Analysis
max time kernel: 150s
max time network: 126s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 09/08/2024, 09:26
Static task: static1
Behavioral task: behavioral1
Sample: 2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
Resource: win7-20240704-en
Behavioral task: behavioral2
Sample: 2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
Resource: win10v2004-20240802-en
General
Target: 2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
Size: 206KB
MD5: 05d20461f13f59e0d898e1d34e023f5c
SHA1: 6ebb248de86aca8ede20ff0e7811ca0e4d50a2fb
SHA256: 974c10091ad320289f4bed8895fa0d2646e5fd0f2dbce3c1adc4f1f14f1b0102
SHA512: d82627e6092d949737adddf1538c1608cde6e80f97ae09797490124676555edc81db50eb23126573cef2620783a2c0cd6418834520adc53ead871bc27759cc8f
SSDEEP: 3072:lSLjO5gXGxvV8znamLjtBfrDMtCpwDpiB3gNiQIhk/IuPoOa/MXYrUGOs5K617:lSLS2G+tTfr4U3gRIGgn/MXdNs7
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process
Key value queried \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Control Panel\International\Geo\Nation XCQoYYgo.exe
Deletes itself 1 IoCs
pid Process
2872 cmd.exe
Executes dropped EXE 2 IoCs
pid Process
1244 XCQoYYgo.exe
2044 heAAEwQs.exe
Loads dropped DLL 20 IoCs
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application 2 TTPs 6 IoCs
description ioc Process
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\XCQoYYgo.exe = "C:\\Users\\Admin\\uEgcMcYY\\XCQoYYgo.exe" 2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\heAAEwQs.exe = "C:\\ProgramData\\OKEAIssI\\heAAEwQs.exe" 2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\XCQoYYgo.exe = "C:\\Users\\Admin\\uEgcMcYY\\XCQoYYgo.exe" XCQoYYgo.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\heAAEwQs.exe = "C:\\ProgramData\\OKEAIssI\\heAAEwQs.exe" heAAEwQs.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\hCskcYkQ.exe = "C:\\Users\\Admin\\nWwUAUAY\\hCskcYkQ.exe" 2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\auswAoAw.exe = "C:\\ProgramData\\AqoAgcMQ\\auswAoAw.exe" 2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe
Drops file in Windows directory 1 IoCs
description ioc Process
File opened for modification \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico XCQoYYgo.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash 2 IoCs
pid pid_target Process procid_target
2508 2656 WerFault.exe 1378
1736 1020 WerFault.exe 1380
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry key 1 TTPs 64 IoCs
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 1244 XCQoYYgo.exe
Suspicious use of FindShellTrayWindow 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes (depth in the process tree, PID, image path, command line, triggered signatures)
depth 1  PID:1412  C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
depth 2  PID:1244  C:\Users\Admin\uEgcMcYY\XCQoYYgo.exe  cmdline: "C:\Users\Admin\uEgcMcYY\XCQoYYgo.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
depth 2  PID:2044  C:\ProgramData\OKEAIssI\heAAEwQs.exe  cmdline: "C:\ProgramData\OKEAIssI\heAAEwQs.exe"
  - Executes dropped EXE
  - Adds Run key to start application
depth 2  PID:2764  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
  - Suspicious use of WriteProcessMemory
depth 3  PID:2644  C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
depth 4  PID:692  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
  - Suspicious use of WriteProcessMemory
depth 5  PID:1572  C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
  - Suspicious behavior: EnumeratesProcesses
depth 6  PID:2840  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
depth 7  PID:2416  C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
  - Suspicious behavior: EnumeratesProcesses
depth 8  PID:1632  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
depth 9  PID:288  C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
  - Suspicious behavior: EnumeratesProcesses
depth 10  PID:1708  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
depth 11  PID:3036  C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
  - Suspicious behavior: EnumeratesProcesses
depth 12  PID:1596  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
depth 13  PID:1284  C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
  - Suspicious behavior: EnumeratesProcesses
depth 14  PID:2896  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
depth 15  PID:2552  C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
  - Suspicious behavior: EnumeratesProcesses
depth 16  PID:1848  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
depth 17  PID:1548  C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
depth 18  PID:1888  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
depth 19  PID:516  C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
  - Suspicious behavior: EnumeratesProcesses
depth 20  PID:1836  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
depth 21  PID:1948  C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
  - Suspicious behavior: EnumeratesProcesses
depth 22  PID:628  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
depth 23  PID:1972  C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
  - Suspicious behavior: EnumeratesProcesses
depth 24  PID:2156  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
depth 25  PID:2828  C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
  - Suspicious behavior: EnumeratesProcesses
depth 26  PID:3000  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
depth 27  PID:1540  C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
  - Suspicious behavior: EnumeratesProcesses
depth 28  PID:2216  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
depth 29  PID:2648  C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
  - Suspicious behavior: EnumeratesProcesses
depth 30  PID:316  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
depth 31  PID:2020  C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
  - Suspicious behavior: EnumeratesProcesses
depth 32  PID:1492  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
  - System Location Discovery: System Language Discovery
depth 33  PID:2220  C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
  - Suspicious behavior: EnumeratesProcesses
depth 34  PID:1628  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
depth 35  PID:2900  C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
  - Suspicious behavior: EnumeratesProcesses
depth 36  PID:2748  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
depth 37  PID:1616  C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
  - Suspicious behavior: EnumeratesProcesses
depth 38  PID:692  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
depth 39  PID:2368  C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
  - Suspicious behavior: EnumeratesProcesses
depth 40  PID:2364  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
depth 41  PID:964  C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
  - Suspicious behavior: EnumeratesProcesses
depth 42  PID:1716  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
depth 43  PID:2104  C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
  - Suspicious behavior: EnumeratesProcesses
depth 44  PID:1708  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
depth 45  PID:1956  C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
  - Suspicious behavior: EnumeratesProcesses
depth 46  PID:2472  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
  - System Location Discovery: System Language Discovery
depth 47  PID:2960  C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
  - Suspicious behavior: EnumeratesProcesses
depth 48  PID:2812  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
depth 49  PID:2644  C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
  - Suspicious behavior: EnumeratesProcesses
depth 50  PID:1840  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
depth 51  PID:320  C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
  - Suspicious behavior: EnumeratesProcesses
depth 52  PID:2000  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
depth 53  PID:2420  C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
  - Suspicious behavior: EnumeratesProcesses
depth 54  PID:764  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
depth 55  PID:1380  C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
  - Suspicious behavior: EnumeratesProcesses
depth 56  PID:1412  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
depth 57  PID:2892  C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
  - Suspicious behavior: EnumeratesProcesses
depth 58  PID:1372  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
depth 59  PID:2508  C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
  - Suspicious behavior: EnumeratesProcesses
depth 60  PID:1484  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
depth 61  PID:2500  C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
  - Suspicious behavior: EnumeratesProcesses
depth 62  PID:1156  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
depth 63  PID:880  C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
  - Suspicious behavior: EnumeratesProcesses
depth 64  PID:2656  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
depth 65  PID:1940  C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
depth 66  PID:316  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
depth 67  PID:1204  C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
depth 68  PID:2512  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
depth 69  PID:572  C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
depth 70  PID:2384  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
depth 71  PID:1956  C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
depth 72  PID:2692  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
  - System Location Discovery: System Language Discovery
depth 73  PID:2848  C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
depth 74  PID:988  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
depth 75  PID:2720  C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
depth 76  PID:1924  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
depth 77  PID:1848  C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
depth 78  PID:2952  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
depth 79  PID:2752  C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
depth 80  PID:2360  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
depth 81  PID:1508  C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
depth 82  PID:1140  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
  - System Location Discovery: System Language Discovery
depth 83  PID:2668  C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
depth 84  PID:2912  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
depth 85  PID:2536  C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
depth 86  PID:324  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
  - System Location Discovery: System Language Discovery
depth 87  PID:964  C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
depth 88  PID:1924  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
depth 89  PID:844  C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
depth 90  PID:1596  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
depth 91  PID:2552  C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
depth 92  PID:912  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
depth 93  PID:2644  C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
depth 94  PID:1632  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
depth 95  PID:1940  C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
depth 96  PID:112  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
depth 97  PID:1736  C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
depth 98  PID:2748  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
depth 99  PID:1440  C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
depth 100  PID:1148  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
depth 101  PID:872  C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
depth 102  PID:1460  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
depth 103  PID:2604  C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
depth 104  PID:1140  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
depth 105  PID:1552  C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
depth 106  PID:2124  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
depth 107  PID:1832  C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
depth 108  PID:1236  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
depth 109  PID:2164  C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
depth 110  PID:1956  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
depth 111  PID:2156  C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
depth 112  PID:1068  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
  - System Location Discovery: System Language Discovery
depth 113  PID:2756  C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
  - System Location Discovery: System Language Discovery
depth 114  PID:1924  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
depth 115  PID:2780  C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
depth 116  PID:2960  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
depth 117  PID:2508  C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
  - System Location Discovery: System Language Discovery
depth 118  PID:2836  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
depth 119  PID:1712  C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
depth 120  PID:2904  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"
depth 121  PID:1848  C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock
depth 122  PID:2928  C:\Windows\SysWOW64\cmd.exe  cmdline: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-08-09_05d20461f13f59e0d898e1d34e023f5c_virlock"