Analysis
max time kernel: 150s
max time network: 119s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64 arch:x86 image:win7-20240705-en locale:en-us os:windows7-x64 system
submitted: 08-08-2024 11:27
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
  Resource: win7-20240705-en
Behavioral task: behavioral2
  Sample: 2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
  Resource: win10v2004-20240802-en
General
Target: 2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
Size: 190KB
MD5: e9abc8025a9ead22032dd851ac7084b2
SHA1: f33271921b3645af0c584c3c71b82fc31f835754
SHA256: c02e1a73f36d717a7ad3aebdd64edb1b723d585138521c0a41ce019590bc3ce0
SHA512: a778a0bd89783b7c8bb273b800faa327e336b3ea95a0f7c52266ff2d056060d26999cb637d74ffadf596155455fed203dff6b926ade475ff5c296244bddba40b
SSDEEP: 3072:qgWwh/4OjzH5yAdv2qTFVXF6xs8wy8NGrbw4mzOgcGtJG:X+8dbRzep3bwBOgcU
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 64 IoCs)
description  ioc  Process
Set value (int)  \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"  reg.exe
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  reg.exe
Renames multiple (57) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
description  ioc  Process
Key value queried  \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Control Panel\International\Geo\Nation  XscsQAsE.exe
Deletes itself (1 IoCs)
pid   Process
2352  cmd.exe
Executes dropped EXE (2 IoCs)
pid   Process
2404  XscsQAsE.exe
1764  quYQEQIE.exe
Loads dropped DLL (20 IoCs)
pid   Process
2408  2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
2404  XscsQAsE.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 6 IoCs)
description  ioc  Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\quYQEQIE.exe = "C:\\ProgramData\\FIQgosYI\\quYQEQIE.exe"  quYQEQIE.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\UIwoIkQQ.exe = "C:\\Users\\Admin\\EqcQwUsE\\UIwoIkQQ.exe"  2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\IgIosUwE.exe = "C:\\ProgramData\\JgIQQMYA\\IgIosUwE.exe"  2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\XscsQAsE.exe = "C:\\Users\\Admin\\vwkEcssg\\XscsQAsE.exe"  2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\quYQEQIE.exe = "C:\\ProgramData\\FIQgosYI\\quYQEQIE.exe"  2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\XscsQAsE.exe = "C:\\Users\\Admin\\vwkEcssg\\XscsQAsE.exe"  XscsQAsE.exe
Drops file in Windows directory (1 IoCs)
description  ioc  Process
File opened for modification  \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico  XscsQAsE.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Program crash (2 IoCs)
pid   pid_target  Process       procid_target
1168  1636        WerFault.exe  513
2544  2512        WerFault.exe  514
System Location Discovery: System Language Discovery (1 TTPs, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  reg.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cscript.exe
Modifies registry key (1 TTPs, 64 IoCs)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2404 XscsQAsE.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 2404 XscsQAsE.exe 2404 XscsQAsE.exe 2404 XscsQAsE.exe 2404 XscsQAsE.exe 2404 XscsQAsE.exe 2404 XscsQAsE.exe 2404 XscsQAsE.exe 2404 XscsQAsE.exe 2404 XscsQAsE.exe 2404 XscsQAsE.exe 2404 XscsQAsE.exe 2404 XscsQAsE.exe 2404 XscsQAsE.exe 2404 XscsQAsE.exe 2404 XscsQAsE.exe 2404 XscsQAsE.exe 2404 XscsQAsE.exe 2404 XscsQAsE.exe 2404 XscsQAsE.exe 2404 XscsQAsE.exe 2404 XscsQAsE.exe 2404 XscsQAsE.exe 2404 XscsQAsE.exe 2404 XscsQAsE.exe 2404 XscsQAsE.exe 2404 XscsQAsE.exe 2404 XscsQAsE.exe 2404 XscsQAsE.exe 2404 XscsQAsE.exe 2404 XscsQAsE.exe 2404 XscsQAsE.exe 2404 XscsQAsE.exe 2404 XscsQAsE.exe 2404 XscsQAsE.exe 2404 XscsQAsE.exe 2404 XscsQAsE.exe 2404 XscsQAsE.exe 2404 XscsQAsE.exe 2404 XscsQAsE.exe 2404 XscsQAsE.exe 2404 XscsQAsE.exe 2404 XscsQAsE.exe 2404 XscsQAsE.exe 2404 XscsQAsE.exe 2404 XscsQAsE.exe 2404 XscsQAsE.exe 2404 XscsQAsE.exe 2404 XscsQAsE.exe 2404 XscsQAsE.exe 2404 XscsQAsE.exe 2404 XscsQAsE.exe 2404 XscsQAsE.exe 2404 XscsQAsE.exe 2404 XscsQAsE.exe 2404 XscsQAsE.exe 2404 XscsQAsE.exe 2404 XscsQAsE.exe 2404 XscsQAsE.exe 2404 XscsQAsE.exe 2404 XscsQAsE.exe 2404 XscsQAsE.exe 2404 XscsQAsE.exe 2404 XscsQAsE.exe 2404 XscsQAsE.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2408 wrote to memory of 2404 2408 2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe 30 PID 2408 wrote to memory of 2404 2408 2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe 30 PID 2408 wrote to memory of 2404 2408 2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe 30 PID 2408 wrote to memory of 2404 2408 2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe 30 PID 2408 wrote to memory of 1764 2408 2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe 31 PID 2408 wrote to memory of 1764 2408 2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe 31 PID 2408 wrote to memory of 1764 2408 2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe 31 PID 2408 wrote to memory of 1764 2408 2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe 31 PID 2408 wrote to memory of 284 2408 2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe 32 PID 2408 wrote to memory of 284 2408 2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe 32 PID 2408 wrote to memory of 284 2408 2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe 32 PID 2408 wrote to memory of 284 2408 2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe 32 PID 284 wrote to memory of 2700 284 cmd.exe 34 PID 284 wrote to memory of 2700 284 cmd.exe 34 PID 284 wrote to memory of 2700 284 cmd.exe 34 PID 284 wrote to memory of 2700 284 cmd.exe 34 PID 2408 wrote to memory of 2220 2408 2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe 35 PID 2408 wrote to memory of 2220 2408 2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe 35 PID 2408 wrote to memory of 2220 2408 2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe 35 PID 2408 wrote to memory of 2220 2408 2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe 35 PID 2408 wrote to memory of 2272 2408 2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe 36 PID 2408 wrote to memory of 2272 2408 2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe 36 PID 2408 wrote to memory of 
2272 2408 2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe 36 PID 2408 wrote to memory of 2272 2408 2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe 36 PID 2408 wrote to memory of 1636 2408 2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe 37 PID 2408 wrote to memory of 1636 2408 2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe 37 PID 2408 wrote to memory of 1636 2408 2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe 37 PID 2408 wrote to memory of 1636 2408 2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe 37 PID 2408 wrote to memory of 2876 2408 2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe 38 PID 2408 wrote to memory of 2876 2408 2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe 38 PID 2408 wrote to memory of 2876 2408 2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe 38 PID 2408 wrote to memory of 2876 2408 2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe 38 PID 2876 wrote to memory of 2768 2876 cmd.exe 43 PID 2876 wrote to memory of 2768 2876 cmd.exe 43 PID 2876 wrote to memory of 2768 2876 cmd.exe 43 PID 2876 wrote to memory of 2768 2876 cmd.exe 43 PID 2700 wrote to memory of 2348 2700 2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe 44 PID 2700 wrote to memory of 2348 2700 2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe 44 PID 2700 wrote to memory of 2348 2700 2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe 44 PID 2700 wrote to memory of 2348 2700 2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe 44 PID 2348 wrote to memory of 2652 2348 cmd.exe 46 PID 2348 wrote to memory of 2652 2348 cmd.exe 46 PID 2348 wrote to memory of 2652 2348 cmd.exe 46 PID 2348 wrote to memory of 2652 2348 cmd.exe 46 PID 2700 wrote to memory of 1356 2700 2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe 47 PID 2700 wrote to memory of 1356 2700 2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe 47 PID 2700 wrote to memory of 1356 2700 
2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe 47 PID 2700 wrote to memory of 1356 2700 2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe 47 PID 2700 wrote to memory of 2000 2700 2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe 48 PID 2700 wrote to memory of 2000 2700 2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe 48 PID 2700 wrote to memory of 2000 2700 2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe 48 PID 2700 wrote to memory of 2000 2700 2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe 48 PID 2700 wrote to memory of 1688 2700 2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe 50 PID 2700 wrote to memory of 1688 2700 2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe 50 PID 2700 wrote to memory of 1688 2700 2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe 50 PID 2700 wrote to memory of 1688 2700 2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe 50 PID 2700 wrote to memory of 1932 2700 2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe 53 PID 2700 wrote to memory of 1932 2700 2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe 53 PID 2700 wrote to memory of 1932 2700 2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe 53 PID 2700 wrote to memory of 1932 2700 2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe 53 PID 1932 wrote to memory of 1624 1932 cmd.exe 55 PID 1932 wrote to memory of 1624 1932 cmd.exe 55 PID 1932 wrote to memory of 1624 1932 cmd.exe 55 PID 1932 wrote to memory of 1624 1932 cmd.exe 55
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe"C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2408 -
C:\Users\Admin\vwkEcssg\XscsQAsE.exe"C:\Users\Admin\vwkEcssg\XscsQAsE.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:2404
C:\ProgramData\FIQgosYI\quYQEQIE.exe"C:\ProgramData\FIQgosYI\quYQEQIE.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1764
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"2⤵
- Suspicious use of WriteProcessMemory
PID:284 -
C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2700 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"4⤵
- Suspicious use of WriteProcessMemory
PID:2348 -
C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock5⤵
- Suspicious behavior: EnumeratesProcesses
PID:2652 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"6⤵PID:836
C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock7⤵
- Suspicious behavior: EnumeratesProcesses
PID:2696 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"8⤵PID:2192
C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock9⤵
- Suspicious behavior: EnumeratesProcesses
PID:2588 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"10⤵PID:2788
C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock11⤵
- Suspicious behavior: EnumeratesProcesses
PID:348 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"12⤵PID:1980
C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock13⤵
- Suspicious behavior: EnumeratesProcesses
PID:1716 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"14⤵PID:2880
C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock15⤵
- Suspicious behavior: EnumeratesProcesses
PID:2908 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"16⤵PID:2968
C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock17⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2976 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"18⤵PID:2144
C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock19⤵
- Suspicious behavior: EnumeratesProcesses
PID:1368 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"20⤵PID:2804
C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock21⤵
- Suspicious behavior: EnumeratesProcesses
PID:988 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"22⤵PID:1892
C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock23⤵
- Suspicious behavior: EnumeratesProcesses
PID:772 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"24⤵PID:1472
C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock25⤵
- Suspicious behavior: EnumeratesProcesses
PID:2868 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"26⤵PID:2740
C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock27⤵
- Suspicious behavior: EnumeratesProcesses
PID:1872 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"28⤵PID:1596
C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock29⤵
- Suspicious behavior: EnumeratesProcesses
PID:1740 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"30⤵PID:544
C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock31⤵
- Suspicious behavior: EnumeratesProcesses
PID:1720 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"32⤵PID:2160
C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock33⤵
- Suspicious behavior: EnumeratesProcesses
PID:2300 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"34⤵PID:1588
C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock35⤵
- Suspicious behavior: EnumeratesProcesses
PID:1400 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"36⤵PID:2672
C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock37⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2524 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"38⤵PID:2836
C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock39⤵
- Suspicious behavior: EnumeratesProcesses
PID:2320 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"40⤵PID:2704
C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock41⤵
- Suspicious behavior: EnumeratesProcesses
PID:2532 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"42⤵PID:1552
C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock43⤵
- Suspicious behavior: EnumeratesProcesses
PID:1812 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"44⤵PID:2824
C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock45⤵
- Suspicious behavior: EnumeratesProcesses
PID:1876 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"46⤵PID:2884
C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock47⤵
- Suspicious behavior: EnumeratesProcesses
PID:1436 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"48⤵PID:1044
C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock49⤵
- Suspicious behavior: EnumeratesProcesses
PID:1396 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"50⤵PID:2708
C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock51⤵
- Suspicious behavior: EnumeratesProcesses
PID:2096 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"52⤵PID:2340
C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock53⤵
- Suspicious behavior: EnumeratesProcesses
PID:1368 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"54⤵PID:656
C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock55⤵
- Suspicious behavior: EnumeratesProcesses
PID:2988 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"56⤵PID:2712
C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock57⤵
- Suspicious behavior: EnumeratesProcesses
PID:1476 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"58⤵PID:1312
C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock59⤵
- Suspicious behavior: EnumeratesProcesses
PID:2548 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"60⤵PID:1104
C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock61⤵
- Suspicious behavior: EnumeratesProcesses
PID:2840 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"62⤵PID:2348
C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock63⤵
- Suspicious behavior: EnumeratesProcesses
PID:2332 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"64⤵PID:2316
C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock65⤵PID:2696
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"66⤵PID:1528
C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock67⤵PID:876
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"68⤵PID:2300
C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock69⤵PID:2184
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"70⤵PID:2764
C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock71⤵
- System Location Discovery: System Language Discovery
PID:2984 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"72⤵PID:2492
C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock73⤵PID:2792
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"74⤵PID:1732
C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock75⤵PID:2320
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"76⤵PID:1324
C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock77⤵PID:628
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"78⤵PID:1364
C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock79⤵PID:2752
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"80⤵PID:2644
C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock81⤵
- Adds Run key to start application
PID:1888 -
C:\Users\Admin\EqcQwUsE\UIwoIkQQ.exe"C:\Users\Admin\EqcQwUsE\UIwoIkQQ.exe"82⤵PID:1636
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1636 -s 3683⤵
- Program crash
PID:1168
C:\ProgramData\JgIQQMYA\IgIosUwE.exe"C:\ProgramData\JgIQQMYA\IgIosUwE.exe"82⤵PID:2512
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2512 -s 3683⤵
- Program crash
PID:2544
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"82⤵PID:2716
C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock83⤵PID:1980
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"84⤵PID:1864
C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock85⤵PID:1272
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"86⤵PID:2708
C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock87⤵PID:2552
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"88⤵PID:2952
C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock89⤵PID:2804
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"90⤵PID:2252
C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock91⤵PID:1944
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"92⤵
- System Location Discovery: System Language Discovery
PID:2440 -
C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock93⤵PID:3036
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"94⤵
- System Location Discovery: System Language Discovery
PID:2428 -
C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock95⤵PID:1488
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"96⤵PID:2368
C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock97⤵PID:2088
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"98⤵
- System Location Discovery: System Language Discovery
PID:900 -
C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock99⤵PID:2400
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"100⤵PID:2316
C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock101⤵PID:1584
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"102⤵PID:2864
C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock103⤵PID:1076
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"104⤵PID:2800
C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock105⤵PID:2944
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"106⤵
- System Location Discovery: System Language Discovery
PID:2348 -
C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock107⤵PID:1556
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"108⤵PID:1552
C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock109⤵PID:2416
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"110⤵PID:1068
C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock111⤵PID:2940
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"112⤵PID:1812
C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock113⤵PID:296
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"114⤵
- System Location Discovery: System Language Discovery
PID:1500 -
C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock115⤵PID:1128
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"116⤵PID:2428
C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock117⤵PID:2508
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"118⤵PID:2660
C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock119⤵PID:1544
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"120⤵PID:1536
C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock121⤵PID:1488
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-08_e9abc8025a9ead22032dd851ac7084b2_virlock"122⤵PID:2728