Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel
150s
max time network
58s
platform
windows7_x64
resource
win7-20240704-en
resource tags
arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted
05/08/2024, 10:26
Static task
static1
Behavioral task
behavioral1
Sample
2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
Resource
win10v2004-20240802-en
General
Target
2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
Size
191KB
MD5
270ed136d56c54fbfb1966632b078e73
SHA1
ac3844f6244e9526d4ac5767eafdc8164148df14
SHA256
8eb1341e2664ecc472650204fdcb53f928340d4c668715c7950871aecd109dca
SHA512
32d9740d6f8affe38af5db877a8005d3c380df36a23e38b6e131c37d533a1f84e12dc658ac23f72ef6bf8c970bfa2d070f70f98b8702567cf46fe5f213dde69a
SSDEEP
3072:RE9pPhTb7j4r4pQJUNpRXxBd6SsJ8TSZarF7bphNXB0d/bwx5RssBdxVqonXHxXT:RE9pP97j4r4cUNpRXxBd6SsJ8TSZaZ73
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 64 IoCs)
description      ioc                                                                                                                                      Process
Set value (int)  \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"  reg.exe
(the same entry is recorded 64 times in the original listing)
description      ioc                                                                              Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  reg.exe
(the same entry is repeated verbatim throughout the original listing)
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
description        ioc                                                                                              Process
Key value queried  \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Control Panel\International\Geo\Nation  ZQYUwQYE.exe
Deletes itself (1 IoCs)
pid  Process
808  cmd.exe
Executes dropped EXE (2 IoCs)
pid   Process
2240  ZQYUwQYE.exe
2108  dYwIwwkg.exe
Loads dropped DLL (20 IoCs)
pid   Process
2908  2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
2108  dYwIwwkg.exe
(PID 2908 is listed 4 times and PID 2108 16 times in the original listing, one entry per DLL load)
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 4 IoCs)
description      ioc                                                                                                                                                        Process
Set value (str)  \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\ZQYUwQYE.exe = "C:\\Users\\Admin\\OGkUIsIE\\ZQYUwQYE.exe"  2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\dYwIwwkg.exe = "C:\\ProgramData\\WWgEIEEc\\dYwIwwkg.exe"                                 2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\dYwIwwkg.exe = "C:\\ProgramData\\WWgEIEEc\\dYwIwwkg.exe"                                 dYwIwwkg.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\ZQYUwQYE.exe = "C:\\Users\\Admin\\OGkUIsIE\\ZQYUwQYE.exe"  ZQYUwQYE.exe
Drops file in Windows directory (1 IoCs)
description                    ioc                                                                                   Process
File opened for modification  \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico  dYwIwwkg.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                      Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  reg.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cscript.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ZQYUwQYE.exe
(the original listing holds 64 entries; only the distinct process names are shown here)
Modifies registry key (1 TTPs, 64 IoCs)
pid  Process
(64 reg.exe processes; the original listing gives each PID individually)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid  Process
(64 entries, all 2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe; the original listing gives each PID individually, each appearing twice)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2240 ZQYUwQYE.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 2240 ZQYUwQYE.exe 2240 ZQYUwQYE.exe 2240 ZQYUwQYE.exe 2240 ZQYUwQYE.exe 2240 ZQYUwQYE.exe 2240 ZQYUwQYE.exe 2240 ZQYUwQYE.exe 2240 ZQYUwQYE.exe 2240 ZQYUwQYE.exe 2240 ZQYUwQYE.exe 2240 ZQYUwQYE.exe 2240 ZQYUwQYE.exe 2240 ZQYUwQYE.exe 2240 ZQYUwQYE.exe 2240 ZQYUwQYE.exe 2240 ZQYUwQYE.exe 2240 ZQYUwQYE.exe 2240 ZQYUwQYE.exe 2240 ZQYUwQYE.exe 2240 ZQYUwQYE.exe 2240 ZQYUwQYE.exe 2240 ZQYUwQYE.exe 2240 ZQYUwQYE.exe 2240 ZQYUwQYE.exe 2240 ZQYUwQYE.exe 2240 ZQYUwQYE.exe 2240 ZQYUwQYE.exe 2240 ZQYUwQYE.exe 2240 ZQYUwQYE.exe 2240 ZQYUwQYE.exe 2240 ZQYUwQYE.exe 2240 ZQYUwQYE.exe 2240 ZQYUwQYE.exe 2240 ZQYUwQYE.exe 2240 ZQYUwQYE.exe 2240 ZQYUwQYE.exe 2240 ZQYUwQYE.exe 2240 ZQYUwQYE.exe 2240 ZQYUwQYE.exe 2240 ZQYUwQYE.exe 2240 ZQYUwQYE.exe 2240 ZQYUwQYE.exe 2240 ZQYUwQYE.exe 2240 ZQYUwQYE.exe 2240 ZQYUwQYE.exe 2240 ZQYUwQYE.exe 2240 ZQYUwQYE.exe 2240 ZQYUwQYE.exe 2240 ZQYUwQYE.exe 2240 ZQYUwQYE.exe 2240 ZQYUwQYE.exe 2240 ZQYUwQYE.exe 2240 ZQYUwQYE.exe 2240 ZQYUwQYE.exe 2240 ZQYUwQYE.exe 2240 ZQYUwQYE.exe 2240 ZQYUwQYE.exe 2240 ZQYUwQYE.exe 2240 ZQYUwQYE.exe 2240 ZQYUwQYE.exe 2240 ZQYUwQYE.exe 2240 ZQYUwQYE.exe 2240 ZQYUwQYE.exe 2240 ZQYUwQYE.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2908 wrote to memory of 2240 2908 2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe 29 PID 2908 wrote to memory of 2240 2908 2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe 29 PID 2908 wrote to memory of 2240 2908 2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe 29 PID 2908 wrote to memory of 2240 2908 2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe 29 PID 2908 wrote to memory of 2108 2908 2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe 30 PID 2908 wrote to memory of 2108 2908 2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe 30 PID 2908 wrote to memory of 2108 2908 2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe 30 PID 2908 wrote to memory of 2108 2908 2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe 30 PID 2908 wrote to memory of 2780 2908 2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe 31 PID 2908 wrote to memory of 2780 2908 2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe 31 PID 2908 wrote to memory of 2780 2908 2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe 31 PID 2908 wrote to memory of 2780 2908 2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe 31 PID 2908 wrote to memory of 2892 2908 2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe 33 PID 2908 wrote to memory of 2892 2908 2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe 33 PID 2908 wrote to memory of 2892 2908 2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe 33 PID 2908 wrote to memory of 2892 2908 2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe 33 PID 2908 wrote to memory of 2996 2908 2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe 34 PID 2908 wrote to memory of 2996 2908 2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe 34 PID 2908 wrote to memory of 2996 2908 2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe 34 PID 2908 wrote to memory of 2996 2908 2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe 34 PID 2908 wrote to 
memory of 2784 2908 2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe 35 PID 2908 wrote to memory of 2784 2908 2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe 35 PID 2908 wrote to memory of 2784 2908 2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe 35 PID 2908 wrote to memory of 2784 2908 2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe 35 PID 2908 wrote to memory of 2764 2908 2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe 37 PID 2908 wrote to memory of 2764 2908 2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe 37 PID 2908 wrote to memory of 2764 2908 2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe 37 PID 2908 wrote to memory of 2764 2908 2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe 37 PID 2780 wrote to memory of 2656 2780 cmd.exe 41 PID 2780 wrote to memory of 2656 2780 cmd.exe 41 PID 2780 wrote to memory of 2656 2780 cmd.exe 41 PID 2780 wrote to memory of 2656 2780 cmd.exe 41 PID 2764 wrote to memory of 2704 2764 cmd.exe 42 PID 2764 wrote to memory of 2704 2764 cmd.exe 42 PID 2764 wrote to memory of 2704 2764 cmd.exe 42 PID 2764 wrote to memory of 2704 2764 cmd.exe 42 PID 2656 wrote to memory of 2612 2656 2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe 43 PID 2656 wrote to memory of 2612 2656 2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe 43 PID 2656 wrote to memory of 2612 2656 2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe 43 PID 2656 wrote to memory of 2612 2656 2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe 43 PID 2656 wrote to memory of 1692 2656 2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe 45 PID 2656 wrote to memory of 1692 2656 2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe 45 PID 2656 wrote to memory of 1692 2656 2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe 45 PID 2656 wrote to memory of 1692 2656 2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe 45 PID 2612 wrote to memory of 1488 2612 cmd.exe 46 PID 2612 wrote to memory 
of 1488 2612 cmd.exe 46 PID 2612 wrote to memory of 1488 2612 cmd.exe 46 PID 2612 wrote to memory of 1488 2612 cmd.exe 46 PID 2656 wrote to memory of 2344 2656 2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe 47 PID 2656 wrote to memory of 2344 2656 2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe 47 PID 2656 wrote to memory of 2344 2656 2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe 47 PID 2656 wrote to memory of 2344 2656 2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe 47 PID 2656 wrote to memory of 588 2656 2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe 48 PID 2656 wrote to memory of 588 2656 2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe 48 PID 2656 wrote to memory of 588 2656 2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe 48 PID 2656 wrote to memory of 588 2656 2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe 48 PID 2656 wrote to memory of 996 2656 2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe 49 PID 2656 wrote to memory of 996 2656 2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe 49 PID 2656 wrote to memory of 996 2656 2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe 49 PID 2656 wrote to memory of 996 2656 2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe 49 PID 996 wrote to memory of 2032 996 cmd.exe 54 PID 996 wrote to memory of 2032 996 cmd.exe 54 PID 996 wrote to memory of 2032 996 cmd.exe 54 PID 996 wrote to memory of 2032 996 cmd.exe 54
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe"C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2908 -
C:\Users\Admin\OGkUIsIE\ZQYUwQYE.exe"C:\Users\Admin\OGkUIsIE\ZQYUwQYE.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:2240
-
-
C:\ProgramData\WWgEIEEc\dYwIwwkg.exe"C:\ProgramData\WWgEIEEc\dYwIwwkg.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
PID:2108
-
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"2⤵
- Suspicious use of WriteProcessMemory
PID:2780 -
C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2656 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"4⤵
- Suspicious use of WriteProcessMemory
PID:2612 -
C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock5⤵
- Suspicious behavior: EnumeratesProcesses
PID:1488 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"6⤵PID:2812
-
C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock7⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2620 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"8⤵PID:2440
-
C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock9⤵
- Suspicious behavior: EnumeratesProcesses
PID:812 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"10⤵
- System Location Discovery: System Language Discovery
PID:1600 -
C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock11⤵
- Suspicious behavior: EnumeratesProcesses
PID:1320 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"12⤵PID:1808
-
C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock13⤵
- Suspicious behavior: EnumeratesProcesses
PID:2196 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"14⤵PID:2684
-
C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock15⤵
- Suspicious behavior: EnumeratesProcesses
PID:2784 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"16⤵
- System Location Discovery: System Language Discovery
PID:1204 -
C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock17⤵
- Suspicious behavior: EnumeratesProcesses
PID:2956 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"18⤵
- System Location Discovery: System Language Discovery
PID:1492 -
C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock19⤵
- Suspicious behavior: EnumeratesProcesses
PID:3012 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"20⤵PID:2252
-
C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock21⤵
- Suspicious behavior: EnumeratesProcesses
PID:2020 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"22⤵PID:752
-
C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock23⤵
- Suspicious behavior: EnumeratesProcesses
PID:2316 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"24⤵PID:2188
-
C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock25⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2760 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"26⤵PID:1972
-
C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock27⤵
- Suspicious behavior: EnumeratesProcesses
PID:2484 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"28⤵PID:2036
-
C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock29⤵
- Suspicious behavior: EnumeratesProcesses
PID:1048 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"30⤵PID:2924
-
C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock31⤵
- Suspicious behavior: EnumeratesProcesses
PID:2080 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"32⤵PID:1632
-
C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock33⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:280 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"34⤵
- System Location Discovery: System Language Discovery
PID:2872 -
C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock35⤵
- Suspicious behavior: EnumeratesProcesses
PID:2096 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"36⤵PID:2876
-
C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock37⤵
- Suspicious behavior: EnumeratesProcesses
PID:2756 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"38⤵PID:1948
-
C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock39⤵
- Suspicious behavior: EnumeratesProcesses
PID:2068 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"40⤵PID:2172
-
C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock41⤵
- Suspicious behavior: EnumeratesProcesses
PID:2920 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"42⤵PID:2416
-
C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock43⤵
- Suspicious behavior: EnumeratesProcesses
PID:684 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"44⤵PID:2536
-
C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock45⤵
- Suspicious behavior: EnumeratesProcesses
PID:760 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"46⤵PID:2564
-
C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock47⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2972 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"48⤵PID:2288
-
C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock49⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1016 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"50⤵PID:2652
-
C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock51⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1808 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"52⤵PID:1776
-
C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock53⤵
- Suspicious behavior: EnumeratesProcesses
PID:2620 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"54⤵PID:2924
-
C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock55⤵
- Suspicious behavior: EnumeratesProcesses
PID:2552 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"56⤵PID:1968
-
C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock57⤵
- Suspicious behavior: EnumeratesProcesses
PID:812 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"58⤵PID:2336
-
C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock59⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2356 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"60⤵PID:2880
-
C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock61⤵
- Suspicious behavior: EnumeratesProcesses
PID:1264 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"62⤵PID:1044
-
C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock63⤵
- Suspicious behavior: EnumeratesProcesses
PID:2732 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"64⤵PID:2484
-
C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock65⤵PID:2024
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"66⤵PID:1788
-
C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock67⤵PID:1932
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"68⤵
- System Location Discovery: System Language Discovery
PID:2300 -
C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock69⤵PID:952
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"70⤵PID:2764
-
C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock71⤵PID:2892
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"72⤵PID:1300
-
C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock73⤵PID:2944
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"74⤵
- System Location Discovery: System Language Discovery
PID:1976 -
C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock75⤵PID:2964
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"76⤵PID:1764
-
C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock77⤵PID:884
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"78⤵PID:2024
-
C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock79⤵PID:2272
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"80⤵PID:904
-
C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock81⤵PID:2748
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"82⤵PID:1084
-
C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock83⤵PID:2052
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"84⤵PID:1980
-
C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock85⤵PID:1608
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"86⤵PID:2420
-
C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock87⤵
- System Location Discovery: System Language Discovery
PID:1732 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"88⤵PID:2760
-
C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock89⤵PID:2916
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"90⤵PID:2020
-
C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock91⤵PID:956
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"92⤵PID:1120
-
C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock93⤵PID:684
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"94⤵
- System Location Discovery: System Language Discovery
PID:2300 -
C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock95⤵PID:2656
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"96⤵PID:2072
-
C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock97⤵PID:2772
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"98⤵PID:936
-
C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock99⤵PID:2332
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"100⤵PID:1612
-
C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock101⤵PID:2584
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"102⤵PID:1132
-
C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock103⤵PID:2144
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"104⤵PID:2284
-
C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock105⤵PID:2032
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"106⤵
- System Location Discovery: System Language Discovery
PID:1712 -
C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock107⤵PID:2192
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"108⤵PID:2264
-
C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock109⤵PID:1428
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"110⤵PID:1680
-
C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock111⤵PID:1064
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"112⤵PID:2316
-
C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock113⤵PID:956
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"114⤵PID:2444
-
C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock115⤵PID:2208
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"116⤵PID:2028
-
C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock117⤵PID:1180
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"118⤵PID:2336
-
C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock119⤵PID:2764
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"120⤵PID:1948
-
C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock121⤵PID:2260
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-05_270ed136d56c54fbfb1966632b078e73_virlock"122⤵PID:2856