Analysis Report LockerGogaRecent.exe

Overview

General Information

Joe Sandbox Version:	25.0.0 Tiger's Eye
Analysis ID:	820532
Start date:	20.03.2019
Start time:	10:07:58
Joe Sandbox Product:	Cloud
Overall analysis duration:	0h 17m 6s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	LockerGogaRecent.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 7 (Office 2010 SP2, Java 1.8.0_40 1.8.0_191, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 55, Firefox 43)
Number of analysed new started processes analysed:	41
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies	HCA enabled EGA enabled HDC enabled
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.rans.phis.spyw.winEXE@99/123@0/0
EGA Information:	Failed
HDC Information:	Successful, ratio: 3.1% (good quality ratio 2.9%) Quality average: 62% Quality standard deviation: 24.2%
HCA Information:	Successful, ratio: 81% Number of executed functions: 130 Number of non-executed functions: 192
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Max analysis timeout: 600s exceeded, the analysis took too long Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe Report size exceeded maximum capacity and may have missing behavior information. Report size exceeded maximum capacity and may have missing disassembly code. Report size getting too big, too many NtOpenFile calls found. Report size getting too big, too many NtQueryAttributesFile calls found. Report size getting too big, too many NtQueryDirectoryFile calls found.

Detection

Strategy	Score	Range	Reporting	Whitelisted	Detection
Threshold	100	0 - 100	Report FP / FN	false

Confidence

Strategy	Score	Range	Further Analysis Required?	Confidence
Threshold	5	0 - 5	false

Classification

Analysis Advice

Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")

Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control
Valid Accounts	Windows Remote Management	Winlogon Helper DLL	Process Injection1	Masquerading1	Credential Dumping	Network Share Discovery1	Application Deployment Software	Man in the Browser1	Data Compressed	Standard Cryptographic Protocol2
Replication Through Removable Media	Service Execution	Port Monitors	Accessibility Features	Process Injection1	Network Sniffing	Process Discovery1	Remote Services	Data from Local System1	Exfiltration Over Other Network Medium	Fallback Channels
Drive-by Compromise	Windows Management Instrumentation	Accessibility Features	Path Interception	Obfuscated Files or Information2	Input Capture	Security Software Discovery31	Windows Remote Management	Data from Network Shared Drive	Automated Exfiltration	Custom Cryptographic Protocol
Exploit Public-Facing Application	Scheduled Task	System Firmware	DLL Search Order Hijacking	Obfuscated Files or Information	Credentials in Files	File and Directory Discovery11	Logon Scripts	Input Capture	Data Encrypted	Multiband Communication
Spearphishing Link	Command-Line Interface	Shortcut Modification	File System Permissions Weakness	Masquerading	Account Manipulation	System Information Discovery33	Shared Webroot	Data Staged	Scheduled Transfer	Standard Cryptographic Protocol

Signature Overview

Click to jump to signature section

AV Detection:

Antivirus detection for submitted file

Show sources

Source: LockerGogaRecent.exe

Avira: Label: TR/LockerGoga.qnfzd

Multi AV Scanner detection for submitted file

Show sources

Source: LockerGogaRecent.exe	virustotal: Detection: 62%			Perma Link
Source: LockerGogaRecent.exe	metadefender: Detection: 21%			Perma Link

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider

Show sources

Source: C:\Users\user\Desktop\LockerGogaRecent.exe	Code function: 0_2_000CA250 CryptAcquireContextA,CryptAcquireContextA,GetLastError,CryptAcquireContextA,CryptAcquireContextA,SetLastError,__CxxThrowException@8,CryptAcquireContextA,___std_exception_copy,	0_2_000CA250
Source: C:\Users\user\Desktop\LockerGogaRecent.exe	Code function: 0_2_000CA8E0 CryptReleaseContext,	0_2_000CA8E0
Source: C:\Users\user\Desktop\LockerGogaRecent.exe	Code function: 0_2_000CA9B0 CryptGenRandom,CryptReleaseContext,__CxxThrowException@8,	0_2_000CA9B0
Source: C:\Users\user\Desktop\LockerGogaRecent.exe	Code function: 0_2_000CA3B0 CryptAcquireContextA,GetLastError,CryptReleaseContext,	0_2_000CA3B0
Source: C:\Users\user\Desktop\LockerGogaRecent.exe	Code function: 0_2_000CA740 CryptReleaseContext,	0_2_000CA740
Source: C:\Users\user\Desktop\LockerGogaRecent.exe	Code function: 0_2_000CA780 CryptGenRandom,__CxxThrowException@8,	0_2_000CA780
Source: C:\Users\user\Desktop\LockerGogaRecent.exe	Code function: 0_2_000CA810 ReleaseMutex,CryptGenRandom,CryptReleaseContext,__CxxThrowException@8,	0_2_000CA810
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Code function: 23_2_000CA250 CryptAcquireContextA,CryptAcquireContextA,GetLastError,CryptAcquireContextA,CryptAcquireContextA,SetLastError,__CxxThrowException@8,CryptAcquireContextA,___std_exception_copy,	23_2_000CA250
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Code function: 23_2_000CA810 ReleaseMutex,CryptGenRandom,CryptReleaseContext,__CxxThrowException@8,	23_2_000CA810
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Code function: 23_2_000CA8E0 CryptReleaseContext,	23_2_000CA8E0
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Code function: 23_2_000CA9B0 CryptGenRandom,CryptReleaseContext,__CxxThrowException@8,	23_2_000CA9B0
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Code function: 23_2_000CA3B0 CryptAcquireContextA,GetLastError,CryptReleaseContext,	23_2_000CA3B0
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Code function: 23_2_000CA740 CryptReleaseContext,	23_2_000CA740
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Code function: 23_2_000CA780 CryptGenRandom,__CxxThrowException@8,	23_2_000CA780

Spreading:

Contains functionality to enumerate network shares

Show sources

Source: C:\Users\user\Desktop\LockerGogaRecent.exe	Code function: 0_2_00095250 NetUserEnum,NetApiBufferFree,NetApiBufferFree,		0_2_00095250
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Code function: 23_2_00095250 NetUserEnum,NetApiBufferFree,NetApiBufferFree,		23_2_00095250

Enumerates the file system

Show sources

Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	File opened: C:\Program Files\Adobe\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	File opened: C:\Program Files\Adobe\Reader 11.0\Reader\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	File opened: C:\Program Files\Adobe\Reader 11.0\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	File opened: C:\Program Files\Adobe\Reader 11.0\Reader\AcroExt\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	File opened: C:\Program Files\Adobe\Reader 11.0\Esl\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	File opened: C:\Program Files\Adobe\Reader 11.0\Reader\AcroExt\locales\	Jump to behavior

Contains functionality to enumerate / list files inside a directory

Show sources

Source: C:\Users\user\Desktop\LockerGogaRecent.exe	Code function: 0_2_000A9970 FindFirstFileW,GetLastError,GetLastError,GetLastError,GetLastError,	0_2_000A9970
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Code function: 23_2_00124A3B FindFirstFileExA,	23_2_00124A3B
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Code function: 23_2_000A9970 FindFirstFileW,GetLastError,GetLastError,GetLastError,GetLastError,	23_2_000A9970

Contains functionality to query local drives

Show sources

Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe

Code function: 23_2_0005CE90 GetLogicalDriveStringsW,GetDriveTypeW,GetDriveTypeW,

23_2_0005CE90

Networking:

Urls found in memory or binary data

Show sources

Source: tgytutrc3979.exe, 00000022.00000003.2519870637.01D05000.00000004.sdmp	String found in binary or memory: http://clients1.google.com/ocsp0
Source: tgytutrc3979.exe, 00000022.00000003.2524218394.01D1C000.00000004.sdmp	String found in binary or memory: http://crl.geotrust.com/crls/secureca.crl0N
Source: LockerGogaRecent.exe	String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: tgytutrc3979.exe, 00000022.00000003.2524218394.01D1C000.00000004.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: tgytutrc3979.exe, 00000022.00000003.2524218394.01D1C000.00000004.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl0=
Source: tgytutrc3979.exe, 00000022.00000003.2524218394.01D1C000.00000004.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
Source: LockerGogaRecent.exe	String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: tgytutrc3979.exe, 00000022.00000003.2519870637.01D05000.00000004.sdmp	String found in binary or memory: http://g.symcb.com/crls/gtglobal.crl0
Source: tgytutrc3979.exe, 00000022.00000003.2519870637.01D05000.00000004.sdmp	String found in binary or memory: http://g.symcd.com0
Source: tgytutrc3979.exe, 00000022.00000003.2524218394.01D1C000.00000004.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: tgytutrc3979.exe, 00000022.00000003.2524218394.01D1C000.00000004.sdmp	String found in binary or memory: http://ocsp.digicert.com0K
Source: LockerGogaRecent.exe	String found in binary or memory: http://ocsp.sectigo.com0
Source: tgytutrc3979.exe, 00000022.00000003.2519870637.01D05000.00000004.sdmp	String found in binary or memory: http://pki.google.com/GIAG2.crl0
Source: tgytutrc3979.exe, 00000022.00000003.2519870637.01D05000.00000004.sdmp	String found in binary or memory: http://pki.google.com/GIAG2.crt0
Source: tgytutrc3979.exe, 00000022.00000003.2524218394.01D1C000.00000004.sdmp	String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: tgytutrc3979.exe, 00000022.00000003.2519870637.01D05000.00000004.sdmp	String found in binary or memory: http://s2.symcb.com0
Source: tgytutrc3979.exe, 00000022.00000003.2524218394.01D1C000.00000004.sdmp	String found in binary or memory: http://s2.symcb.com0k
Source: tgytutrc3979.exe, 00000022.00000003.2524218394.01D1C000.00000004.sdmp	String found in binary or memory: http://www.symauth.com/cps0(
Source: tgytutrc3979.exe, 00000022.00000003.2524218394.01D1C000.00000004.sdmp	String found in binary or memory: http://www.symauth.com/rpa0)
Source: tgytutrc3979.exe, 00000022.00000003.2519870637.01D05000.00000004.sdmp	String found in binary or memory: http://www.symauth.com/rpa00
Source: LockerGogaRecent.exe	String found in binary or memory: https://sectigo.com/CPS0C
Source: tgytutrc3979.exe, 00000022.00000003.2524218394.01D1C000.00000004.sdmp	String found in binary or memory: https://www.digicert.com/CPS0
Source: tgytutrc3979.exe, 00000022.00000003.2524218394.01D1C000.00000004.sdmp	String found in binary or memory: https://www.geotrust.com/resources/repository0

Spam, unwanted Advertisements and Ransom Demands:

Detected LockerGoga Ransomware

Show sources

Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe

Code function: 23_2_0008FC60 GetDriveTypeW,ReleaseMutex,GetDriveTypeW,GetFileAttributesExW,RtlInitUnicodeString,NtOpenFile,NtReadFile,NtWriteFile,NtWriteFile,NtClose,

23_2_0008FC60

Detected suspicious e-Mail address in disassembly

Show sources

Source: C:\Users\user\Desktop\LockerGogaRecent.exe	Code function: DharmaParrack@protonmail.comwyattpettigrew8922555@mail.com		0_2_000913D0
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Code function: DharmaParrack@protonmail.comwyattpettigrew8922555@mail.com		23_2_000913D0

Modifies existing user documents (likely ransomware behavior)

Show sources

Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	File moved: C:\Users\user\Desktop\EWZCVGNOWT.docx	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	File moved: C:\Users\user\Desktop\EOWRVPQCCS\EIVQSAOTAQ.xlsx
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	File moved: C:\Users\user\Desktop\EIVQSAOTAQ.docx
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	File moved: C:\Users\user\Desktop\EOWRVPQCCS\EOWRVPQCCS.docx	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	File moved: C:\Users\user\Desktop\EWZCVGNOWT\JDDHMPCDUJ.xlsx	Jump to behavior

Writes a notice file (html or txt) to demand a ransom

Show sources

Source: C:\Users\user\Desktop\LockerGogaRecent.exe	File dropped: C:\Users\Public\Desktop\README_LOCKED.txt -> decryptor etc.will lead to irreversible destruction of your data.to confirm our honest intentions.send us 2-3 different random files and you will get them decrypted.it can be from different computers on your network to be sure that our decoder decrypts everything.sample files we unlock for free (files should not be related to any kind of backups).we exclusively have decryption software for your situationdo not reset or shutdown - files may be damaged.do not rename the encrypted files.do not move the encrypted files.this may lead to the impossibility of recovery of the certain files.the payment has to be made in bitcoins.the final price depends on how fast you contact us.as soon as we receive the payment you will get the decryption tool andinstructions on how to improve your systems securityto get information on the price of the decoder contact us at:dharmaparrack@protonmail.comwyattpettigrew8922555@mail.com
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	File dropped: C:\Users\Public\Desktop\README_LOCKED.txt -> decryptor etc.will lead to irreversible destruction of your data.to confirm our honest intentions.send us 2-3 different random files and you will get them decrypted.it can be from different computers on your network to be sure that our decoder decrypts everything.sample files we unlock for free (files should not be related to any kind of backups).we exclusively have decryption software for your situationdo not reset or shutdown - files may be damaged.do not rename the encrypted files.do not move the encrypted files.this may lead to the impossibility of recovery of the certain files.the payment has to be made in bitcoins.the final price depends on how fast you contact us.as soon as we receive the payment you will get the decryption tool andinstructions on how to improve your systems securityto get information on the price of the decoder contact us at:dharmaparrack@protonmail.comwyattpettigrew8922555@mail.com
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	File dropped: C:\Users\Public\Desktop\README_LOCKED.txt -> decryptor etc.will lead to irreversible destruction of your data.to confirm our honest intentions.send us 2-3 different random files and you will get them decrypted.it can be from different computers on your network to be sure that our decoder decrypts everything.sample files we unlock for free (files should not be related to any kind of backups).we exclusively have decryption software for your situationdo not reset or shutdown - files may be damaged.do not rename the encrypted files.do not move the encrypted files.this may lead to the impossibility of recovery of the certain files.the payment has to be made in bitcoins.the final price depends on how fast you contact us.as soon as we receive the payment you will get the decryption tool andinstructions on how to improve your systems securityto get information on the price of the decoder contact us at:dharmaparrack@protonmail.comwyattpettigrew8922555@mail.com
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	File dropped: C:\Users\Public\Desktop\README_LOCKED.txt -> decryptor etc.will lead to irreversible destruction of your data.to confirm our honest intentions.send us 2-3 different random files and you will get them decrypted.it can be from different computers on your network to be sure that our decoder decrypts everything.sample files we unlock for free (files should not be related to any kind of backups).we exclusively have decryption software for your situationdo not reset or shutdown - files may be damaged.do not rename the encrypted files.do not move the encrypted files.this may lead to the impossibility of recovery of the certain files.the payment has to be made in bitcoins.the final price depends on how fast you contact us.as soon as we receive the payment you will get the decryption tool andinstructions on how to improve your systems securityto get information on the price of the decoder contact us at:dharmaparrack@protonmail.comwyattpettigrew8922555@mail.com
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	File dropped: C:\Users\Public\Desktop\README_LOCKED.txt -> decryptor etc.will lead to irreversible destruction of your data.to confirm our honest intentions.send us 2-3 different random files and you will get them decrypted.it can be from different computers on your network to be sure that our decoder decrypts everything.sample files we unlock for free (files should not be related to any kind of backups).we exclusively have decryption software for your situationdo not reset or shutdown - files may be damaged.do not rename the encrypted files.do not move the encrypted files.this may lead to the impossibility of recovery of the certain files.the payment has to be made in bitcoins.the final price depends on how fast you contact us.as soon as we receive the payment you will get the decryption tool andinstructions on how to improve your systems securityto get information on the price of the decoder contact us at:dharmaparrack@protonmail.comwyattpettigrew8922555@mail.com
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	File dropped: C:\Users\Public\Desktop\README_LOCKED.txt -> decryptor etc.will lead to irreversible destruction of your data.to confirm our honest intentions.send us 2-3 different random files and you will get them decrypted.it can be from different computers on your network to be sure that our decoder decrypts everything.sample files we unlock for free (files should not be related to any kind of backups).we exclusively have decryption software for your situationdo not reset or shutdown - files may be damaged.do not rename the encrypted files.do not move the encrypted files.this may lead to the impossibility of recovery of the certain files.the payment has to be made in bitcoins.the final price depends on how fast you contact us.as soon as we receive the payment you will get the decryption tool andinstructions on how to improve your systems securityto get information on the price of the decoder contact us at:dharmaparrack@protonmail.comwyattpettigrew8922555@mail.com
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	File dropped: C:\Users\Public\Desktop\README_LOCKED.txt -> decryptor etc.will lead to irreversible destruction of your data.to confirm our honest intentions.send us 2-3 different random files and you will get them decrypted.it can be from different computers on your network to be sure that our decoder decrypts everything.sample files we unlock for free (files should not be related to any kind of backups).we exclusively have decryption software for your situationdo not reset or shutdown - files may be damaged.do not rename the encrypted files.do not move the encrypted files.this may lead to the impossibility of recovery of the certain files.the payment has to be made in bitcoins.the final price depends on how fast you contact us.as soon as we receive the payment you will get the decryption tool andinstructions on how to improve your systems securityto get information on the price of the decoder contact us at:dharmaparrack@protonmail.comwyattpettigrew8922555@mail.com
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	File dropped: C:\Users\Public\Desktop\README_LOCKED.txt -> decryptor etc.will lead to irreversible destruction of your data.to confirm our honest intentions.send us 2-3 different random files and you will get them decrypted.it can be from different computers on your network to be sure that our decoder decrypts everything.sample files we unlock for free (files should not be related to any kind of backups).we exclusively have decryption software for your situationdo not reset or shutdown - files may be damaged.do not rename the encrypted files.do not move the encrypted files.this may lead to the impossibility of recovery of the certain files.the payment has to be made in bitcoins.the final price depends on how fast you contact us.as soon as we receive the payment you will get the decryption tool andinstructions on how to improve your systems securityto get information on the price of the decoder contact us at:dharmaparrack@protonmail.comwyattpettigrew8922555@mail.com
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	File dropped: C:\Users\Public\Desktop\README_LOCKED.txt -> decryptor etc.will lead to irreversible destruction of your data.to confirm our honest intentions.send us 2-3 different random files and you will get them decrypted.it can be from different computers on your network to be sure that our decoder decrypts everything.sample files we unlock for free (files should not be related to any kind of backups).we exclusively have decryption software for your situationdo not reset or shutdown - files may be damaged.do not rename the encrypted files.do not move the encrypted files.this may lead to the impossibility of recovery of the certain files.the payment has to be made in bitcoins.the final price depends on how fast you contact us.as soon as we receive the payment you will get the decryption tool andinstructions on how to improve your systems securityto get information on the price of the decoder contact us at:dharmaparrack@protonmail.comwyattpettigrew8922555@mail.com
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	File dropped: C:\Users\Public\Desktop\README_LOCKED.txt -> decryptor etc.will lead to irreversible destruction of your data.to confirm our honest intentions.send us 2-3 different random files and you will get them decrypted.it can be from different computers on your network to be sure that our decoder decrypts everything.sample files we unlock for free (files should not be related to any kind of backups).we exclusively have decryption software for your situationdo not reset or shutdown - files may be damaged.do not rename the encrypted files.do not move the encrypted files.this may lead to the impossibility of recovery of the certain files.the payment has to be made in bitcoins.the final price depends on how fast you contact us.as soon as we receive the payment you will get the decryption tool andinstructions on how to improve your systems securityto get information on the price of the decoder contact us at:dharmaparrack@protonmail.comwyattpettigrew8922555@mail.com

DDoS:

Too many similar processes found

Show sources

Source: unknown

Process created: 48

System Summary:

Uses logoff.exe to logoff the current user

Show sources

Source: unknown

Process created: C:\Windows\System32\logoff.exe C:\Windows\system32\logoff.exe

Abnormal high CPU Usage

Show sources

Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe

Process Stats: CPU usage > 98%

Contains functionality to call native functions

Show sources

Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe

Code function: 23_2_0008FC60 GetDriveTypeW,ReleaseMutex,GetDriveTypeW,GetFileAttributesExW,RtlInitUnicodeString,NtOpenFile,NtReadFile,NtWriteFile,NtWriteFile,NtClose,

23_2_0008FC60

Contains functionality to communicate with device drivers

Show sources

Source: C:\Users\user\Desktop\LockerGogaRecent.exe

Code function: 0_2_000AA410: CreateFileW,DeviceIoControl,CloseHandle,

0_2_000AA410

Creates mutexes

Show sources

Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe

Mutant created: \Sessions\2\BaseNamedObjects\MX-tgytutrc

Detected potential crypto function

Show sources

Source: C:\Users\user\Desktop\LockerGogaRecent.exe	Code function: 0_2_000D1880	0_2_000D1880
Source: C:\Users\user\Desktop\LockerGogaRecent.exe	Code function: 0_2_000B4060	0_2_000B4060
Source: C:\Users\user\Desktop\LockerGogaRecent.exe	Code function: 0_2_000CB07A	0_2_000CB07A
Source: C:\Users\user\Desktop\LockerGogaRecent.exe	Code function: 0_2_000A8150	0_2_000A8150
Source: C:\Users\user\Desktop\LockerGogaRecent.exe	Code function: 0_2_00128166	0_2_00128166
Source: C:\Users\user\Desktop\LockerGogaRecent.exe	Code function: 0_2_0011B2BE	0_2_0011B2BE
Source: C:\Users\user\Desktop\LockerGogaRecent.exe	Code function: 0_2_000B42E0	0_2_000B42E0
Source: C:\Users\user\Desktop\LockerGogaRecent.exe	Code function: 0_2_000CB422	0_2_000CB422
Source: C:\Users\user\Desktop\LockerGogaRecent.exe	Code function: 0_2_000CC435	0_2_000CC435
Source: C:\Users\user\Desktop\LockerGogaRecent.exe	Code function: 0_2_000B44B0	0_2_000B44B0
Source: C:\Users\user\Desktop\LockerGogaRecent.exe	Code function: 0_2_000785B0	0_2_000785B0
Source: C:\Users\user\Desktop\LockerGogaRecent.exe	Code function: 0_2_000B7610	0_2_000B7610
Source: C:\Users\user\Desktop\LockerGogaRecent.exe	Code function: 0_2_000D56F0	0_2_000D56F0
Source: C:\Users\user\Desktop\LockerGogaRecent.exe	Code function: 0_2_0010E796	0_2_0010E796
Source: C:\Users\user\Desktop\LockerGogaRecent.exe	Code function: 0_2_000B8790	0_2_000B8790
Source: C:\Users\user\Desktop\LockerGogaRecent.exe	Code function: 0_2_0009D7B0	0_2_0009D7B0
Source: C:\Users\user\Desktop\LockerGogaRecent.exe	Code function: 0_2_00104830	0_2_00104830
Source: C:\Users\user\Desktop\LockerGogaRecent.exe	Code function: 0_2_000A6840	0_2_000A6840
Source: C:\Users\user\Desktop\LockerGogaRecent.exe	Code function: 0_2_00067850	0_2_00067850
Source: C:\Users\user\Desktop\LockerGogaRecent.exe	Code function: 0_2_00105A63	0_2_00105A63
Source: C:\Users\user\Desktop\LockerGogaRecent.exe	Code function: 0_2_000D5AD0	0_2_000D5AD0
Source: C:\Users\user\Desktop\LockerGogaRecent.exe	Code function: 0_2_00115B00	0_2_00115B00
Source: C:\Users\user\Desktop\LockerGogaRecent.exe	Code function: 0_2_000C6B10	0_2_000C6B10
Source: C:\Users\user\Desktop\LockerGogaRecent.exe	Code function: 0_2_000C7BE0	0_2_000C7BE0
Source: C:\Users\user\Desktop\LockerGogaRecent.exe	Code function: 0_2_000A5C20	0_2_000A5C20
Source: C:\Users\user\Desktop\LockerGogaRecent.exe	Code function: 0_2_0008FC60	0_2_0008FC60
Source: C:\Users\user\Desktop\LockerGogaRecent.exe	Code function: 0_2_000D3C80	0_2_000D3C80
Source: C:\Users\user\Desktop\LockerGogaRecent.exe	Code function: 0_2_000A4CC0	0_2_000A4CC0
Source: C:\Users\user\Desktop\LockerGogaRecent.exe	Code function: 0_2_00086CF0	0_2_00086CF0
Source: C:\Users\user\Desktop\LockerGogaRecent.exe	Code function: 0_2_000CBDC7	0_2_000CBDC7
Source: C:\Users\user\Desktop\LockerGogaRecent.exe	Code function: 0_2_000B3E50	0_2_000B3E50
Source: C:\Users\user\Desktop\LockerGogaRecent.exe	Code function: 0_2_000D3E60	0_2_000D3E60
Source: C:\Users\user\Desktop\LockerGogaRecent.exe	Code function: 0_2_000D5F30	0_2_000D5F30
Source: C:\Users\user\Desktop\LockerGogaRecent.exe	Code function: 0_2_00107FF7	0_2_00107FF7
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Code function: 23_2_000A8150	23_2_000A8150
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Code function: 23_2_000CC435	23_2_000CC435
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Code function: 23_2_0009D7B0	23_2_0009D7B0
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Code function: 23_2_000D1880	23_2_000D1880
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Code function: 23_2_0008FC60	23_2_0008FC60
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Code function: 23_2_000D4040	23_2_000D4040
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Code function: 23_2_000B4060	23_2_000B4060
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Code function: 23_2_000F4159	23_2_000F4159
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Code function: 23_2_00128166	23_2_00128166
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Code function: 23_2_000B42E0	23_2_000B42E0
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Code function: 23_2_000B44B0	23_2_000B44B0
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Code function: 23_2_000785B0	23_2_000785B0
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Code function: 23_2_000B8790	23_2_000B8790
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Code function: 23_2_00104830	23_2_00104830
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Code function: 23_2_000CC8CF	23_2_000CC8CF
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Code function: 23_2_000D4910	23_2_000D4910
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Code function: 23_2_000A4CC0	23_2_000A4CC0
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Code function: 23_2_000F11D3	23_2_000F11D3
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Code function: 23_2_000D56F0	23_2_000D56F0
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Code function: 23_2_0011173B	23_2_0011173B
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Code function: 23_2_000F19B9	23_2_000F19B9
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Code function: 23_2_00105A63	23_2_00105A63
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Code function: 23_2_000D5AD0	23_2_000D5AD0
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Code function: 23_2_00115B00	23_2_00115B00
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Code function: 23_2_000A5C20	23_2_000A5C20
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Code function: 23_2_00105DD5	23_2_00105DD5
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Code function: 23_2_000D5F30	23_2_000D5F30
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Code function: 23_2_0010607F	23_2_0010607F
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Code function: 23_2_00106346	23_2_00106346
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Code function: 23_2_000F6551	23_2_000F6551
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Code function: 23_2_00106601	23_2_00106601
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Code function: 23_2_0010E796	23_2_0010E796
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Code function: 23_2_000A6840	23_2_000A6840
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Code function: 23_2_001228D9	23_2_001228D9
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Code function: 23_2_000DAA9B	23_2_000DAA9B
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Code function: 23_2_000C6B10	23_2_000C6B10
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Code function: 23_2_00086CF0	23_2_00086CF0
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Code function: 23_2_000CB07A	23_2_000CB07A
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Code function: 23_2_000CB087	23_2_000CB087
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Code function: 23_2_0011B2BE	23_2_0011B2BE
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Code function: 23_2_000CB422	23_2_000CB422
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Code function: 23_2_000B7610	23_2_000B7610
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Code function: 23_2_00067850	23_2_00067850
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Code function: 23_2_000C7BE0	23_2_000C7BE0
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Code function: 23_2_000D3C80	23_2_000D3C80
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Code function: 23_2_000CBDC7	23_2_000CBDC7
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Code function: 23_2_000B3E50	23_2_000B3E50
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Code function: 23_2_00107FF7	23_2_00107FF7
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Code function: 23_2_000CBFEB	23_2_000CBFEB

Found potential string decryption / allocating functions

Show sources

Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Code function: String function: 00064B00 appears 43 times
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Code function: String function: 000EE140 appears 58 times
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Code function: String function: 000EDE0E appears 163 times
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Code function: String function: 000EDE42 appears 71 times
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Code function: String function: 000ED2D0 appears 59 times
Source: C:\Users\user\Desktop\LockerGogaRecent.exe	Code function: String function: 00064B00 appears 43 times

Sample file is different than original file name gathered from version info

Show sources

Source: LockerGogaRecent.exe, 00000000.00000002.1665362832.0017B000.00000002.sdmp	Binary or memory string: OriginalFilenametgytutrcB vs LockerGogaRecent.exe
Source: LockerGogaRecent.exe	Binary or memory string: OriginalFilenametgytutrcB vs LockerGogaRecent.exe

Tries to load missing DLLs

Show sources

Source: C:\Users\user\Desktop\LockerGogaRecent.exe	Section loaded: ext-ms-win-kernel32-package-current-l1-1-0.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Section loaded: ext-ms-win-kernel32-package-current-l1-1-0.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Section loaded: ext-ms-win-kernel32-package-current-l1-1-0.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Section loaded: ext-ms-win-kernel32-package-current-l1-1-0.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Section loaded: ext-ms-win-kernel32-package-current-l1-1-0.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Section loaded: ext-ms-win-kernel32-package-current-l1-1-0.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Section loaded: ext-ms-win-kernel32-package-current-l1-1-0.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Section loaded: ext-ms-win-kernel32-package-current-l1-1-0.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Section loaded: ext-ms-win-kernel32-package-current-l1-1-0.dll
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Section loaded: ext-ms-win-kernel32-package-current-l1-1-0.dll
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Section loaded: ext-ms-win-kernel32-package-current-l1-1-0.dll
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Section loaded: ext-ms-win-kernel32-package-current-l1-1-0.dll

Classification label

Show sources

Source: classification engine

Classification label: mal100.rans.phis.spyw.winEXE@99/123@0/0

Contains functionality to adjust token privileges (e.g. debug / backup)

Show sources

Source: C:\Users\user\Desktop\LockerGogaRecent.exe	Code function: 0_2_00061760 GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,		0_2_00061760
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Code function: 23_2_00061760 GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,		23_2_00061760

Contains functionality to instantiate COM classes

Show sources

Source: C:\Users\user\Desktop\LockerGogaRecent.exe

Code function: 0_2_0005B450 CoCreateInstance,

0_2_0005B450

Creates files inside the user directory

Show sources

Source: C:\Users\user\Desktop\LockerGogaRecent.exe

File created: C:\Users\Public\Desktop\README_LOCKED.txt

Jump to behavior

Found command line output

Show sources

Source: C:\Windows\System32\cmd.exe	Console Write: ........n#.......... . . . . . . . .1. .f.i.l.e.(.s.). .m.o.v.e.d.......V.KJ..%.(..(......%.......Ww..%.4...`.....,.....	Jump to behavior
Source: C:\Windows\System32\net1.exe	Console Write: ....................T.h.e. .c.o.m.m.a.n.d. .c.o.m.p.l.e.t.e.d. .s.u.c.c.e.s.s.f.u.l.l.y.........O...4...J...........8...	Jump to behavior
Source: C:\Windows\System32\net1.exe	Console Write: ..........................0.................yO..........................e.s.s.f.u.l.l.y.........O...4.........#.........	Jump to behavior
Source: C:\Windows\System32\net1.exe	Console Write: ....................T.h.e. .c.o.m.m.a.n.d. .c.o.m.p.l.e.t.e.d. .s.u.c.c.e.s.s.f.u.l.l.y.......%.O.F.d.%.J...........8.G.	Jump to behavior
Source: C:\Windows\System32\net1.exe	Console Write: ..........................0..... ...l...8....Q..........................e.s.s.f.u.l.l.y.......%.O.F.d.%.....l...........	Jump to behavior

PE file has an executable .text section and no other executable section

Show sources

Source: LockerGogaRecent.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Reads software policies

Show sources

Source: C:\Users\user\Desktop\LockerGogaRecent.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Sample is known by Antivirus

Show sources

Source: LockerGogaRecent.exe	virustotal: Detection: 62%
Source: LockerGogaRecent.exe	metadefender: Detection: 21%

Sample might require command line arguments (.Net)

Show sources

Source: LockerGogaRecent.exe

String found in binary or memory: 3http://crl.usertrust.com/AddTrustExternalCARoot.crl05

Spawns processes

Show sources

Source: unknown	Process created: C:\Users\user\Desktop\LockerGogaRecent.exe 'C:\Users\user\Desktop\LockerGogaRecent.exe'
Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c move /y C:\Users\user\Desktop\LockerGogaRecent.exe C:\Users\user~1\AppData\Local\Temp\tgytutrc3979.exe
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe C:\Users\user~1\AppData\Local\Temp\tgytutrc3979.exe -m
Source: unknown	Process created: C:\Windows\System32\logoff.exe C:\Windows\system32\logoff.exe
Source: unknown	Process created: C:\Windows\System32\logoff.exe C:\Windows\system32\logoff.exe
Source: unknown	Process created: C:\Windows\System32\logoff.exe C:\Windows\system32\logoff.exe
Source: unknown	Process created: C:\Windows\System32\logoff.exe C:\Windows\system32\logoff.exe
Source: unknown	Process created: C:\Windows\System32\logoff.exe C:\Windows\system32\logoff.exe
Source: unknown	Process created: C:\Windows\System32\logoff.exe C:\Windows\system32\logoff.exe
Source: unknown	Process created: C:\Windows\System32\net.exe C:\Windows\system32\net.exe user Administrator HuHuHUHoHo283283@dJD
Source: unknown	Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 user Administrator HuHuHUHoHo283283@dJD
Source: unknown	Process created: C:\Windows\System32\net.exe C:\Windows\system32\net.exe user user HuHuHUHoHo283283@dJD
Source: unknown	Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 user user HuHuHUHoHo283283@dJD
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe C:\Users\user~1\AppData\Local\Temp\tgytutrc3979.exe -i SM-tgytutrc -s
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe C:\Users\user~1\AppData\Local\Temp\tgytutrc3979.exe -i SM-tgytutrc -s
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe C:\Users\user~1\AppData\Local\Temp\tgytutrc3979.exe -i SM-tgytutrc -s
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe C:\Users\user~1\AppData\Local\Temp\tgytutrc3979.exe -i SM-tgytutrc -s
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe C:\Users\user~1\AppData\Local\Temp\tgytutrc3979.exe -i SM-tgytutrc -s
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe C:\Users\user~1\AppData\Local\Temp\tgytutrc3979.exe -i SM-tgytutrc -s
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe C:\Users\user~1\AppData\Local\Temp\tgytutrc3979.exe -i SM-tgytutrc -s
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe C:\Users\user~1\AppData\Local\Temp\tgytutrc3979.exe -i SM-tgytutrc -s
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe C:\Users\user~1\AppData\Local\Temp\tgytutrc3979.exe -i SM-tgytutrc -s
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe C:\Users\user~1\AppData\Local\Temp\tgytutrc3979.exe -i SM-tgytutrc -s
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe C:\Users\user~1\AppData\Local\Temp\tgytutrc3979.exe -i SM-tgytutrc -s
Source: C:\Users\user\Desktop\LockerGogaRecent.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c move /y C:\Users\user\Desktop\LockerGogaRecent.exe C:\Users\user~1\AppData\Local\Temp\tgytutrc3979.exe	Jump to behavior
Source: C:\Users\user\Desktop\LockerGogaRecent.exe	Process created: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe C:\Users\user~1\AppData\Local\Temp\tgytutrc3979.exe -m	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process created: C:\Windows\System32\logoff.exe C:\Windows\system32\logoff.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process created: C:\Windows\System32\logoff.exe C:\Windows\system32\logoff.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process created: C:\Windows\System32\logoff.exe C:\Windows\system32\logoff.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process created: C:\Windows\System32\logoff.exe C:\Windows\system32\logoff.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process created: C:\Windows\System32\logoff.exe C:\Windows\system32\logoff.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process created: C:\Windows\System32\logoff.exe C:\Windows\system32\logoff.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process created: C:\Windows\System32\net.exe C:\Windows\system32\net.exe user Administrator HuHuHUHoHo283283@dJD	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process created: C:\Windows\System32\net.exe C:\Windows\system32\net.exe user user HuHuHUHoHo283283@dJD	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process created: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe C:\Users\user~1\AppData\Local\Temp\tgytutrc3979.exe -i SM-tgytutrc -s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process created: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe C:\Users\user~1\AppData\Local\Temp\tgytutrc3979.exe -i SM-tgytutrc -s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process created: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe C:\Users\user~1\AppData\Local\Temp\tgytutrc3979.exe -i SM-tgytutrc -s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process created: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe C:\Users\user~1\AppData\Local\Temp\tgytutrc3979.exe -i SM-tgytutrc -s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process created: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe C:\Users\user~1\AppData\Local\Temp\tgytutrc3979.exe -i SM-tgytutrc -s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process created: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe C:\Users\user~1\AppData\Local\Temp\tgytutrc3979.exe -i SM-tgytutrc -s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process created: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe C:\Users\user~1\AppData\Local\Temp\tgytutrc3979.exe -i SM-tgytutrc -s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process created: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe C:\Users\user~1\AppData\Local\Temp\tgytutrc3979.exe -i SM-tgytutrc -s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process created: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe C:\Users\user~1\AppData\Local\Temp\tgytutrc3979.exe -i SM-tgytutrc -s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process created: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe C:\Users\user~1\AppData\Local\Temp\tgytutrc3979.exe -i SM-tgytutrc -s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process created: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe C:\Users\user~1\AppData\Local\Temp\tgytutrc3979.exe -i SM-tgytutrc -s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process created: C:\Windows\System32\logoff.exe C:\Windows\system32\logoff.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process created: C:\Windows\System32\logoff.exe C:\Windows\system32\logoff.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process created: C:\Windows\System32\net.exe C:\Windows\system32\net.exe user Administrator HuHuHUHoHo283283@dJD	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 user user HuHuHUHoHo283283@dJD	Jump to behavior
Source: C:\Windows\System32\net.exe	Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 user Administrator HuHuHUHoHo283283@dJD	Jump to behavior
Source: C:\Windows\System32\net.exe	Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 user user HuHuHUHoHo283283@dJD	Jump to behavior

Found graphical window changes (likely an installer)

Show sources

Source: Window Recorder

Window detected: More than 3 window changes detected

Submission file is bigger than most known malware samples

Show sources

Source: LockerGogaRecent.exe

Static file information: File size 1268600 > 1048576

PE file contains a mix of data directories often seen in goodware

Show sources

Source: LockerGogaRecent.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: LockerGogaRecent.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: LockerGogaRecent.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: LockerGogaRecent.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: LockerGogaRecent.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: LockerGogaRecent.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Contains modern PE file flags such as dynamic base (ASLR) or NX

Show sources

Source: LockerGogaRecent.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

PE file contains a debug data directory

Show sources

Source: LockerGogaRecent.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

PE file contains a valid data directory to section mapping

Show sources

Source: LockerGogaRecent.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: LockerGogaRecent.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: LockerGogaRecent.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: LockerGogaRecent.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: LockerGogaRecent.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Contains functionality to dynamically determine API calls

Show sources

Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe

Code function: 23_2_000FC820 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

23_2_000FC820

Uses code obfuscation techniques (call, push, ret)

Show sources

Source: C:\Users\user\Desktop\LockerGogaRecent.exe	Code function: 0_2_000EE186 push ecx; ret	0_2_000EE199
Source: C:\Users\user\Desktop\LockerGogaRecent.exe	Code function: 0_2_000EDDD7 push ecx; ret	0_2_000EDDEA
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Code function: 23_2_000EDDD7 push ecx; ret	23_2_000EDDEA
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Code function: 23_2_000EE186 push ecx; ret	23_2_000EE199

Persistence and Installation Behavior:

Creates license or readme file

Show sources

Source: C:\Users\user\Desktop\LockerGogaRecent.exe

File created: C:\Users\Public\Desktop\README_LOCKED.txt

Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Moves itself to temp directory

Show sources

Source: c:\users\user\desktop\lockergogarecent.exe

File moved: C:\Users\user~1\AppData\Local\Temp\tgytutrc3979.exe

Jump to behavior

Extensive use of GetProcAddress (often used to hide API calls)

Show sources

Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe

Code function: 23_2_000DAA9B GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

23_2_000DAA9B

Disables application error messsages (SetErrorMode)

Show sources

Source: C:\Users\user\Desktop\LockerGogaRecent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LockerGogaRecent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LockerGogaRecent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Enumerates the file system

Show sources

Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	File opened: C:\Program Files\Adobe\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	File opened: C:\Program Files\Adobe\Reader 11.0\Reader\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	File opened: C:\Program Files\Adobe\Reader 11.0\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	File opened: C:\Program Files\Adobe\Reader 11.0\Reader\AcroExt\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	File opened: C:\Program Files\Adobe\Reader 11.0\Esl\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	File opened: C:\Program Files\Adobe\Reader 11.0\Reader\AcroExt\locales\	Jump to behavior

Contains functionality to enumerate / list files inside a directory

Show sources

Source: C:\Users\user\Desktop\LockerGogaRecent.exe	Code function: 0_2_000A9970 FindFirstFileW,GetLastError,GetLastError,GetLastError,GetLastError,	0_2_000A9970
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Code function: 23_2_00124A3B FindFirstFileExA,	23_2_00124A3B
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Code function: 23_2_000A9970 FindFirstFileW,GetLastError,GetLastError,GetLastError,GetLastError,	23_2_000A9970

Contains functionality to query local drives

Show sources

Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe

Code function: 23_2_0005CE90 GetLogicalDriveStringsW,GetDriveTypeW,GetDriveTypeW,

23_2_0005CE90

Contains functionality to query system information

Show sources

Source: C:\Users\user\Desktop\LockerGogaRecent.exe

Code function: 0_2_00051280 GetSystemInfo,

0_2_00051280

May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)

Show sources

Source: LockerGogaRecent.exe, 00000000.00000002.1667079524.004E4000.00000004.sdmp

Binary or memory string: vmbusres.dll

Queries a list of all running processes

Show sources

Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))

Show sources

Source: C:\Users\user\Desktop\LockerGogaRecent.exe

System information queried: KernelDebuggerInformation

Jump to behavior

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Show sources

Source: C:\Users\user\Desktop\LockerGogaRecent.exe

Code function: 0_2_0010F271 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_0010F271

Contains functionality to dynamically determine API calls

Show sources

Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe

Code function: 23_2_000FC820 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

23_2_000FC820

Contains functionality to read the PEB

Show sources

Source: C:\Users\user\Desktop\LockerGogaRecent.exe	Code function: 0_2_001190D7 mov eax, dword ptr fs:[00000030h]		0_2_001190D7
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Code function: 23_2_001190D7 mov eax, dword ptr fs:[00000030h]		23_2_001190D7

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Show sources

Source: C:\Users\user\Desktop\LockerGogaRecent.exe

Code function: 0_2_000947F0 ReleaseMutex,GetTickCount,EnumDependentServicesW,GetLastError,GetProcessHeap,HeapAlloc,EnumDependentServicesW,OpenServiceW,ControlService,Sleep,QueryServiceStatusEx,GetTickCount,@_EH4_CallFilterFunc@8,

0_2_000947F0

Enables debug privileges

Show sources

Source: C:\Users\user\Desktop\LockerGogaRecent.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process token adjusted: Debug

Contains functionality to register its own exception handler

Show sources

Source: C:\Users\user\Desktop\LockerGogaRecent.exe	Code function: 0_2_0010F271 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0010F271
Source: C:\Users\user\Desktop\LockerGogaRecent.exe	Code function: 0_2_000EDEEA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_000EDEEA
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Code function: 23_2_000EE33E SetUnhandledExceptionFilter,	23_2_000EE33E
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Code function: 23_2_000EDEEA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	23_2_000EDEEA
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Code function: 23_2_000EE1AB IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	23_2_000EE1AB
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Code function: 23_2_0010F271 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	23_2_0010F271

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)

Show sources

Source: C:\Users\user\Desktop\LockerGogaRecent.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c move /y C:\Users\user\Desktop\LockerGogaRecent.exe C:\Users\user~1\AppData\Local\Temp\tgytutrc3979.exe	Jump to behavior
Source: C:\Users\user\Desktop\LockerGogaRecent.exe	Process created: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe C:\Users\user~1\AppData\Local\Temp\tgytutrc3979.exe -m	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process created: C:\Windows\System32\logoff.exe C:\Windows\system32\logoff.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process created: C:\Windows\System32\logoff.exe C:\Windows\system32\logoff.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process created: C:\Windows\System32\logoff.exe C:\Windows\system32\logoff.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process created: C:\Windows\System32\logoff.exe C:\Windows\system32\logoff.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process created: C:\Windows\System32\logoff.exe C:\Windows\system32\logoff.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process created: C:\Windows\System32\logoff.exe C:\Windows\system32\logoff.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process created: C:\Windows\System32\net.exe C:\Windows\system32\net.exe user Administrator HuHuHUHoHo283283@dJD	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process created: C:\Windows\System32\net.exe C:\Windows\system32\net.exe user user HuHuHUHoHo283283@dJD	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process created: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe C:\Users\user~1\AppData\Local\Temp\tgytutrc3979.exe -i SM-tgytutrc -s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process created: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe C:\Users\user~1\AppData\Local\Temp\tgytutrc3979.exe -i SM-tgytutrc -s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process created: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe C:\Users\user~1\AppData\Local\Temp\tgytutrc3979.exe -i SM-tgytutrc -s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process created: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe C:\Users\user~1\AppData\Local\Temp\tgytutrc3979.exe -i SM-tgytutrc -s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process created: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe C:\Users\user~1\AppData\Local\Temp\tgytutrc3979.exe -i SM-tgytutrc -s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process created: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe C:\Users\user~1\AppData\Local\Temp\tgytutrc3979.exe -i SM-tgytutrc -s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process created: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe C:\Users\user~1\AppData\Local\Temp\tgytutrc3979.exe -i SM-tgytutrc -s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process created: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe C:\Users\user~1\AppData\Local\Temp\tgytutrc3979.exe -i SM-tgytutrc -s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process created: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe C:\Users\user~1\AppData\Local\Temp\tgytutrc3979.exe -i SM-tgytutrc -s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process created: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe C:\Users\user~1\AppData\Local\Temp\tgytutrc3979.exe -i SM-tgytutrc -s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process created: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe C:\Users\user~1\AppData\Local\Temp\tgytutrc3979.exe -i SM-tgytutrc -s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process created: C:\Windows\System32\logoff.exe C:\Windows\system32\logoff.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process created: C:\Windows\System32\logoff.exe C:\Windows\system32\logoff.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process created: C:\Windows\System32\net.exe C:\Windows\system32\net.exe user Administrator HuHuHUHoHo283283@dJD	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 user user HuHuHUHoHo283283@dJD	Jump to behavior
Source: C:\Windows\System32\net.exe	Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 user Administrator HuHuHUHoHo283283@dJD	Jump to behavior
Source: C:\Windows\System32\net.exe	Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 user user HuHuHUHoHo283283@dJD	Jump to behavior

Contains functionality to add an ACL to a security descriptor

Show sources

Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe

Code function: 23_2_00051230 InitializeSecurityDescriptor,SetSecurityDescriptorDacl,

23_2_00051230

Contains functionality to create a new security descriptor

Show sources

Source: C:\Users\user\Desktop\LockerGogaRecent.exe

Code function: 0_2_00095690 AllocateAndInitializeSid,LookupAccountSidW,GetLastError,LookupAccountSidW,FreeSid,

0_2_00095690

Language, Device and Operating System Detection:

Contains functionality locales information (e.g. system language)

Show sources

Source: C:\Users\user\Desktop\LockerGogaRecent.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_0012719B
Source: C:\Users\user\Desktop\LockerGogaRecent.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_0012736F
Source: C:\Users\user\Desktop\LockerGogaRecent.exe	Code function: GetLocaleInfoW,	0_2_0011F384
Source: C:\Users\user\Desktop\LockerGogaRecent.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	0_2_00126A37
Source: C:\Users\user\Desktop\LockerGogaRecent.exe	Code function: EnumSystemLocalesW,	0_2_00126CAF
Source: C:\Users\user\Desktop\LockerGogaRecent.exe	Code function: EnumSystemLocalesW,	0_2_00126CFA
Source: C:\Users\user\Desktop\LockerGogaRecent.exe	Code function: EnumSystemLocalesW,	0_2_00126D95
Source: C:\Users\user\Desktop\LockerGogaRecent.exe	Code function: EnumSystemLocalesW,	0_2_0011EE9B
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Code function: GetLocaleInfoW,	23_2_000ECCEE
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Code function: ___crtGetLocaleInfoEx,	23_2_000ECDE7
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	23_2_00126A37
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Code function: EnumSystemLocalesW,	23_2_00126CAF
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Code function: EnumSystemLocalesW,	23_2_00126CFA
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Code function: EnumSystemLocalesW,	23_2_00126D95
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	23_2_00126E22
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Code function: EnumSystemLocalesW,	23_2_0011EE9B
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Code function: GetLocaleInfoW,	23_2_00127072
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	23_2_0012719B
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Code function: GetLocaleInfoW,	23_2_001272A2
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	23_2_0012736F
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Code function: GetLocaleInfoW,	23_2_0011F384

Contains functionality to query CPU information (cpuid)

Show sources

Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe

Code function: 23_2_000ED8C3 cpuid

23_2_000ED8C3

Queries the volume information (name, serial number etc) of a device

Show sources

Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Queries volume information: C:\ProgramData\Microsoft\IlsCache\ilrcache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Caches\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x000000000000000b.db VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\en-US\resource.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Queries volume information: C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUI.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Queries volume information: C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\branding.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Queries volume information: C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\AccessMUISet.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\5516.1005.0.3_0\angular.js VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000003.db VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Queries volume information: C:\Users\user\Desktop\ZGGKNSUKOP.pdf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Queries volume information: C:\Users\user\Documents\JDDHMPCDUJ.xlsx VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Queries volume information: C:\Users\user\Documents\ZGGKNSUKOP.pdf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Queries volume information: C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Power Efficiency Diagnostics\energy-report-latest.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Queries volume information: C:\ProgramData\Microsoft\IlsCache\imcrcache.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Queries volume information: C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUISet.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\resource.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Queries volume information: C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Queries volume information: C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Setup.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Office\ONetConfig\b6419f5bc3093b5f22142ce454e02407.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows Mail\oeold.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\Managed\Word Document Building Blocks\1033\TM01793060[[fn=Origin]].dotx VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Queries volume information: C:\Users\user\Documents\DUUDTUBZFW\DUUDTUBZFW.docx VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Queries volume information: C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Caches\{67D69890-D853-4011-A87E-AA64FA83CE5A}.2.ver0x0000000000000002.db VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Power Efficiency Diagnostics\energy-report-2015-03-09.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\en-US\resource.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Queries volume information: C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\Setup.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Queries volume information: C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Setup.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Queries volume information: C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OneNoteMUI.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Queries volume information: C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Setup.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\5516.1005.0.3_0\background_script.js VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\Caches\cversions.1.db VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Queries volume information: C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Caches\cversions.2.db VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Caches\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000007.db VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\behavior.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\tasks.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Queries volume information: C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Queries volume information: C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Setup.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Queries volume information: C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Queries volume information: C:\MSOCache\All Users\{90140000-003D-0000-0000-0000000FF1CE}-C\Setup.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Queries volume information: C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\branding.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Queries volume information: C:\Users\user\AppData\Local\Mozilla\updates\308046B0AF4A39CB\updates.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Queries volume information: C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Power Efficiency Diagnostics\energy-report-2011-04-08.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Caches\{86012F79-362C-43D2-98EF-AB58A0A31343}.2.ver0x0000000000000001.db VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\behavior.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Queries volume information: C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\tasks.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Queries volume information: C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Queries volume information: C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Queries volume information: C:\MSOCache\All Users\{90140000-003D-0000-0000-0000000FF1CE}-C\SingleImageWW.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Queries volume information: C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Setup.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Queries volume information: C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Setup.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Queries volume information: C:\MSOCache\All Users\{90140000-003D-0000-0000-0000000FF1CE}-C\Office64WW.xml VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Document Building Blocks\1033\14\Built-In Building Blocks.dotx VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Queries volume information: C:\Users\user\Documents\ZGGKNSUKOP\ZGGKNSUKOP.docx VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Queries volume information: C:\Users\user\Documents\KLIZUSIQEN.xlsx VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Queries volume information: C:\Users\user\Documents\EWZCVGNOWT.docx VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Queries volume information: C:\Users\user\Documents\DUUDTUBZFW\ZGGKNSUKOP.pdf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Queries volume information: C:\Users\user\Desktop\EWZCVGNOWT\JDDHMPCDUJ.xlsx VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Queries volume information: C:\Users\user\Desktop\KLIZUSIQEN.xlsx VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Queries volume information: C:\Users\user\Desktop\EWZCVGNOWT.docx VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Queries volume information: C:\Users\user\Desktop\EOWRVPQCCS\EOWRVPQCCS.docx VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Queries volume information: C:\Users\user\Desktop\DUUDTUBZFW.docx VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000004.db VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\blocklist.xml VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Queries volume information: C:\Users\user\Documents\ZGGKNSUKOP.docx VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Queries volume information: C:\Users\user\Documents\NWCXBPIUYI.pdf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Queries volume information: C:\Users\user\Documents\EIVQSAOTAQ\KLIZUSIQEN.xlsx VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Queries volume information: C:\Users\user\Documents\DUUDTUBZFW.docx VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Queries volume information: C:\Users\user\Desktop\EIVQSAOTAQ\QCOILOQIKC.pdf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Queries volume information: C:\Users\user\Desktop\QCOILOQIKC.pdf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Queries volume information: C:\Users\user\Desktop\EOWRVPQCCS\GIGIYTFFYT.pdf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\secmod.db VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\sessionstore-backups\previous.js VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\thumbcache_96.db VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Queries volume information: C:\Users\user\Documents\ZGGKNSUKOP\KLIZUSIQEN.pdf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Queries volume information: C:\Users\user\Documents\QCOILOQIKC.pdf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Queries volume information: C:\Users\user\Documents\DUUDTUBZFW\EOWRVPQCCS.xlsx VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Queries volume information: C:\Users\user\Documents\EWZCVGNOWT.xlsx VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Queries volume information: C:\Users\user\Documents\EOWRVPQCCS.xlsx VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Queries volume information: C:\Users\user\Documents\EIVQSAOTAQ\EIVQSAOTAQ.docx VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Queries volume information: C:\Users\user\Desktop\JDDHMPCDUJ.xlsx VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Queries volume information: C:\Users\user\Desktop\EWZCVGNOWT\NWCXBPIUYI.pdf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Queries volume information: C:\Users\user\Desktop\EOWRVPQCCS.docx VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Queries volume information: C:\Users\user\Desktop\EOWRVPQCCS\EIVQSAOTAQ.xlsx VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Queries volume information: C:\Users\user\Desktop\EIVQSAOTAQ\KLIZUSIQEN.xlsx VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Queries volume information: C:\Users\user\Documents\KLIZUSIQEN.pdf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Queries volume information: C:\Users\user\Documents\ZGGKNSUKOP\EWZCVGNOWT.xlsx VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Queries volume information: C:\Users\user\Documents\EWZCVGNOWT\JDDHMPCDUJ.xlsx VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Queries volume information: C:\Users\user\Documents\EIVQSAOTAQ.docx VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\cert8.db VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Queries volume information: C:\Users\user\Desktop\GIGIYTFFYT.pdf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Queries volume information: C:\Users\user\Desktop\EWZCVGNOWT\EWZCVGNOWT.docx VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Queries volume information: C:\Users\user\Desktop\DUUDTUBZFW\DUUDTUBZFW.docx VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Queries volume information: C:\Users\user\Desktop\EIVQSAOTAQ\EIVQSAOTAQ.docx VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\key3.db VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\thumbcache_32.db VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Queries volume information: C:\Users\user\Documents\EWZCVGNOWT\NWCXBPIUYI.pdf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Queries volume information: C:\Users\user\Documents\EIVQSAOTAQ\QCOILOQIKC.pdf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Queries volume information: C:\Users\user\Documents\EWZCVGNOWT\EWZCVGNOWT.docx VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\prefs.js VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Queries volume information: C:\Users\user\Desktop\NWCXBPIUYI.pdf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Queries volume information: C:\Users\user\Desktop\EIVQSAOTAQ.docx VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Queries volume information: C:\Users\user\Desktop\EOWRVPQCCS.xlsx VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Queries volume information: C:\Users\user\Desktop\EIVQSAOTAQ.xlsx VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Queries volume information: C:\Users\user\Desktop\DUUDTUBZFW\EOWRVPQCCS.xlsx VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Queries volume information: C:\Users\user\Desktop\DUUDTUBZFW\ZGGKNSUKOP.pdf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\thumbcache_256.db VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Queries volume information: C:\Users\user\AppData\Local\IconCache.db VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\opatchinstall(3).log VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Queries volume information: C:\ProgramData\Microsoft\OFFICE\UICaptions\1036\WWINTL.DLL.trx_dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Queries volume information: C:\Users\user\AppData\Roaming\.jre\bin\prism_sw.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Queries volume information: C:\Users\user\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TM.blf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Queries volume information: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\22qkc0w7.default\cache2\entries\D85795856A15100A0C45C075CFB29C4FC314C2EE VolumeInformation

Queries time zone information

Show sources

Source: C:\Windows\System32\net1.exe

Key value queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\TimeZoneInformation Bias

Jump to behavior

Contains functionality to query local / system time

Show sources

Source: C:\Users\user\Desktop\LockerGogaRecent.exe

Code function: 0_2_000EE393 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_000EE393

Contains functionality to query time zone information

Show sources

Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe

Code function: 23_2_0012447F _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

23_2_0012447F

Contains functionality to query windows version

Show sources

Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe

Code function: 23_2_000F3E94 GetVersionExW,Concurrency::details::platform::InitializeSystemFunctionPointers,Concurrency::details::WinRT::Initialize,__CxxThrowException@8,

23_2_000F3E94

Queries the cryptographic machine GUID

Show sources

Source: C:\Users\user\Desktop\LockerGogaRecent.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings:

Overwrites Mozilla Firefox settings

Show sources

Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\blocklist.xml.locked
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\blocklist.xml.locked
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\secmod.db.locked
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\secmod.db.locked
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\sessionstore-backups\previous.js.locked
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\sessionstore-backups\previous.js.locked
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\cert8.db.locked
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\cert8.db.locked
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\key3.db.locked
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\key3.db.locked
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\prefs.js.locked
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\prefs.js.locked
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	File written: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\22qkc0w7.default\cache2\entries\D85795856A15100A0C45C075CFB29C4FC314C2EE.locked
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	File written: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\22qkc0w7.default\cache2\entries\D85795856A15100A0C45C075CFB29C4FC314C2EE.locked

Stealing of Sensitive Information:

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\22qkc0w7.default\cache2\entries\D85795856A15100A0C45C075CFB29C4FC314C2EE
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\cert8.db
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	File opened: \C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\22qkc0w7.default\cache2\entries\D85795856A15100A0C45C075CFB29C4FC314C2EE.locked
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\secmod.db
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\sessionstore-backups\previous.js
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\prefs.js
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\key3.db
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	File opened: \C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\secmod.db.locked
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\blocklist.xml
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	File opened: \C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\key3.db.locked
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	File opened: \C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\blocklist.xml.locked
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	File opened: \C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\prefs.js.locked
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	File opened: \C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\sessionstore-backups\previous.js.locked
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	File opened: \C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\cert8.db.locked

Remote Access Functionality:

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Show sources

Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Code function: 23_2_00051400 __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ,	23_2_00051400
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Code function: 23_2_000520F0 __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ,	23_2_000520F0
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Code function: 23_2_000FE7B8 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext,	23_2_000FE7B8
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3979.exe	Code function: 23_2_000FF48A Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::InternalContextBase::SwitchOut,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::InternalContextBase::SwitchTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,	23_2_000FF48A

Signature Similarity

Sample Distance (10 = nearest)

10 9 8 7 6 5 4 3 2 1

Similar Samples

Samplename	Analysis ID	SHA256	Similarity

Behavior Graph

Simulations

Behavior and APIs

Time	Type	Description
10:10:07	API Interceptor	5907x Sleep call for process: LockerGogaRecent.exe modified
10:10:08	API Interceptor	12x Sleep call for process: tgytutrc3979.exe modified
10:10:08	API Interceptor	6x Sleep call for process: logoff.exe modified
10:10:09	API Interceptor	2x Sleep call for process: net1.exe modified

Antivirus Detection

Initial Sample

Source	Detection	Scanner	Label	Link
LockerGogaRecent.exe	62%	virustotal		Browse
LockerGogaRecent.exe	22%	metadefender		Browse
LockerGogaRecent.exe	100%	Avira	TR/LockerGoga.qnfzd

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report LockerGogaRecent.exe

Overview

General Information

Detection

Confidence

Classification

Analysis Advice

Mitre Att&ck Matrix

Signature Overview

AV Detection:

Cryptography:

Spreading:

Networking:

Spam, unwanted Advertisements and Ransom Demands:

DDoS:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Remote Access Functionality:

Signature Similarity

Similar Samples

Behavior Graph

Simulations

Behavior and APIs

Antivirus Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Yara Overview

Initial Sample

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Screenshots

Thumbnails