9\crypto-locker-1.4.4.1-a9-Runtime\bin\encrypt-a9.exe
"C:\Users\Admin\AppData\Local\Temp\a-9\crypto-locker-1.4.4.1-a9-Runtime\bin\encrypt-a9.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2136
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c move /y C:\Users\Admin\AppData\Local\Temp\a-9\crypto-locker-1.4.4.1-a9-Runtime\bin\encrypt-a9.exe C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe
  2⤵
  - Suspicious behavior: RenamesItself
  PID:4504
- C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe
  C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe -m
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1464
- - C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe
    C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe -i SM-gdeoimtf -s
    3⤵
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:100
- - C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe
    C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe -i SM-gdeoimtf -s
    3⤵
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3104
- - C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe
    C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe -i SM-gdeoimtf -s
    3⤵
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2152
- - C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe
    C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe -i SM-gdeoimtf -s
    3⤵
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1140
- - C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe
    C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe -i SM-gdeoimtf -s
    3⤵
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4628
- - C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe
    C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe -i SM-gdeoimtf -s
    3⤵
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:440
- - C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe
    C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe -i SM-gdeoimtf -s
    3⤵
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:544
- - C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe
    C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe -i SM-gdeoimtf -s
    3⤵
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1956
- - C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe
    C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe -i SM-gdeoimtf -s
    3⤵
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2372
- - C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe
    C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe -i SM-gdeoimtf -s
    3⤵
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    PID:2572
- - C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe
    C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe -i SM-gdeoimtf -s
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2712
- - C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe
    C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe -i SM-gdeoimtf -s
    3⤵
    - Drops file in Program Files directory
    PID:2464
- - C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe
    C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe -i SM-gdeoimtf -s
    3⤵
    - Drops file in Program Files directory
    PID:4500
- - C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe
    C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe -i SM-gdeoimtf -s
    3⤵
    - Drops file in Program Files directory
    PID:4460
- - C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe
    C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe -i SM-gdeoimtf -s
    3⤵
    - Drops file in Program Files directory
    PID:2916
- - C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe
    C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe -i SM-gdeoimtf -s
    3⤵
    - Drops file in Program Files directory
    PID:1736
- - C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe
    C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe -i SM-gdeoimtf -s
    3⤵
    - Drops file in Program Files directory
    PID:1752
- - C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe
    C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe -i SM-gdeoimtf -s
    3⤵
    - Drops file in Program Files directory
    PID:4804
- - C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe
    C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe -i SM-gdeoimtf -s
    3⤵
    - Drops file in Program Files directory
    PID:4316
- - C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe
    C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe -i SM-gdeoimtf -s
    3⤵
    - Drops file in Program Files directory
    PID:984
- - C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe
    C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe -i SM-gdeoimtf -s
    3⤵
    - Drops file in Program Files directory
    PID:3860
- - C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe
    C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe -i SM-gdeoimtf -s
    3⤵
    - Drops file in Program Files directory
    PID:2932
- - C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe
    C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe -i SM-gdeoimtf -s
    3⤵
    - Drops file in Program Files directory
    PID:1548
- - C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe
    C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe -i SM-gdeoimtf -s
    3⤵
    - Drops file in Program Files directory
    PID:1544
- - C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe
    C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe -i SM-gdeoimtf -s
    3⤵
    - Drops file in Program Files directory
    PID:2328
- - C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe
    C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe -i SM-gdeoimtf -s
    3⤵
    PID:1796
- - C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe
    C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe -i SM-gdeoimtf -s
    3⤵
    - Drops file in Program Files directory
    PID:2312
- - C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe
    C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe -i SM-gdeoimtf -s
    3⤵
    - Drops file in Program Files directory
    PID:3608
- - C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe
    C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe -i SM-gdeoimtf -s
    3⤵
    - Drops file in Program Files directory
    PID:3592
- - C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe
    C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe -i SM-gdeoimtf -s
    3⤵
    - Drops file in Program Files directory
    PID:4636
- - C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe
    C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe -i SM-gdeoimtf -s
    3⤵
    - Drops file in Program Files directory
    PID:1048
- - C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe
    C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe -i SM-gdeoimtf -s
    3⤵
    PID:2304
- - C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe
    C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe -i SM-gdeoimtf -s
    3⤵
    - Drops file in Program Files directory
    PID:3648
- - C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe
    C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe -i SM-gdeoimtf -s
    3⤵
    - Drops file in Program Files directory
    PID:1536
- - C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe
    C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe -i SM-gdeoimtf -s
    3⤵
    PID:4332
- - C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe
    C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe -i SM-gdeoimtf -s
    3⤵
    PID:4044
- - C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe
    C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe -i SM-gdeoimtf -s
    3⤵
    PID:2124
- - C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe
    C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe -i SM-gdeoimtf -s
    3⤵
    PID:1792
- - C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe
    C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe -i SM-gdeoimtf -s
    3⤵
    PID:2920
- - C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe
    C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe -i SM-gdeoimtf -s
    3⤵
    PID:4076
- - C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe
    C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe -i SM-gdeoimtf -s
    3⤵
    PID:2004
- - C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe
    C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe -i SM-gdeoimtf -s
    3⤵
    PID:5024
- - C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe
    C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe -i SM-gdeoimtf -s
    3⤵
    PID:4568
- - C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe
    C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe -i SM-gdeoimtf -s
    3⤵
    PID:2228
- - C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe
    C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe -i SM-gdeoimtf -s
    3⤵
    PID:440
- - C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe
    C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe -i SM-gdeoimtf -s
    3⤵
    PID:3912
- - C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe
    C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe -i SM-gdeoimtf -s
    3⤵
    PID:3916
- - C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe
    C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe -i SM-gdeoimtf -s
    3⤵
    PID:1932
- - C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe
    C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe -i SM-gdeoimtf -s
    3⤵
    PID:3264
- - C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe
    C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe -i SM-gdeoimtf -s
    3⤵
    PID:872
- - C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe
    C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe -i SM-gdeoimtf -s
    3⤵
    PID:4024
- - C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe
    C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe -i SM-gdeoimtf -s
    3⤵
    PID:2520
- - C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe
    C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe -i SM-gdeoimtf -s
    3⤵
    PID:4872
- - C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe
    C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe -i SM-gdeoimtf -s
    3⤵
    PID:2632
- - C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe
    C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe -i SM-gdeoimtf -s
    3⤵
    PID:3176
- - C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe
    C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe -i SM-gdeoimtf -s
    3⤵
    PID:1548
- - C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe
    C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe -i SM-gdeoimtf -s
    3⤵
    PID:4000
- - C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe
    C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe -i SM-gdeoimtf -s
    3⤵
    PID:2152
- - C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe
    C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe -i SM-gdeoimtf -s
    3⤵
    PID:2104
- - C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe
    C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe -i SM-gdeoimtf -s
    3⤵
    PID:4852
- - C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe
    C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe -i SM-gdeoimtf -s
    3⤵
    PID:1792
- - C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe
    C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe -i SM-gdeoimtf -s
    3⤵
    PID:1436
- - C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe
    C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe -i SM-gdeoimtf -s
    3⤵
    PID:4592
- - C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe
    C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe -i SM-gdeoimtf -s
    3⤵
    PID:440
- - C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe
    C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe -i SM-gdeoimtf -s
    3⤵
    PID:1460
- - C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe
    C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe -i SM-gdeoimtf -s
    3⤵
    PID:3344
- - C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe
    C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe -i SM-gdeoimtf -s
    3⤵
    PID:4804
- - C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe
    C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe -i SM-gdeoimtf -s
    3⤵
    PID:540
- - C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe
    C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe -i SM-gdeoimtf -s
    3⤵
    PID:4464
- - C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe
    C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe -i SM-gdeoimtf -s
    3⤵
    PID:1348
- - C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe
    C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe -i SM-gdeoimtf -s
    3⤵
    PID:1132
- - C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe
    C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe -i SM-gdeoimtf -s
    3⤵
    PID:3520
- - C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe
    C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe -i SM-gdeoimtf -s
    3⤵
    PID:4908
- - C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe
    C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe -i SM-gdeoimtf -s
    3⤵
    PID:3536
- - C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe
    C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe -i SM-gdeoimtf -s
    3⤵
    PID:5000
- - C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe
    C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe -i SM-gdeoimtf -s
    3⤵
    PID:3696
- - C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe
    C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe -i SM-gdeoimtf -s
    3⤵
    PID:4016
- - C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe
    C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe -i SM-gdeoimtf -s
    3⤵
    PID:3724
- - C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe
    C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe -i SM-gdeoimtf -s
    3⤵
    PID:4628
- - C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe
    C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe -i SM-gdeoimtf -s
    3⤵
    PID:2280
- - C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe
    C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe -i SM-gdeoimtf -s
    3⤵
    PID:5044
- - C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe
    C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe -i SM-gdeoimtf -s
    3⤵
    PID:4960
- - C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe
    C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe -i SM-gdeoimtf -s
    3⤵
    PID:2148
- - C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe
    C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe -i SM-gdeoimtf -s
    3⤵
    PID:440
- - C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe
    C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe -i SM-gdeoimtf -s
    3⤵
    PID:676
- - C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe
    C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe -i SM-gdeoimtf -s
    3⤵
    PID:3912
- - C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe
    C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe -i SM-gdeoimtf -s
    3⤵
    PID:888
- - C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe
    C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe -i SM-gdeoimtf -s
    3⤵
    PID:4568
- - C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe
    C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe -i SM-gdeoimtf -s
    3⤵
    PID:3848
- - C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe
    C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe -i SM-gdeoimtf -s
    3⤵
    PID:4804
- - C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe
    C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe -i SM-gdeoimtf -s
    3⤵
    PID:64
- - C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe
    C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe -i SM-gdeoimtf -s
    3⤵
    PID:648
- - C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe
    C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe -i SM-gdeoimtf -s
    3⤵
    PID:1884
- - C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe
    C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe -i SM-gdeoimtf -s
    3⤵
    PID:2804
- - C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe
    C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe -i SM-gdeoimtf -s
    3⤵
    PID:2836
- - C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe
    C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe -i SM-gdeoimtf -s
    3⤵
    PID:2944
- - C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe
    C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe -i SM-gdeoimtf -s
    3⤵
    PID:3768
- - C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe
    C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe -i SM-gdeoimtf -s
    3⤵
    PID:2312
- - C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe
    C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe -i SM-gdeoimtf -s
    3⤵
    PID:2120
- - C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe
    C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe -i SM-gdeoimtf -s
    3⤵
    PID:2664
- - C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe
    C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe -i SM-gdeoimtf -s
    3⤵
    PID:3556
- - C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe
    C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe -i SM-gdeoimtf -s
    3⤵
    PID:1792
- - C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe
    C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe -i SM-gdeoimtf -s
    3⤵
    PID:2280
- - C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe
    C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe -i SM-gdeoimtf -s
    3⤵
    PID:2324
- - C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe
    C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe -i SM-gdeoimtf -s
    3⤵
    PID:3088
- - C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe
    C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe -i SM-gdeoimtf -s
    3⤵
    PID:3528
- - C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe
    C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe -i SM-gdeoimtf -s
    3⤵
    PID:3944
- - C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe
    C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe -i SM-gdeoimtf -s
    3⤵
    PID:2240
- - C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe
    C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe -i SM-gdeoimtf -s
    3⤵
    PID:1128
- - C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe
    C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe -i SM-gdeoimtf -s
    3⤵
    PID:2136
- - C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe
    C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe -i SM-gdeoimtf -s
    3⤵
    PID:4784
- - C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe
    C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe -i SM-gdeoimtf -s
    3⤵
    PID:1236
- - C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe
    C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe -i SM-gdeoimtf -s
    3⤵
    PID:4480
- - C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe
    C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe -i SM-gdeoimtf -s
    3⤵
    PID:100
- - C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe
    C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe -i SM-gdeoimtf -s
    3⤵
    PID:3076
- - C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe
    C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe -i SM-gdeoimtf -s
    3⤵
    PID:3788
- - C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe
    C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe -i SM-gdeoimtf -s
    3⤵
    PID:3680
- - C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe
    C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe -i SM-gdeoimtf -s
    3⤵
    PID:2944
- - C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe
    C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe -i SM-gdeoimtf -s
    3⤵
    PID:2344
- - C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe
    C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe -i SM-gdeoimtf -s
    3⤵
    PID:4568
- - C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe
    C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe -i SM-gdeoimtf -s
    3⤵
    PID:4016
- - C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe
    C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe -i SM-gdeoimtf -s
    3⤵
    PID:228
- - C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe
    C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe -i SM-gdeoimtf -s
    3⤵
    PID:3264
- - C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe
    C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe -i SM-gdeoimtf -s
    3⤵
    PID:2256
- - C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe
    C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe -i SM-gdeoimtf -s
    3⤵
    PID:4224
- - C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe
    C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe -i SM-gdeoimtf -s
    3⤵
    PID:1128
- - C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe
    C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe -i SM-gdeoimtf -s
    3⤵
    PID:888
- - C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe
    C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe -i SM-gdeoimtf -s
    3⤵
    PID:4300
- - C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe
    C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe -i SM-gdeoimtf -s
    3⤵
    PID:780
- - C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe
    C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe -i SM-gdeoimtf -s
    3⤵
    PID:2120
- - C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe
    C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe -i SM-gdeoimtf -s
    3⤵
    PID:2328
- - C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe
    C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe -i SM-gdeoimtf -s
    3⤵
    PID:2828
- - C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe
    C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe -i SM-gdeoimtf -s
    3⤵
    PID:3336
- - C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe
    C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe -i SM-gdeoimtf -s
    3⤵
    PID:3612
- - C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe
    C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe -i SM-gdeoimtf -s
    3⤵
    PID:2996
- - C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe
    C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe -i SM-gdeoimtf -s
    3⤵
    PID:2104
- - C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe
    C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe -i SM-gdeoimtf -s
    3⤵
    PID:1864
- - C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe
    C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe -i SM-gdeoimtf -s
    3⤵
    PID:1388
- - C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe
    C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe -i SM-gdeoimtf -s
    3⤵
    PID:3644
- - C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe
    C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe -i SM-gdeoimtf -s
    3⤵
    PID:2812
- - C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe
    C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe -i SM-gdeoimtf -s
    3⤵
    PID:2880
- - C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe
    C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe -i SM-gdeoimtf -s
    3⤵
    PID:452
- - C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe
    C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe -i SM-gdeoimtf -s
    3⤵
    PID:2960
- - C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe
    C:\Users\Admin\AppData\Local\Temp\gdeoimtf3914.exe -i SM-gdeoimtf -s
    3⤵
    PID:2944

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\README_LOCKED.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:4592

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=2436 --field-trial-handle=2292,i,2103142837140538807,15881446839139365070,262144 --variations-seed-version /prefetch:8
1⤵
PID:932

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding
1⤵
PID:2744
- C:\Program Files (x86)\Windows Media Player\setup_wm.exe
  "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding
  2⤵
  PID:372
- C:\Windows\SysWOW64\unregmp2.exe
  "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
  2⤵
  PID:5044

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Desktop\README_LOCKED.txt

Filesize
1KB

MD5
d11a44c7867a95a49fcb5a00fd94399d

SHA1
4151d13fffbe8e739cf7e4a95a14fcbbe50f2a6d

SHA256
68a3c7c306de84ee1358e478330a2c25777a19293e8463a8227e239bc882ac04

SHA512
014ab2e1f3e8344b7fe6e872f8ba1fe88d8f673b1f7425e66e4c15cf6f15853b06359acc5eb1e84fbe7bd92ff3fd2ab7d4a8ce0b5a85e5391b9cfdea3a07b3f7

Download Submit
memory/2136-1-0x0000000000A70000-0x0000000000BA5000-memory.dmp

Filesize
1.2MB

Download