
Analysis Report Lockergoga.exe

Overview

General Information

Joe Sandbox Version: 25.0.0 Tiger's Eye
Analysis ID: 117835
Start date: 19.03.2019
Start time: 15:37:38
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 11m 18s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: Lockergoga.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 41
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal68.rans.winEXE@219/62@0/0
EGA Information:
  • Successful, ratio: 66.7%
HDC Information: Failed
HCA Information:
  • Successful, ratio: 79%
  • Number of executed functions: 81
  • Number of non-executed functions: 172
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .exe
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe, RuntimeBroker.exe, wermgr.exe, conhost.exe, CompatTelRunner.exe, svchost.exe
  • Execution Graph export aborted for target tgytutrc1672.exe, PID 5116 because there are no executed functions
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size getting too big, too many NtOpenFile calls found.
  • Report size getting too big, too many NtQueryAttributesFile calls found.
  • Report size getting too big, too many NtWriteVirtualMemory calls found.

Detection

Strategy  | Score | Range   | Reporting      | Whitelisted | Detection
Threshold | 68    | 0 - 100 | Report FP / FN | false       | malicious

Confidence

Strategy  | Score | Range | Further Analysis Required? | Confidence
Threshold | 5     | 0 - 5 | false                      |


Classification

Analysis Advice

Sample has functionality to log and monitor keystrokes, analyze it with the 'Simulates keyboard and window changes' cookbook
Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")
Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior



Mitre Att&ck Matrix

Listed per tactic; the bracketed numbers are the signature counts the report attaches to the matched techniques.

Initial Access: Valid Accounts | Replication Through Removable Media | Drive-by Compromise | Exploit Public-Facing Application | Spearphishing Link
Execution: Windows Remote Management | Service Execution | Windows Management Instrumentation | Scheduled Task | Command-Line Interface
Persistence: Winlogon Helper DLL | Port Monitors | Accessibility Features | System Firmware | Shortcut Modification
Privilege Escalation: Process Injection [11] | Accessibility Features | Path Interception | DLL Search Order Hijacking | File System Permissions Weakness
Defense Evasion: Masquerading [1] | Process Injection [11] | Obfuscated Files or Information [2] | Obfuscated Files or Information | Masquerading
Credential Access: Input Capture [21] | Network Sniffing | Input Capture | Credentials in Files | Account Manipulation
Discovery: Network Share Discovery [1] | Process Discovery [1] | Security Software Discovery [31] | File and Directory Discovery [1] | System Information Discovery [22]
Lateral Movement: Application Deployment Software | Remote Services | Windows Remote Management | Logon Scripts | Shared Webroot
Collection: Input Capture [21] | Data from Removable Media | Data from Network Shared Drive | Input Capture | Data Staged
Exfiltration: Data Compressed | Exfiltration Over Other Network Medium | Automated Exfiltration | Data Encrypted | Scheduled Transfer
Command and Control: Standard Cryptographic Protocol [2] | Fallback Channels | Custom Cryptographic Protocol | Multiband Communication | Standard Cryptographic Protocol

Signature Overview



AV Detection:

Multi AV Scanner detection for submitted file
Source: Lockergoga.exe | virustotal: Detection: 42%

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\Lockergoga.exe | Code function: 0_2_0094A250 CryptAcquireContextA,CryptAcquireContextA,GetLastError,CryptAcquireContextA,CryptAcquireContextA,SetLastError,__CxxThrowException@8,CryptAcquireContextA,___std_exception_copy
Source: C:\Users\user\Desktop\Lockergoga.exe | Code function: 0_2_0094A8E0 CryptReleaseContext
Source: C:\Users\user\Desktop\Lockergoga.exe | Code function: 0_2_0094A9B0 CryptGenRandom,CryptReleaseContext,__CxxThrowException@8
Source: C:\Users\user\Desktop\Lockergoga.exe | Code function: 0_2_0094A3B0 CryptAcquireContextA,GetLastError,CryptReleaseContext
Source: C:\Users\user\Desktop\Lockergoga.exe | Code function: 0_2_0094A780 CryptGenRandom,__CxxThrowException@8
Source: C:\Users\user\Desktop\Lockergoga.exe | Code function: 0_2_0094A740 CryptReleaseContext
Source: C:\Users\user\Desktop\Lockergoga.exe | Code function: 0_2_0094A810 ReleaseMutex,CryptGenRandom,CryptReleaseContext,__CxxThrowException@8
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Code function: 5_2_0094A250 CryptAcquireContextA,CryptAcquireContextA,GetLastError,CryptAcquireContextA,CryptAcquireContextA,SetLastError,__CxxThrowException@8,CryptAcquireContextA,___std_exception_copy
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Code function: 5_2_0094A8E0 CryptReleaseContext
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Code function: 5_2_0094A9B0 CryptGenRandom,CryptReleaseContext,__CxxThrowException@8
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Code function: 5_2_0094A3B0 CryptAcquireContextA,GetLastError,CryptReleaseContext
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Code function: 5_2_0094A780 CryptGenRandom,__CxxThrowException@8
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Code function: 5_2_0094A740 CryptReleaseContext
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Code function: 5_2_0094A810 ReleaseMutex,CryptGenRandom,CryptReleaseContext,__CxxThrowException@8

Spreading:

Contains functionality to enumerate network shares
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Code function: 5_2_00915250 NetUserEnum,NetApiBufferFree,NetApiBufferFree
Enumerates the file system
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | File opened: C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.BingWeather_4.22.3254.0_neutral_split.scale-150_8wekyb3d8bbwe\microsoft.system.package.metadata\
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | File opened: C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.BingWeather_4.22.3254.0_neutral_split.scale-150_8wekyb3d8bbwe\Assets\
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | File opened: C:\Program Files\WindowsApps\DeletedAllUserPackages\
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | File opened: C:\Program Files\WindowsApps\Deleted\
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | File opened: C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.BingWeather_4.22.3254.0_neutral_split.scale-150_8wekyb3d8bbwe\Assets\AppTiles\
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | File opened: C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.BingWeather_4.22.3254.0_neutral_split.scale-150_8wekyb3d8bbwe\
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Code function: 5_2_00929970 FindFirstFileW,GetLastError,GetLastError,GetLastError,GetLastError

Networking:

Urls found in memory or binary data
Source: Lockergoga.exe | String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: Lockergoga.exe | String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: Lockergoga.exe | String found in binary or memory: http://ocsp.sectigo.com0
Source: Lockergoga.exe | String found in binary or memory: https://sectigo.com/CPS0C

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: Lockergoga.exe, 00000000.00000002.6160113099.00000000013A0000.00000004.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Installs a raw input device (often for capturing keystrokes)
Source: tgytutrc1672.exe, 00000005.00000003.6557879165.000000000326C000.00000004.sdmp | Binary or memory string: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\_WinAPI_RegisterRawInputDevices.au3

Spam, unwanted Advertisements and Ransom Demands:

Writes a notice file (html or txt) to demand a ransom
Source: C:\Users\user\Desktop\Lockergoga.exe | File dropped: C:\Users\Public\Desktop\README_LOCKED.txt -> (captured text, line breaks restored at sentence boundaries)
    decryptor etc.
    will lead to irreversible destruction of your data.
    to confirm our honest intentions.
    send us 2-3 different random files and you will get them decrypted.
    it can be from different computers on your network to be sure that our decoder decrypts everything.
    sample files we unlock for free (files should not be related to any kind of backups).
    we exclusively have decryption software for your situation
    do not reset or shutdown - files may be damaged.
    do not rename the encrypted files.
    do not move the encrypted files.
    this may lead to the impossibility of recovery of the certain files.
    the payment has to be made in bitcoins.
    the final price depends on how fast you contact us.
    as soon as we receive the payment you will get the decryption tool and
    instructions on how to improve your systems security
    to get information on the price of the decoder contact us at:
    dharmaparrack@protonmail.com
    wyattpettigrew8922555@mail.com
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | File dropped: C:\Users\Public\Desktop\README_LOCKED.txt -> (same note text as above)

DDoS:

Too many similar processes found
Source: unknown | Process created: 161

System Summary:

Uses logoff.exe to logoff the current user
Source: unknown | Process created: C:\Windows\System32\logoff.exe C:\Windows\system32\logoff.exe 0
Contains functionality to communicate with device drivers
Source: C:\Users\user\Desktop\Lockergoga.exe | Code function: 0_2_0092A410 CreateFileW,DeviceIoControl,CloseHandle
Creates mutexes
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4412:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5112:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4436:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3340:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4892:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5024:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4980:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2140:120:WilError_01
Detected potential crypto function
Source: C:\Users\user\Desktop\Lockergoga.exe | Code function: 0_2_00951880
Source: C:\Users\user\Desktop\Lockergoga.exe | Code function: 0_2_00954040
Source: C:\Users\user\Desktop\Lockergoga.exe | Code function: 0_2_00934060
Source: C:\Users\user\Desktop\Lockergoga.exe | Code function: 0_2_00928150
Source: C:\Users\user\Desktop\Lockergoga.exe | Code function: 0_2_00974159
Source: C:\Users\user\Desktop\Lockergoga.exe | Code function: 0_2_009A8166
Source: C:\Users\user\Desktop\Lockergoga.exe | Code function: 0_2_009342E0
Source: C:\Users\user\Desktop\Lockergoga.exe | Code function: 0_2_009344B0
Source: C:\Users\user\Desktop\Lockergoga.exe | Code function: 0_2_0094C435
Source: C:\Users\user\Desktop\Lockergoga.exe | Code function: 0_2_008F85B0
Source: C:\Users\user\Desktop\Lockergoga.exe | Code function: 0_2_00976551
Source: C:\Users\user\Desktop\Lockergoga.exe | Code function: 0_2_00938790
Source: C:\Users\user\Desktop\Lockergoga.exe | Code function: 0_2_0098E796
Source: C:\Users\user\Desktop\Lockergoga.exe | Code function: 0_2_009A28D9
Source: C:\Users\user\Desktop\Lockergoga.exe | Code function: 0_2_00984830
Source: C:\Users\user\Desktop\Lockergoga.exe | Code function: 0_2_00926840
Source: C:\Users\user\Desktop\Lockergoga.exe | Code function: 0_2_00954910
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Code function: 5_2_00954040
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Code function: 5_2_00934060
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Code function: 5_2_00928150
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Code function: 5_2_009A8166
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Code function: 5_2_009342E0
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Code function: 5_2_009344B0
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Code function: 5_2_0094C435
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Code function: 5_2_008F85B0
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Code function: 5_2_00976551
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Code function: 5_2_00938790
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Code function: 5_2_0098E796
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Code function: 5_2_009A28D9
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Code function: 5_2_00984830
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Code function: 5_2_00926840
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Code function: 5_2_00954910
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Code function: 5_2_00946B10
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Code function: 5_2_00924CC0
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Code function: 5_2_00906CF0
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Code function: 5_2_0094B07A
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Code function: 5_2_009711D3
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Code function: 5_2_0099B2BE
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\Lockergoga.exe | Code function: String function: 0096DE0E appears 42 times
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Code function: String function: 0096DE0E appears 41 times
Sample file is different than original file name gathered from version info
Source: Lockergoga.exe, 00000000.00000001.6129069323.00000000009FB000.00000002.sdmp | Binary or memory string: OriginalFilename tgytutrcB vs Lockergoga.exe
Source: Lockergoga.exe | Binary or memory string: OriginalFilename tgytutrcB vs Lockergoga.exe
Tries to load missing DLLs
Source: C:\Users\user\Desktop\Lockergoga.exe | Section loaded: wow64log.dll
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Section loaded: wow64log.dll
Binary contains paths to development resources
Source: tgytutrc1672.exe, 00000005.00000002.7379210725.0000000000A90000.00000004.sdmp | Binary or memory string: C:\Program Files (x86)\AutoIt3\AutoItX\Examples\C++\AutoItX.sln4
Source: tgytutrc1672.exe, 00000005.00000002.7379210725.0000000000A90000.00000004.sdmp | Binary or memory string: C:\Program Files (x86)\AutoIt3\AutoItX\Examples\C++\AutoItX.sln
Classification label
Source: classification engine | Classification label: mal68.rans.winEXE@219/62@0/0
Contains functionality to adjust token privileges (e.g. debug / backup)
Source: C:\Users\user\Desktop\Lockergoga.exe | Code function: 0_2_008E1760 GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Code function: 5_2_008E1760 GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle
Creates files inside the user directory
Source: C:\Users\user\Desktop\Lockergoga.exe | File created: C:\Users\Public\Desktop\README_LOCKED.txt
PE file has an executable .text section and no other executable section
Source: Lockergoga.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Reads software policies
Source: C:\Users\user\Desktop\Lockergoga.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Sample is known by Antivirus
Source: Lockergoga.exe | virustotal: Detection: 42%
Sample might require command line arguments (.Net)
Source: Lockergoga.exe | String found in binary or memory: 3http://crl.usertrust.com/AddTrustExternalCARoot.crl05
Spawns processes
Source: unknown | Process created: C:\Users\user\Desktop\Lockergoga.exe 'C:\Users\user\Desktop\Lockergoga.exe'
Source: unknown | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c move /y 'C:\Users\user\Desktop\Lockergoga.exe' C:\Users\user~1\AppData\Local\Temp\tgytutrc1672.exe
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe C:\Users\user~1\AppData\Local\Temp\tgytutrc1672.exe -m
Source: unknown | Process created: C:\Windows\System32\logoff.exe C:\Windows\system32\logoff.exe 0
Source: unknown | Process created: C:\Windows\System32\logoff.exe C:\Windows\system32\logoff.exe 0
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: unknown | Process created: C:\Windows\System32\logoff.exe C:\Windows\system32\logoff.exe 0
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: unknown | Process created: C:\Windows\System32\logoff.exe C:\Windows\system32\logoff.exe 0
Source: unknown | Process created: C:\Windows\System32\logoff.exe C:\Windows\system32\logoff.exe 0
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: unknown | Process created: C:\Windows\System32\net.exe C:\Windows\system32\net.exe user Administrator HuHuHUHoHo283283@dJD
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: unknown | Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 user Administrator HuHuHUHoHo283283@dJD
Source: unknown | Process created: C:\Windows\System32\net.exe C:\Windows\system32\net.exe user 'user' HuHuHUHoHo283283@dJD
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: unknown | Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 user 'user' HuHuHUHoHo283283@dJD
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe C:\Users\user~1\AppData\Local\Temp\tgytutrc1672.exe -i SM-tgytutrc -s
Source: C:\Users\user\Desktop\Lockergoga.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c move /y 'C:\Users\user\Desktop\Lockergoga.exe' C:\Users\user~1\AppData\Local\Temp\tgytutrc1672.exeJump to behavior
Source: C:\Users\user\Desktop\Lockergoga.exeProcess created: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe C:\Users\user~1\AppData\Local\Temp\tgytutrc1672.exe -mJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exeProcess created: C:\Windows\System32\logoff.exe C:\Windows\system32\logoff.exe 0Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exeProcess created: C:\Windows\System32\logoff.exe C:\Windows\system32\logoff.exe 0Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exeProcess created: C:\Windows\System32\logoff.exe C:\Windows\system32\logoff.exe 0Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exeProcess created: C:\Windows\System32\logoff.exe C:\Windows\system32\logoff.exe 0Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exeProcess created: C:\Windows\System32\logoff.exe C:\Windows\system32\logoff.exe 0Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exeProcess created: C:\Windows\System32\net.exe C:\Windows\system32\net.exe user Administrator HuHuHUHoHo283283@dJDJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exeProcess created: C:\Windows\System32\net.exe C:\Windows\system32\net.exe user 'user' HuHuHUHoHo283283@dJDJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exeProcess created: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe C:\Users\user~1\AppData\Local\Temp\tgytutrc1672.exe -i SM-tgytutrc -s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exeProcess created: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe C:\Users\user~1\AppData\Local\Temp\tgytutrc1672.exe -i SM-tgytutrc -s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exeProcess created: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe C:\Users\user~1\AppData\Local\Temp\tgytutrc1672.exe -i SM-tgytutrc -s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exeProcess created: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe C:\Users\user~1\AppData\Local\Temp\tgytutrc1672.exe -i SM-tgytutrc -s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exeProcess created: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe C:\Users\user~1\AppData\Local\Temp\tgytutrc1672.exe -i SM-tgytutrc -s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exeProcess created: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe C:\Users\user~1\AppData\Local\Temp\tgytutrc1672.exe -i SM-tgytutrc -s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exeProcess created: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe C:\Users\user~1\AppData\Local\Temp\tgytutrc1672.exe -i SM-tgytutrc -s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exeProcess created: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe C:\Users\user~1\AppData\Local\Temp\tgytutrc1672.exe -i SM-tgytutrc -s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exeProcess created: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe C:\Users\user~1\AppData\Local\Temp\tgytutrc1672.exe -i SM-tgytutrc -s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe C:\Users\user~1\AppData\Local\Temp\tgytutrc1672.exe -i SM-tgytutrc -s
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 user Administrator HuHuHUHoHo283283@dJD
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: C:\Windows\System32\logoff.exe C:\Windows\system32\logoff.exe 0
Source: C:\Windows\System32\net.exe | Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 user Administrator HuHuHUHoHo283283@dJD
Source: C:\Windows\System32\net.exe | Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 user 'user' HuHuHUHoHo283283@dJD
Found graphical window changes (likely an installer)
Source: Window Recorder | Window detected: More than 3 window changes detected
Submission file is bigger than most known malware samples
Source: Lockergoga.exe | Static file information: File size 1268600 > 1048576
PE file contains a mix of data directories often seen in goodware
Source: Lockergoga.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Lockergoga.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Lockergoga.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Lockergoga.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Lockergoga.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Lockergoga.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: Lockergoga.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
PE file contains a debug data directory
Source: Lockergoga.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
PE file contains a valid data directory to section mapping
Source: Lockergoga.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Lockergoga.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Lockergoga.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Lockergoga.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Lockergoga.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\Lockergoga.exe | Code function: 0_2_0097C820 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_0097C820
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Lockergoga.exe | Code function: 0_2_0096E186 push ecx; ret 0_2_0096E199
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Code function: 5_2_0096E186 push ecx; ret 5_2_0096E199
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Code function: 27_2_01211854 pushfd ; iretd 27_2_01211855

Persistence and Installation Behavior:

Creates license or readme file
Source: C:\Users\user\Desktop\Lockergoga.exe | File created: C:\Users\Public\Desktop\README_LOCKED.txt

Hooking and other Techniques for Hiding and Protection:

Moves itself to temp directory
Source: c:\users\user\desktop\lockergoga.exe | File moved: C:\Users\user~1\AppData\Local\Temp\tgytutrc1672.exe
Disables application error messages (SetErrorMode)
Source: C:\Users\user\Desktop\Lockergoga.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Enumerates the file systemShow sources
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exeFile opened: C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.BingWeather_4.22.3254.0_neutral_split.scale-150_8wekyb3d8bbwe\microsoft.system.package.metadata\Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exeFile opened: C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.BingWeather_4.22.3254.0_neutral_split.scale-150_8wekyb3d8bbwe\Assets\Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exeFile opened: C:\Program Files\WindowsApps\DeletedAllUserPackages\Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exeFile opened: C:\Program Files\WindowsApps\Deleted\Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exeFile opened: C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.BingWeather_4.22.3254.0_neutral_split.scale-150_8wekyb3d8bbwe\Assets\AppTiles\Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exeFile opened: C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.BingWeather_4.22.3254.0_neutral_split.scale-150_8wekyb3d8bbwe\Jump to behavior
Found large amount of non-executed APIsShow sources
Source: C:\Users\user\Desktop\Lockergoga.exeAPI coverage: 6.0 %
Sample execution stops while process was sleeping (likely an evasion)Show sources
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Contains functionality to enumerate / list files inside a directoryShow sources
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exeCode function: 5_2_00929970 FindFirstFileW,GetLastError,GetLastError,GetLastError,GetLastError,5_2_00929970
Contains functionality to query system informationShow sources
Source: C:\Users\user\Desktop\Lockergoga.exeCode function: 0_2_008D1280 GetSystemInfo,0_2_008D1280
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)Show sources
Source: logoff.exe, 00000006.00000002.6172875793.00000260FEDB0000.00000002.sdmp, logoff.exe, 00000007.00000002.6171959614.00000273A6260000.00000002.sdmp, logoff.exe, 00000009.00000002.6173887178.000001EACDF80000.00000002.sdmp, logoff.exe, 0000000D.00000002.6178882523.000001B8E1A10000.00000002.sdmp, logoff.exe, 0000000E.00000002.6179518411.000001F752490000.00000002.sdmp, tgytutrc1672.exe, 00000018.00000002.6473622964.0000000003120000.00000002.sdmp, tgytutrc1672.exe, 00000019.00000002.6648114163.0000000002940000.00000002.sdmp, tgytutrc1672.exe, 0000001A.00000002.6504822877.0000000002D00000.00000002.sdmp, tgytutrc1672.exe, 0000001B.00000002.6528188838.0000000003410000.00000002.sdmp, tgytutrc1672.exe, 0000001C.00000002.6476703514.0000000003260000.00000002.sdmp, tgytutrc1672.exe, 0000001F.00000002.6631671136.00000000035F0000.00000002.sdmp, tgytutrc1672.exe, 00000022.00000002.6712375621.00000000029A0000.00000002.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: tgytutrc1672.exe, 00000022.00000003.6618054300.000000000014B000.00000004.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll\
Source: tgytutrc1672.exe, 00000005.00000002.7379210725.0000000000A90000.00000004.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll.
Source: tgytutrc1672.exe, 00000019.00000003.6541923212.000000000018B000.00000004.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlln
Source: tgytutrc1672.exe, 00000018.00000003.6370978704.000000000115B000.00000004.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllq
Source: tgytutrc1672.exe, 0000001F.00000002.6565070869.00000000014C0000.00000004.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlle
Source: tgytutrc1672.exeBinary or memory string: Hyper-V RAW
Source: logoff.exe, 00000006.00000002.6172875793.00000260FEDB0000.00000002.sdmp, logoff.exe, 00000007.00000002.6171959614.00000273A6260000.00000002.sdmp, logoff.exe, 00000009.00000002.6173887178.000001EACDF80000.00000002.sdmp, logoff.exe, 0000000D.00000002.6178882523.000001B8E1A10000.00000002.sdmp, logoff.exe, 0000000E.00000002.6179518411.000001F752490000.00000002.sdmp, tgytutrc1672.exe, 00000018.00000002.6473622964.0000000003120000.00000002.sdmp, tgytutrc1672.exe, 00000019.00000002.6648114163.0000000002940000.00000002.sdmp, tgytutrc1672.exe, 0000001A.00000002.6504822877.0000000002D00000.00000002.sdmp, tgytutrc1672.exe, 0000001B.00000002.6528188838.0000000003410000.00000002.sdmp, tgytutrc1672.exe, 0000001C.00000002.6476703514.0000000003260000.00000002.sdmp, tgytutrc1672.exe, 0000001F.00000002.6631671136.00000000035F0000.00000002.sdmp, tgytutrc1672.exe, 00000022.00000002.6712375621.00000000029A0000.00000002.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: logoff.exe, 00000006.00000002.6172875793.00000260FEDB0000.00000002.sdmp, logoff.exe, 00000007.00000002.6171959614.00000273A6260000.00000002.sdmp, logoff.exe, 00000009.00000002.6173887178.000001EACDF80000.00000002.sdmp, logoff.exe, 0000000D.00000002.6178882523.000001B8E1A10000.00000002.sdmp, logoff.exe, 0000000E.00000002.6179518411.000001F752490000.00000002.sdmp, tgytutrc1672.exe, 00000018.00000002.6473622964.0000000003120000.00000002.sdmp, tgytutrc1672.exe, 00000019.00000002.6648114163.0000000002940000.00000002.sdmp, tgytutrc1672.exe, 0000001A.00000002.6504822877.0000000002D00000.00000002.sdmp, tgytutrc1672.exe, 0000001B.00000002.6528188838.0000000003410000.00000002.sdmp, tgytutrc1672.exe, 0000001C.00000002.6476703514.0000000003260000.00000002.sdmp, tgytutrc1672.exe, 0000001F.00000002.6631671136.00000000035F0000.00000002.sdmp, tgytutrc1672.exe, 00000022.00000002.6712375621.00000000029A0000.00000002.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: Lockergoga.exe, 00000000.00000003.6149694633.00000000013C6000.00000004.sdmp, tgytutrc1672.exe, 0000001B.00000002.6466416411.0000000001200000.00000004.sdmp, tgytutrc1672.exe, 0000001C.00000002.6430035811.0000000000A98000.00000004.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: logoff.exe, 00000006.00000002.6172875793.00000260FEDB0000.00000002.sdmp, logoff.exe, 00000007.00000002.6171959614.00000273A6260000.00000002.sdmp, logoff.exe, 00000009.00000002.6173887178.000001EACDF80000.00000002.sdmp, logoff.exe, 0000000D.00000002.6178882523.000001B8E1A10000.00000002.sdmp, logoff.exe, 0000000E.00000002.6179518411.000001F752490000.00000002.sdmp, tgytutrc1672.exe, 00000018.00000002.6473622964.0000000003120000.00000002.sdmp, tgytutrc1672.exe, 00000019.00000002.6648114163.0000000002940000.00000002.sdmp, tgytutrc1672.exe, 0000001A.00000002.6504822877.0000000002D00000.00000002.sdmp, tgytutrc1672.exe, 0000001B.00000002.6528188838.0000000003410000.00000002.sdmp, tgytutrc1672.exe, 0000001C.00000002.6476703514.0000000003260000.00000002.sdmp, tgytutrc1672.exe, 0000001F.00000002.6631671136.00000000035F0000.00000002.sdmp, tgytutrc1672.exe, 00000022.00000002.6712375621.00000000029A0000.00000002.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Queries a list of all running processes
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\Lockergoga.exe | Code function: 0_2_0096E1AB IsProcessorFeaturePresent, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\Lockergoga.exe | Code function: 0_2_0097C820 LoadLibraryExW, GetLastError, LoadLibraryW, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress
Contains functionality to read the PEB
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Code function: 5_2_009990D7 mov eax, dword ptr fs:[00000030h]
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\Lockergoga.exe | Code function: 0_2_009147F0 ReleaseMutex, GetTickCount, EnumDependentServicesW, GetLastError, GetProcessHeap, HeapAlloc, EnumDependentServicesW, OpenServiceW, ControlService, Sleep, QueryServiceStatusEx, GetTickCount, @_EH4_CallFilterFunc@8
Enables debug privileges
Source: C:\Users\user\Desktop\Lockergoga.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process token adjusted: Debug
Contains functionality to register its own exception handler
Source: C:\Users\user\Desktop\Lockergoga.exe | Code function: 0_2_0096E1AB IsProcessorFeaturePresent, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Code function: 5_2_0096E1AB IsProcessorFeaturePresent, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Code function: 5_2_0098F271 IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Lockergoga.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c move /y 'C:\Users\user\Desktop\Lockergoga.exe' C:\Users\user~1\AppData\Local\Temp\tgytutrc1672.exe
Source: C:\Users\user\Desktop\Lockergoga.exe | Process created: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe C:\Users\user~1\AppData\Local\Temp\tgytutrc1672.exe -m
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: C:\Windows\System32\logoff.exe C:\Windows\system32\logoff.exe 0
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: C:\Windows\System32\logoff.exe C:\Windows\system32\logoff.exe 0
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: C:\Windows\System32\logoff.exe C:\Windows\system32\logoff.exe 0
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: C:\Windows\System32\logoff.exe C:\Windows\system32\logoff.exe 0
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: C:\Windows\System32\logoff.exe C:\Windows\system32\logoff.exe 0
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: C:\Windows\System32\net.exe C:\Windows\system32\net.exe user Administrator HuHuHUHoHo283283@dJD
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: C:\Windows\System32\net.exe C:\Windows\system32\net.exe user 'user' HuHuHUHoHo283283@dJD
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe C:\Users\user~1\AppData\Local\Temp\tgytutrc1672.exe -i SM-tgytutrc -s
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe C:\Users\user~1\AppData\Local\Temp\tgytutrc1672.exe -i SM-tgytutrc -s
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe C:\Users\user~1\AppData\Local\Temp\tgytutrc1672.exe -i SM-tgytutrc -s
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe C:\Users\user~1\AppData\Local\Temp\tgytutrc1672.exe -i SM-tgytutrc -s
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe C:\Users\user~1\AppData\Local\Temp\tgytutrc1672.exe -i SM-tgytutrc -s
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe C:\Users\user~1\AppData\Local\Temp\tgytutrc1672.exe -i SM-tgytutrc -s
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe C:\Users\user~1\AppData\Local\Temp\tgytutrc1672.exe -i SM-tgytutrc -s
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe C:\Users\user~1\AppData\Local\Temp\tgytutrc1672.exe -i SM-tgytutrc -s
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe C:\Users\user~1\AppData\Local\Temp\tgytutrc1672.exe -i SM-tgytutrc -s
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe C:\Users\user~1\AppData\Local\Temp\tgytutrc1672.exe -i SM-tgytutrc -s
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 user Administrator HuHuHUHoHo283283@dJD
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: C:\Windows\System32\logoff.exe C:\Windows\system32\logoff.exe 0
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Process created: unknown unknown
Source: C:\Windows\System32\net.exe | Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 user Administrator HuHuHUHoHo283283@dJD
Source: C:\Windows\System32\net.exe | Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 user 'user' HuHuHUHoHo283283@dJD
Contains functionality to create a new security descriptor
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Code function: 5_2_00915690 AllocateAndInitializeSid, LookupAccountSidW, GetLastError, LookupAccountSidW, FreeSid
May try to detect the Windows Explorer process (often used for injection)
Source: tgytutrc1672.exe, 00000005.00000002.7395577584.0000000001710000.00000002.sdmp | Binary or memory string: Program ManagerC
Source: tgytutrc1672.exe, 00000005.00000002.7395577584.0000000001710000.00000002.sdmp | Binary or memory string: Shell_TrayWnd
Source: tgytutrc1672.exe, 00000005.00000002.7395577584.0000000001710000.00000002.sdmp | Binary or memory string: Progman

Language, Device and Operating System Detection:

Contains functionality to query locale information (e.g. system language)
Source: C:\Users\user\Desktop\Lockergoga.exe | Code function: 0_2_009A6A37 IsValidCodePage, _wcschr, _wcschr, GetLocaleInfoW
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Code function: 5_2_009A6A37 IsValidCodePage, _wcschr, _wcschr, GetLocaleInfoW
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Code function: 5_2_009A6CAF EnumSystemLocalesW
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Code function: 5_2_009A6CFA EnumSystemLocalesW
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Code function: 5_2_0096CCEE GetLocaleInfoW
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Code function: 5_2_009A6D95 EnumSystemLocalesW
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Code function: 5_2_0096CDE7 ___crtGetLocaleInfoEx
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Code function: 5_2_0099EE9B EnumSystemLocalesW
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Code function: 5_2_009A719B GetLocaleInfoW, GetLocaleInfoW, GetACP
Queries the volume information (name, serial number etc.) of a device
Source: C:\Windows\System32\cmd.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Queries volume information: C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-xstate-l2-1-0.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Queries volume information: C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ko-kr.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Queries volume information: C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1711.10401.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\RTL\contrast-white\LargeTile.scale-125.png VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Queries volume information: C:\Program Files\WindowsApps\Microsoft.SkypeApp_12.1815.210.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\small\coffee.png VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Queries volume information: C:\Program Files\WindowsApps\Microsoft.VCLibs.140.00_14.0.25426.0_x86__8wekyb3d8bbwe\vcomp140_app.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Queries volume information: C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2018.18041.15530.0_x64__8wekyb3d8bbwe\AppCS\Assets\ModularMusic\Classic_00\Classic_00.json VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Queries volume information: C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2018.18041.15530.0_x64__8wekyb3d8bbwe\AppCS\Assets\StoryBuilder\CreatingMovieAnimation\OUTRO_300px\OUTRO_300px.33.png VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Queries volume information: C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2018.18041.15530.0_x64__8wekyb3d8bbwe\Assets\Cursors\BrushCursor3.cur VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Queries volume information: C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2018.18041.15530.0_x64__8wekyb3d8bbwe\Data\StreamingAssets\10256_campfire_icon.bytes VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Queries volume information: C:\Program Files\WindowsApps\Microsoft.Getstarted_6.13.11581.0_x64__8wekyb3d8bbwe\StoreRatingPromotion.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Queries volume information: C:\Program Files\WindowsApps\Microsoft.Getstarted_6.13.11581.0_x64__8wekyb3d8bbwe\SkuInterop.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Queries volume information: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvStreamingManager.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Queries volume information: C:\Program Files\WindowsApps\Microsoft.Wallet_2.1.18009.0_neutral_~_8wekyb3d8bbwe\AppxSignature.p7x VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Queries volume information: C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2018.18041.15530.0_x64__8wekyb3d8bbwe\AppCS\Assets\StoryBuilder\CreatingMovieAnimation\INTRO_300px\INTRO_300px.109.png VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Queries volume information: C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2018.18041.15530.0_x64__8wekyb3d8bbwe\AppCS\Assets\StoryBuilder\PluginDownloadAnimation\Animate_in\Animate_in.76.png VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Queries volume information: C:\Program Files\WindowsApps\Microsoft.SkypeApp_12.1815.210.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\small\cash.png VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Queries volume information: C:\Program Files\WindowsApps\Microsoft.SkypeApp_12.1815.210.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\small\cake.png VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Queries volume information: C:\Program Files\WindowsApps\Microsoft.SkypeApp_12.1815.210.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\small\brokenheart.png VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Queries volume information: C:\Program Files\WindowsApps\Microsoft.Getstarted_6.13.11581.0_x64__8wekyb3d8bbwe\RuntimeConfiguration.winmd VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Queries volume information: C:\Program Files\WindowsApps\Microsoft.SkypeApp_12.1815.210.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\small\beer.png VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Queries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1712.1141.0_x64__8wekyb3d8bbwe\_Resources\34.rsrc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Queries volume information: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\nb-no\ui-strings.js VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Queries volume information: C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-multibyte-l1-1-0.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exeQueries volume information: C:\Program Files\Common Files\microsoft shared\ink\uk-UA\tipresx.dll.mui VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exeQueries volume information: C:\Program Files\WindowsApps\Microsoft.Getstarted_6.13.11581.0_x64__8wekyb3d8bbwe\WhatsNew.Store.dll VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exeQueries volume information: C:\Program Files\WindowsApps\Microsoft.VCLibs.140.00.UWPDesktop_14.0.25426.0_x64__8wekyb3d8bbwe\vcomp140.dll VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exeQueries volume information: C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.10671.0_x64__8wekyb3d8bbwe\DecoderAppService.winmd VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exeQueries volume information: C:\Program Files\WindowsApps\Microsoft.SkypeApp_12.1815.210.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\small\clap.png VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exeQueries volume information: C:\Program Files\WindowsApps\Microsoft.SkypeApp_12.1815.210.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\small\call.png VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exeQueries volume information: C:\Program Files\WindowsApps\Microsoft.SkypeApp_12.1815.210.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\small\bow.png VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exeQueries volume information: C:\Program Files\WindowsApps\Microsoft.Getstarted_6.13.11581.0_x64__8wekyb3d8bbwe\resources.pri VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exeQueries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1712.1141.0_x64__8wekyb3d8bbwe\_Resources\4.rsrc VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exeQueries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1805.1431.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Home\contrast-black\WideTile.scale-200.png VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exeQueries volume information: C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-localization-l1-2-0.dll VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exeQueries volume information: C:\Program Files\Common Files\microsoft shared\ink\en-US\rtscom.dll.mui VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exeQueries volume information: C:\Program Files\WindowsApps\Microsoft.VCLibs.140.00.UWPDesktop_14.0.25426.0_x64__8wekyb3d8bbwe\vcruntime140.dll VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exeQueries volume information: C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.10671.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-32_contrast-white.png VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exeQueries volume information: C:\Program Files\WindowsApps\Microsoft.SkypeApp_12.1815.210.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\small\cat.png VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exeQueries volume information: C:\Program Files\Windows Photo Viewer\en-US\PhotoViewer.dll.mui VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exeQueries volume information: C:\Program Files\WindowsApps\Microsoft.SkypeApp_12.1815.210.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\small\blush.png VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exeQueries volume information: C:\Program Files\WindowsApps\Microsoft.SkypeApp_12.1815.210.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\small\bartlett.png VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exeQueries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1712.1141.0_x64__8wekyb3d8bbwe\_Resources\36.rsrc VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exeQueries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1712.1141.0_x64__8wekyb3d8bbwe\_Resources\42.rsrc VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exeQueries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1712.1141.0_x64__8wekyb3d8bbwe\_Resources\40.rsrc VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exeQueries volume information: C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-file-l1-2-0.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exeQueries volume information: C:\Program Files\Windows Photo Viewer\ImagingDevices.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exeQueries volume information: C:\Program Files\WindowsApps\Microsoft.VCLibs.140.00.UWPDesktop_14.0.25426.0_x64__8wekyb3d8bbwe\vccorlib140.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exeQueries volume information: C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2018.18041.15530.0_x64__8wekyb3d8bbwe\AppCS\Assets\StoryBuilder\CreatingMovieAnimation\OUTRO_300px\OUTRO_300px.11.png VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exeQueries volume information: C:\Program Files\WindowsApps\Microsoft.Getstarted_6.13.11581.0_x64__8wekyb3d8bbwe\StoreRatingPromotion.winmd VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exeQueries volume information: C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1711.10401.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\RTL\contrast-black\WideTile.scale-125.png VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exeQueries volume information: C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2018.18041.15530.0_x64__8wekyb3d8bbwe\Robmikh.CompositionSurfaceFactory.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exeQueries volume information: C:\Program Files\WindowsApps\Microsoft.SkypeApp_12.1815.210.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\small\bug.png VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exeQueries volume information: C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1711.10401.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\RTL\contrast-black\SmallTile.scale-125.png VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exeQueries volume information: C:\Program Files\WindowsApps\Microsoft.Getstarted_6.13.11581.0_x64__8wekyb3d8bbwe\RuntimeConfiguration.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exeQueries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1712.1141.0_x64__8wekyb3d8bbwe\_Resources\29.rsrc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exeQueries volume information: C:\Program Files\WindowsApps\Microsoft.SkypeApp_12.1815.210.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\small\bike.png VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exeQueries volume information: C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1711.10401.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\RTL\contrast-black\MedTile.scale-125.png VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exeQueries volume information: C:\Program Files\WindowsApps\Microsoft.SkypeApp_12.1815.210.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\small\bandit.png VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exeQueries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1712.1141.0_x64__8wekyb3d8bbwe\_Resources\41.rsrc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exeQueries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1712.1141.0_x64__8wekyb3d8bbwe\_Resources\37.rsrc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exeQueries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1712.1141.0_x64__8wekyb3d8bbwe\_Resources\38.rsrc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exeQueries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1712.1141.0_x64__8wekyb3d8bbwe\_Resources\32.rsrc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exeQueries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1712.1141.0_x64__8wekyb3d8bbwe\_Resources\30.rsrc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exeQueries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1712.1141.0_x64__8wekyb3d8bbwe\_Resources\27.rsrc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exeQueries volume information: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\ko-kr\ui-strings.js VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exeQueries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1712.1141.0_x64__8wekyb3d8bbwe\_Resources\20.rsrc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exeQueries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1712.1141.0_x64__8wekyb3d8bbwe\_Resources\39.rsrc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exeQueries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1712.1141.0_x64__8wekyb3d8bbwe\_Resources\35.rsrc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exeQueries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1712.1141.0_x64__8wekyb3d8bbwe\_Resources\25.rsrc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exeQueries volume information: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\pl-pl\ui-strings.js VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exeQueries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1712.1141.0_x64__8wekyb3d8bbwe\_Resources\22.rsrc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exeQueries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1712.1141.0_x64__8wekyb3d8bbwe\_Resources\18.rsrc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exeQueries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1712.1141.0_x64__8wekyb3d8bbwe\_Resources\16.rsrc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exeQueries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1712.1141.0_x64__8wekyb3d8bbwe\_Resources\15.rsrc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exeQueries volume information: C:\Program Files (x86)\Microsoft Office\root\Licenses16\OneNoteVL_KMS_Client-ppd.xrm-ms VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exeQueries volume information: C:\Program Files (x86)\Microsoft Office\root\Licenses16\PersonalDemoR_BypassTrial180-ul-oob.xrm-ms VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exeQueries volume information: C:\Program Files (x86)\Microsoft Office\root\Licenses16\Personal2019R_Trial-ul-oob.xrm-ms VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exeQueries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1712.1141.0_x64__8wekyb3d8bbwe\_Resources\3.rsrc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exeQueries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1712.1141.0_x64__8wekyb3d8bbwe\_Resources\31.rsrc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exeQueries volume information: C:\Program Files\WindowsApps\Microsoft.Getstarted_6.13.11581.0_x64__8wekyb3d8bbwe\Resources\TopicPage\Images\playbutton.png VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exeQueries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1712.1141.0_x64__8wekyb3d8bbwe\_Resources\28.rsrc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exeQueries volume information: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\nl-nl\ui-strings.js VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exeQueries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1712.1141.0_x64__8wekyb3d8bbwe\_Resources\23.rsrc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exeQueries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1712.1141.0_x64__8wekyb3d8bbwe\_Resources\2.rsrc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exeQueries volume information: C:\Program Files\WindowsApps\Microsoft.SkypeApp_12.1815.210.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\small\angel.png VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exeQueries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1712.1141.0_x64__8wekyb3d8bbwe\_Resources\17.rsrc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exeQueries volume information: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\WinActivate.au3 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exeQueries volume information: C:\Program Files (x86)\Microsoft Office\root\Licenses16\Personal2019DemoR_BypassTrial180-ul-oob.xrm-ms VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exeQueries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1712.1141.0_x64__8wekyb3d8bbwe\_Resources\33.rsrc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exeQueries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1712.1141.0_x64__8wekyb3d8bbwe\_Resources\21.rsrc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exeQueries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1712.1141.0_x64__8wekyb3d8bbwe\_Resources\26.rsrc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exeQueries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1712.1141.0_x64__8wekyb3d8bbwe\_Resources\24.rsrc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exeQueries volume information: C:\Program Files\WindowsApps\Microsoft.SkypeApp_12.1815.210.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\small\angry.png VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exeQueries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1712.1141.0_x64__8wekyb3d8bbwe\_Resources\19.rsrc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exeQueries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1712.1141.0_x64__8wekyb3d8bbwe\_Resources\14.rsrc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exeQueries volume information: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Break.au3 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exeQueries volume information: C:\Program Files (x86)\Microsoft Office\root\Licenses16\OutlookR_OEM_Perp-ul-phn.xrm-ms VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exeQueries volume information: C:\Program Files (x86)\Microsoft Office\root\Licenses16\PersonalDemoR_BypassTrial180-ppd.xrm-ms VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exeQueries volume information: C:\Program Files (x86)\Microsoft Office\root\Licenses16\ProjectPro2019MSDNR_Retail-pl.xrm-ms VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exeQueries volume information: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Dec.au3 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exeQueries volume information: C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1711.10401.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\RTL\contrast-black\LargeTile.scale-125.png VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exeQueries volume information: C:\Program Files (x86)\Microsoft Office\root\Licenses16\Personal2019R_Trial-ppd.xrm-ms VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exeQueries volume information: C:\Program Files (x86)\Microsoft Office\root\Licenses16\ProjectProCO365R_SubTrial-ppd.xrm-ms VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exeQueries volume information: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\api-ms-win-crt-utility-l1-1-0.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exeQueries volume information: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\SYSTEM\ole db\xmlrwbin.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exeQueries volume information: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\A605F2A5-9D01-4691-9FDC-BE6391D70203\x-none.16\MasterDescriptor.x-none.xml VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exeQueries volume information: C:\ProgramData\Microsoft\Provisioning\{c5dc3753-b6c8-4057-b396-bf13d769311c}\customizations.xml VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exeQueries volume information: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.proofing.msi.16.en-us.xml VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exeQueries volume information: C:\ProgramData\Microsoft\Provisioning\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\customizations.xml VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exeQueries volume information: C:\ProgramData\Microsoft\Windows\AppRepository\Microsoft.Xbox.TCUI_1.11.29001.0_neutral_~_8wekyb3d8bbwe.xml VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exeQueries volume information: C:\Program Files\Common Files\microsoft shared\ink\tr-TR\tipresx.dll.mui VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exeQueries volume information: C:\Program Files\Windows Photo Viewer\en-US\PhotoAcq.dll.mui VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exeQueries volume information: C:\Program Files (x86)\Microsoft Office\root\Licenses16\Personal2019R_Retail-ppd.xrm-ms VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exeQueries volume information: C:\Program Files (x86)\Microsoft Office\root\Licenses16\ProfessionalR_Retail-ul-phn.xrm-ms VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exeQueries volume information: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\EQUATION\api-ms-win-crt-runtime-l1-1-0.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exeQueries volume information: C:\ProgramData\Microsoft\Provisioning\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\Prov\RunTime.xml VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exeQueries volume information: C:\ProgramData\Microsoft\Windows\AppRepository\Microsoft.ZuneVideo_10.18061.12711.0_x64__8wekyb3d8bbwe.xml VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exeQueries volume information: C:\ProgramData\Microsoft\Windows\ClipSVC\Archive\Apps\91a5b4c7-29a8-ec80-4321-fbecea906705.xml VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exeQueries volume information: C:\ProgramData\Microsoft\Windows\AppRepository\Microsoft.SkypeApp_12.1815.210.0_neutral_~_kzf8qxf38zg5c.xml VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.4_0\craw_background.js VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.4_0\craw_window.js VolumeInformation
Queries time zone information
Source: C:\Windows\System32\net1.exe | Key value queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\TimeZoneInformation Bias
Contains functionality to query local / system time
Source: C:\Users\user\Desktop\Lockergoga.exe | Code function: 0_2_0096E393 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter | 0_2_0096E393
Queries the cryptographic machine GUID
Source: C:\Users\user\Desktop\Lockergoga.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

AV process strings found (often used to terminate AV products)
Source: tgytutrc1672.exe, 00000005.00000002.7379210725.0000000000A90000.00000004.sdmp | Binary or memory string: C:\Program Files\Windows Defender\MsMpEng.exe
Source: tgytutrc1672.exe, 00000005.00000002.7379210725.0000000000A90000.00000004.sdmp | Binary or memory string: C:\Program Files\Windows Defender\MSASCui.exe
Source: tgytutrc1672.exe, 00000005.00000002.7433638518.0000000003220000.00000004.sdmp | Binary or memory string: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.1806.18062-0\MsMpEng.exe

Remote Access Functionality:

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\Desktop\Lockergoga.exe | Code function: 0_2_0097E7B8 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext | 0_2_0097E7B8
Source: C:\Users\user\AppData\Local\Temp\tgytutrc1672.exe | Code function: 5_2_0097E7B8 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext | 5_2_0097E7B8

Behavior Graph

Behavior Graph ID: 117835 | Sample: Lockergoga.exe | Start date: 19/03/2019 | Architecture: WINDOWS | Score: 68

Signatures attached to the sample as a whole:

  • Too many similar processes found
  • Multi AV Scanner detection for submitted file
  • Uses logoff.exe to logoff the current user

Process tree recovered from the graph (per-process signatures and dropped files indented under the process they belong to):

  • Lockergoga.exe (started)
      Signature: Writes a notice file (html or txt) to demand a ransom
      • tgytutrc1672.exe (started)
          Signature: Writes a notice file (html or txt) to demand a ransom
          • tgytutrc1672.exe (started)
              Dropped file: C:\Users\Public\Desktop\README_LOCKED.txt, ASCII
          • net.exe (started)
              • conhost.exe (started)
              • net1.exe (started)
          • net.exe (started)
              • conhost.exe (started)
              • net1.exe (started)
          • 15 other processes
              Dropped file: C:\...\PhotoViewer.dll.mui.locked, DOS
              • conhost.exe (started, 3 instances)
              • 2 other processes
      • cmd.exe (started)
          Signature: Moves itself to temp directory
          • conhost.exe (started)

Simulations

Behavior and APIs

No simulations

Antivirus Detection

Initial Sample

Source          Detection  Scanner     Label
Lockergoga.exe  42%        virustotal  -

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.