Analysis

max time kernel: 150s
max time network: 130s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 13-09-2024 10:57
Static task: static1

Behavioral task: behavioral1
Sample: 2024-09-13_aff947a392882d6abeaa90330f647cd8_virlock.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: 2024-09-13_aff947a392882d6abeaa90330f647cd8_virlock.exe
Resource: win10v2004-20240802-en
General

Target: 2024-09-13_aff947a392882d6abeaa90330f647cd8_virlock.exe
Size: 192KB
MD5: aff947a392882d6abeaa90330f647cd8
SHA1: f13f3cc8392466822894409344866064830203fd
SHA256: cafbd0fa597ec2d3a5380bed64c1248e6515337d1c296540c67b9b79c303df0c
SHA512: 23eb4e922ca480654f60127d781f606320e99abbade517f161670f881a959d522198683fc08b26ba7316c2cfd371189474eed86363e91df487a2ca7d227026c5
SSDEEP: 3072:xXtCcXcL97sQy5OKXyaF2WoykWJTm0AWWg84eGhRpRSd:xXMyYuT5OKiaFjowSF4bTSd
Malware Config

Signatures

Modifies visibility of file extensions in Explorer (2 TTPs, 64 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | reg.exe
(remaining rows are repeats of the above)

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
(remaining rows are repeats of the above)
Renames multiple (65) files with added filename extension
This suggests ransomware activity: encrypting all the files on the system.
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\International\Geo\Nation | acEAwwMc.exe
Executes dropped EXE (2 IoCs)
pid | Process
2292 | acEAwwMc.exe
2972 | wggkAIQs.exe
Loads dropped DLL (20 IoCs)
pid | Process
2260 | 2024-09-13_aff947a392882d6abeaa90330f647cd8_virlock.exe
2292 | acEAwwMc.exe
(remaining rows are repeats of the above)
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 6 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\acEAwwMc.exe = "C:\\Users\\Admin\\QewYsYwA\\acEAwwMc.exe" | 2024-09-13_aff947a392882d6abeaa90330f647cd8_virlock.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wggkAIQs.exe = "C:\\ProgramData\\sOQcQQgk\\wggkAIQs.exe" | 2024-09-13_aff947a392882d6abeaa90330f647cd8_virlock.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\acEAwwMc.exe = "C:\\Users\\Admin\\QewYsYwA\\acEAwwMc.exe" | acEAwwMc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wggkAIQs.exe = "C:\\ProgramData\\sOQcQQgk\\wggkAIQs.exe" | wggkAIQs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\WMcccEME.exe = "C:\\Users\\Admin\\tkgYkAsg\\WMcccEME.exe" | 2024-09-13_aff947a392882d6abeaa90330f647cd8_virlock.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mWQEkgkk.exe = "C:\\ProgramData\\YugIUsgQ\\mWQEkgkk.exe" | 2024-09-13_aff947a392882d6abeaa90330f647cd8_virlock.exe
Drops file in Windows directory (1 IoC)
description | ioc | Process
File opened for modification | \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico | acEAwwMc.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Program crash (2 IoCs)
pid | pid_target | Process | procid_target
1980 | 1472 | WerFault.exe | 574
1180 | 2712 | WerFault.exe | 573
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cscript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2024-09-13_aff947a392882d6abeaa90330f647cd8_virlock.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mWQEkgkk.exe
(remaining rows are repeats of the above)
Modifies registry key (1 TTP, 64 IoCs)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid   Process
2292  acEAwwMc.exe
Suspicious use of FindShellTrayWindow 64 IoCs
pid   Process
2292  acEAwwMc.exe
(The same entry, PID 2292 acEAwwMc.exe, is recorded 64 times in the report.)
Suspicious use of WriteProcessMemory 64 IoCs
description                        pid   Process                                                   procid_target
PID 2260 wrote to memory of 2292   2260  2024-09-13_aff947a392882d6abeaa90330f647cd8_virlock.exe  30
PID 2260 wrote to memory of 2972   2260  2024-09-13_aff947a392882d6abeaa90330f647cd8_virlock.exe  31
PID 2260 wrote to memory of 768    2260  2024-09-13_aff947a392882d6abeaa90330f647cd8_virlock.exe  32
PID 2260 wrote to memory of 3052   2260  2024-09-13_aff947a392882d6abeaa90330f647cd8_virlock.exe  34
PID 2260 wrote to memory of 2672   2260  2024-09-13_aff947a392882d6abeaa90330f647cd8_virlock.exe  35
PID 2260 wrote to memory of 1868   2260  2024-09-13_aff947a392882d6abeaa90330f647cd8_virlock.exe  36
PID 2260 wrote to memory of 2736   2260  2024-09-13_aff947a392882d6abeaa90330f647cd8_virlock.exe  37
PID 768 wrote to memory of 2784    768   cmd.exe                                                   38
PID 2736 wrote to memory of 2844   2736  cmd.exe                                                   43
PID 2784 wrote to memory of 2644   2784  2024-09-13_aff947a392882d6abeaa90330f647cd8_virlock.exe  44
PID 2644 wrote to memory of 2632   2644  cmd.exe                                                   47
PID 2784 wrote to memory of 3040   2784  2024-09-13_aff947a392882d6abeaa90330f647cd8_virlock.exe  46
PID 2784 wrote to memory of 2344   2784  2024-09-13_aff947a392882d6abeaa90330f647cd8_virlock.exe  48
PID 2784 wrote to memory of 1356   2784  2024-09-13_aff947a392882d6abeaa90330f647cd8_virlock.exe  49
PID 2784 wrote to memory of 1088   2784  2024-09-13_aff947a392882d6abeaa90330f647cd8_virlock.exe  50
PID 1088 wrote to memory of 2028   1088  cmd.exe                                                   55
(Each of the 16 rows above is recorded four times in the report, which gives the 64 IoCs.)
Processes

Process tree, one process per line: depth in the tree, PID, image path, command line, and the behavior flags the sandbox attached to that process (no bracket means no flags). Two abbreviations keep the lines readable:
  T   = C:\Users\Admin\AppData\Local\Temp\2024-09-13_aff947a392882d6abeaa90330f647cd8_virlock
  CMD = C:\Windows\SysWOW64\cmd.exe
T.exe is the sample image; the command lines below use T with and without the .exe suffix exactly as the report records them.

depth 1    PID 2260  T.exe   cmdline: "T.exe"   [Loads dropped DLL; Adds Run key to start application; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory]
depth 2    PID 2292  C:\Users\Admin\QewYsYwA\acEAwwMc.exe   cmdline: "C:\Users\Admin\QewYsYwA\acEAwwMc.exe"   [Checks computer location settings; Executes dropped EXE; Loads dropped DLL; Adds Run key to start application; Drops file in Windows directory; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of FindShellTrayWindow]
depth 2    PID 2972  C:\ProgramData\sOQcQQgk\wggkAIQs.exe   cmdline: "C:\ProgramData\sOQcQQgk\wggkAIQs.exe"   [Executes dropped EXE; Adds Run key to start application]
depth 2    PID 768   CMD   cmdline: cmd /c "T"   [Suspicious use of WriteProcessMemory]
depth 3    PID 2784  T.exe   cmdline: T   [Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory]
depth 4    PID 2644  CMD   cmdline: cmd /c "T"   [Suspicious use of WriteProcessMemory]
depth 5    PID 2632  T.exe   cmdline: T   [System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses]
depth 6    PID 2396  CMD   cmdline: cmd /c "T"
depth 7    PID 464   T.exe   cmdline: T   [Suspicious behavior: EnumeratesProcesses]
depth 8    PID 2236  CMD   cmdline: cmd /c "T"
depth 9    PID 2856  T.exe   cmdline: T   [Suspicious behavior: EnumeratesProcesses]
depth 10   PID 1396  CMD   cmdline: cmd /c "T"
depth 11   PID 1548  T.exe   cmdline: T   [Suspicious behavior: EnumeratesProcesses]
depth 12   PID 2496  CMD   cmdline: cmd /c "T"
depth 13   PID 2288  T.exe   cmdline: T   [System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses]
depth 14   PID 2636  CMD   cmdline: cmd /c "T"
depth 15   PID 1944  T.exe   cmdline: T   [Suspicious behavior: EnumeratesProcesses]
depth 16   PID 1668  CMD   cmdline: cmd /c "T"
depth 17   PID 2400  T.exe   cmdline: T   [Suspicious behavior: EnumeratesProcesses]
depth 18   PID 2896  CMD   cmdline: cmd /c "T"   [System Location Discovery: System Language Discovery]
depth 19   PID 2428  T.exe   cmdline: T   [Suspicious behavior: EnumeratesProcesses]
depth 20   PID 2284  CMD   cmdline: cmd /c "T"
depth 21   PID 1508  T.exe   cmdline: T   [Suspicious behavior: EnumeratesProcesses]
depth 22   PID 2132  CMD   cmdline: cmd /c "T"
depth 23   PID 2128  T.exe   cmdline: T   [Suspicious behavior: EnumeratesProcesses]
depth 24   PID 2152  CMD   cmdline: cmd /c "T"
depth 25   PID 2824  T.exe   cmdline: T   [Suspicious behavior: EnumeratesProcesses]
depth 26   PID 2248  CMD   cmdline: cmd /c "T"
depth 27   PID 612   T.exe   cmdline: T   [Suspicious behavior: EnumeratesProcesses]
depth 28   PID 1060  CMD   cmdline: cmd /c "T"
depth 29   PID 1744  T.exe   cmdline: T   [Suspicious behavior: EnumeratesProcesses]
depth 30   PID 1672  CMD   cmdline: cmd /c "T"
depth 31   PID 1932  T.exe   cmdline: T   [Suspicious behavior: EnumeratesProcesses]
depth 32   PID 2216  CMD   cmdline: cmd /c "T"
depth 33   PID 1888  T.exe   cmdline: T   [Suspicious behavior: EnumeratesProcesses]
depth 34   PID 1548  CMD   cmdline: cmd /c "T"
depth 35   PID 264   T.exe   cmdline: T   [Suspicious behavior: EnumeratesProcesses]
depth 36   PID 2832  CMD   cmdline: cmd /c "T"
depth 37   PID 1616  T.exe   cmdline: T   [Suspicious behavior: EnumeratesProcesses]
depth 38   PID 1996  CMD   cmdline: cmd /c "T"
depth 39   PID 1608  T.exe   cmdline: T   [Suspicious behavior: EnumeratesProcesses]
depth 40   PID 1816  CMD   cmdline: cmd /c "T"
depth 41   PID 2636  T.exe   cmdline: T   [Suspicious behavior: EnumeratesProcesses]
depth 42   PID 2428  CMD   cmdline: cmd /c "T"
depth 43   PID 1812  T.exe   cmdline: T   [Suspicious behavior: EnumeratesProcesses]
depth 44   PID 2416  CMD   cmdline: cmd /c "T"
depth 45   PID 2412  T.exe   cmdline: T   [Suspicious behavior: EnumeratesProcesses]
depth 46   PID 3036  CMD   cmdline: cmd /c "T"
depth 47   PID 3016  T.exe   cmdline: T   [Suspicious behavior: EnumeratesProcesses]
depth 48   PID 2920  CMD   cmdline: cmd /c "T"
depth 49   PID 1656  T.exe   cmdline: T   [Suspicious behavior: EnumeratesProcesses]
depth 50   PID 2600  CMD   cmdline: cmd /c "T"
depth 51   PID 1088  T.exe   cmdline: T   [Suspicious behavior: EnumeratesProcesses]
depth 52   PID 2864  CMD   cmdline: cmd /c "T"   [System Location Discovery: System Language Discovery]
depth 53   PID 576   T.exe   cmdline: T   [Suspicious behavior: EnumeratesProcesses]
depth 54   PID 2172  CMD   cmdline: cmd /c "T"
depth 55   PID 2100  T.exe   cmdline: T   [Suspicious behavior: EnumeratesProcesses]
depth 56   PID 944   CMD   cmdline: cmd /c "T"
depth 57   PID 1520  T.exe   cmdline: T   [Suspicious behavior: EnumeratesProcesses]
depth 58   PID 2324  CMD   cmdline: cmd /c "T"
depth 59   PID 1128  T.exe   cmdline: T   [Suspicious behavior: EnumeratesProcesses]
depth 60   PID 840   CMD   cmdline: cmd /c "T"
depth 61   PID 2640  T.exe   cmdline: T   [Suspicious behavior: EnumeratesProcesses]
depth 62   PID 2400  CMD   cmdline: cmd /c "T"
depth 63   PID 2644  T.exe   cmdline: T   [Suspicious behavior: EnumeratesProcesses]
depth 64   PID 2504  CMD   cmdline: cmd /c "T"
depth 65   PID 2444  T.exe   cmdline: T
depth 66   PID 2456  CMD   cmdline: cmd /c "T"
depth 67   PID 2104  T.exe   cmdline: T
depth 68   PID 1704  CMD   cmdline: cmd /c "T"
depth 69   PID 2236  T.exe   cmdline: T
depth 70   PID 2592  CMD   cmdline: cmd /c "T"
depth 71   PID 2612  T.exe   cmdline: T
depth 72   PID 1240  CMD   cmdline: cmd /c "T"
depth 73   PID 2632  T.exe   cmdline: T
depth 74   PID 1288  CMD   cmdline: cmd /c "T"
depth 75   PID 1624  T.exe   cmdline: T
depth 76   PID 2544  CMD   cmdline: cmd /c "T"
depth 77   PID 2856  T.exe   cmdline: T
depth 78   PID 1180  CMD   cmdline: cmd /c "T"
depth 79   PID 2480  T.exe   cmdline: T
depth 80   PID 2964  CMD   cmdline: cmd /c "T"
depth 81   PID 828   T.exe   cmdline: T
depth 82   PID 2152  CMD   cmdline: cmd /c "T"
depth 83   PID 1128  T.exe   cmdline: T
depth 84   PID 2620  CMD   cmdline: cmd /c "T"
depth 85   PID 2364  T.exe   cmdline: T
depth 86   PID 1464  CMD   cmdline: cmd /c "T"
depth 87   PID 1536  T.exe   cmdline: T
depth 88   PID 884   CMD   cmdline: cmd /c "T"
depth 89   PID 2436  T.exe   cmdline: T
depth 90   PID 472   CMD   cmdline: cmd /c "T"
depth 91   PID 2528  T.exe   cmdline: T   [Adds Run key to start application]
depth 92   PID 2712  C:\Users\Admin\tkgYkAsg\WMcccEME.exe   cmdline: "C:\Users\Admin\tkgYkAsg\WMcccEME.exe"
depth 93   PID 1180  C:\Windows\SysWOW64\WerFault.exe   cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2712 -s 36   [Program crash]
depth 92   PID 1472  C:\ProgramData\YugIUsgQ\mWQEkgkk.exe   cmdline: "C:\ProgramData\YugIUsgQ\mWQEkgkk.exe"   [System Location Discovery: System Language Discovery]
depth 93   PID 1980  C:\Windows\SysWOW64\WerFault.exe   cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1472 -s 36   [Program crash]
depth 92   PID 2480  CMD   cmdline: cmd /c "T"
depth 93   PID 2024  T.exe   cmdline: T
depth 94   PID 2248  CMD   cmdline: cmd /c "T"
depth 95   PID 1528  T.exe   cmdline: T
depth 96   PID 752   CMD   cmdline: cmd /c "T"   [System Location Discovery: System Language Discovery]
depth 97   PID 1240  T.exe   cmdline: T
depth 98   PID 680   CMD   cmdline: cmd /c "T"   [System Location Discovery: System Language Discovery]
depth 99   PID 2680  T.exe   cmdline: T
depth 100  PID 284   CMD   cmdline: cmd /c "T"
depth 101  PID 1816  T.exe   cmdline: T
depth 102  PID 1504  CMD   cmdline: cmd /c "T"   [System Location Discovery: System Language Discovery]
depth 103  PID 2844  T.exe   cmdline: T
depth 104  PID 2388  CMD   cmdline: cmd /c "T"   [System Location Discovery: System Language Discovery]
depth 105  PID 1696  T.exe   cmdline: T
depth 106  PID 1932  CMD   cmdline: cmd /c "T"
depth 107  PID 2984  T.exe   cmdline: T
depth 108  PID 2344  CMD   cmdline: cmd /c "T"
depth 109  PID 828   T.exe   cmdline: T   [System Location Discovery: System Language Discovery]
depth 110  PID 1968  CMD   cmdline: cmd /c "T"
depth 111  PID 328   T.exe   cmdline: T
depth 112  PID 3028  CMD   cmdline: cmd /c "T"
depth 113  PID 2012  T.exe   cmdline: T
depth 114  PID 1880  CMD   cmdline: cmd /c "T"
depth 115  PID 920   T.exe   cmdline: T
depth 116  PID 2996  CMD   cmdline: cmd /c "T"   [System Location Discovery: System Language Discovery]
depth 117  PID 1692  T.exe   cmdline: T   [System Location Discovery: System Language Discovery]
depth 118  PID 2900  CMD   cmdline: cmd /c "T"
depth 119  PID 2208  T.exe   cmdline: T
depth 120  PID 1780  CMD   cmdline: cmd /c "T"
depth 121  PID 2028  T.exe   cmdline: T
depth 122  PID 284   CMD   cmdline: cmd /c "T"   [System Location Discovery: System Language Discovery]