Analysis
max time kernel: 150s
max time network: 62s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
submitted: 19/09/2024, 16:22
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock.exe
  Resource: win10v2004-20240802-en
General
Target: 2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock.exe
Size: 211KB
MD5: 305450caaf5602c1b950bb8a29ccc76c
SHA1: c234a74d251ef75d0d2f3e9955858f736ea4c54c
SHA256: c50dc8d77822382a07cfad62a25c1dc6c48efb02f6cba4c3152fab29f33533ff
SHA512: e9766d2b923164b52cb4bb5266d5e8b34c7035550122b401a08cbf1799669cf718bafbc80f4ea62fe8ea9b6db3413a80eb0a39d11edb8465b5c0b15fbf823541
SSDEEP: 6144:rom6zra4Z4Nuq+Pd9b3odLjXIIesSwcEqo+DaZKn:r/6zra4Z4Nuq+Pd9b3odLj4pHwcEqo+b
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 64 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | reg.exe (64 identical entries)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe (identical entry repeated for every reg.exe invocation in the listing)
Renames multiple (59) files with added filename extension
This suggests ransomware activity, i.e. encrypting all the files on the system.
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely for geofencing.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\International\Geo\Nation | wEkAMogE.exe
Deletes itself (1 IoC)
pid | Process
856 | cmd.exe

Executes dropped EXE (2 IoCs)
pid | Process
2684 | MOIAQccQ.exe
2736 | wEkAMogE.exe

Loads dropped DLL (20 IoCs)
pid | Process
2400 | 2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock.exe (4 entries)
2736 | wEkAMogE.exe (16 entries)
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wEkAMogE.exe = "C:\\ProgramData\\cmgcIcYE\\wEkAMogE.exe" | 2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wEkAMogE.exe = "C:\\ProgramData\\cmgcIcYE\\wEkAMogE.exe" | wEkAMogE.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\MOIAQccQ.exe = "C:\\Users\\Admin\\YcQAgEQc\\MOIAQccQ.exe" | MOIAQccQ.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\MOIAQccQ.exe = "C:\\Users\\Admin\\YcQAgEQc\\MOIAQccQ.exe" | 2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock.exe

Drops file in Windows directory (1 IoC)
description | ioc | Process
File opened for modification | \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico | wEkAMogE.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim host in order to infer its geographical location.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe, cmd.exe, cscript.exe and 2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock.exe (64 entries, each opening the same key)
Modifies registry key (1 TTP, 64 IoCs)
Process: reg.exe
PIDs: 2976, 2584, 2812, 2060, 2108, 2704, 2932, 2552, 2616, 824, 1768, 2296, 2576, 2636, 1580, 2676, 2732, 320, 2992, 844, 896, 2500, 3012, 1772, 772, 2420, 3064, 1572, 1076, 2880, 3028, 1484, 1040, 856, 700, 316, 396, 2340, 3060, 2360, 2416, 2960, 1044, 1164, 2292, 2248, 1268, 2060, 2400, 1612, 2460, 3064, 2636, 2784, 1752, 2896, 2500, 528, 1612, 1416, 2836, 2732, 2688, 2480
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Process: 2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock.exe
PIDs (each listed twice): 2400, 2704, 2420, 636, 1324, 608, 2972, 3056, 3068, 380, 2152, 1620, 2664, 2928, 2868, 2248, 856, 2172, 1708, 2704, 1232, 1860, 1736, 2784, 2020, 3060, 2108, 2036, 1860, 2572, 2524, 2928
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2736 wEkAMogE.exe
Suspicious use of FindShellTrayWindow 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes

[depth 1] PID 2400
  Image: C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

[depth 2] PID 2684
  Image: C:\Users\Admin\YcQAgEQc\MOIAQccQ.exe
  Command line: "C:\Users\Admin\YcQAgEQc\MOIAQccQ.exe"
  - Executes dropped EXE
  - Adds Run key to start application

[depth 2] PID 2736
  Image: C:\ProgramData\cmgcIcYE\wEkAMogE.exe
  Command line: "C:\ProgramData\cmgcIcYE\wEkAMogE.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow

[depth 2] PID 2912
  Image: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock"
  - Suspicious use of WriteProcessMemory

[depth 3] PID 2704
  Image: C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

[depth 4] PID 2980
  Image: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock"
  - Suspicious use of WriteProcessMemory

[depth 5] PID 2420
  Image: C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock
  - Suspicious behavior: EnumeratesProcesses

[depth 6] PID 324
  Image: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock"

[depth 7] PID 636
  Image: C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock
  - Suspicious behavior: EnumeratesProcesses

[depth 8] PID 1320
  Image: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock"

[depth 9] PID 1324
  Image: C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock
  - Suspicious behavior: EnumeratesProcesses

[depth 10] PID 2372
  Image: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock"

[depth 11] PID 608
  Image: C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock
  - Suspicious behavior: EnumeratesProcesses

[depth 12] PID 1692
  Image: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock"

[depth 13] PID 2972
  Image: C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock
  - Suspicious behavior: EnumeratesProcesses

[depth 14] PID 2584
  Image: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock"

[depth 15] PID 3056
  Image: C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock
  - Suspicious behavior: EnumeratesProcesses

[depth 16] PID 2112
  Image: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock"

[depth 17] PID 3068
  Image: C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock
  - Suspicious behavior: EnumeratesProcesses

[depth 18] PID 2340
  Image: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock"

[depth 19] PID 380
  Image: C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock
  - Suspicious behavior: EnumeratesProcesses

[depth 20] PID 772
  Image: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock"

[depth 21] PID 2152
  Image: C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock
  - Suspicious behavior: EnumeratesProcesses

[depth 22] PID 396
  Image: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock"

[depth 23] PID 1620
  Image: C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock
  - Suspicious behavior: EnumeratesProcesses

[depth 24] PID 2672
  Image: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock"

[depth 25] PID 2664
  Image: C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock
  - Suspicious behavior: EnumeratesProcesses

[depth 26] PID 804
  Image: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock"
  - System Location Discovery: System Language Discovery

[depth 27] PID 2928
  Image: C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock
  - Suspicious behavior: EnumeratesProcesses

[depth 28] PID 3040
  Image: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock"

[depth 29] PID 2868
  Image: C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock
  - Suspicious behavior: EnumeratesProcesses

[depth 30] PID 1844
  Image: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock"

[depth 31] PID 2248
  Image: C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock
  - Suspicious behavior: EnumeratesProcesses

[depth 32] PID 2416
  Image: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock"

[depth 33] PID 856
  Image: C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock
  - Suspicious behavior: EnumeratesProcesses

[depth 34] PID 2428
  Image: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock"

[depth 35] PID 2172
  Image: C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock
  - Suspicious behavior: EnumeratesProcesses

[depth 36] PID 2180
  Image: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock"

[depth 37] PID 1708
  Image: C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses

[depth 38] PID 2156
  Image: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock"

[depth 39] PID 2704
  Image: C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock
  - Suspicious behavior: EnumeratesProcesses

[depth 40] PID 2376
  Image: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock"

[depth 41] PID 1232
  Image: C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock
  - Suspicious behavior: EnumeratesProcesses

[depth 42] PID 2876
  Image: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock"

[depth 43] PID 1860
  Image: C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock
  - Suspicious behavior: EnumeratesProcesses

[depth 44] PID 2220
  Image: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock"

[depth 45] PID 1736
  Image: C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock
  - Suspicious behavior: EnumeratesProcesses

[depth 46] PID 2696
  Image: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock"

[depth 47] PID 2784
  Image: C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock
  - Suspicious behavior: EnumeratesProcesses

[depth 48] PID 1572
  Image: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock"

[depth 49] PID 2020
  Image: C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock
  - Suspicious behavior: EnumeratesProcesses

[depth 50] PID 1300
  Image: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock"

[depth 51] PID 3060
  Image: C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock
  - Suspicious behavior: EnumeratesProcesses

[depth 52] PID 2156
  Image: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock"

[depth 53] PID 2108
  Image: C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock
  - Suspicious behavior: EnumeratesProcesses

[depth 54] PID 1148
  Image: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock"

[depth 55] PID 2036
  Image: C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock
  - Suspicious behavior: EnumeratesProcesses

[depth 56] PID 2288
  Image: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock"

[depth 57] PID 1860
  Image: C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock
  - Suspicious behavior: EnumeratesProcesses

[depth 58] PID 2688
  Image: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock"

[depth 59] PID 2572
  Image: C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock
  - Suspicious behavior: EnumeratesProcesses

[depth 60] PID 2772
  Image: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock"

[depth 61] PID 2524
  Image: C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock
  - Suspicious behavior: EnumeratesProcesses

[depth 62] PID 1236
  Image: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock"

[depth 63] PID 2928
  Image: C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock
  - Suspicious behavior: EnumeratesProcesses

[depth 64] PID 2484
  Image: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock"

[depth 65] PID 1924
  Image: C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock

[depth 66] PID 1844
  Image: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock"
  - System Location Discovery: System Language Discovery

[depth 67] PID 1240
  Image: C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock

[depth 68] PID 2388
  Image: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock"

[depth 69] PID 2152
  Image: C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock

[depth 70] PID 1692
  Image: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock"

[depth 71] PID 1900
  Image: C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock
  - System Location Discovery: System Language Discovery

[depth 72] PID 2176
  Image: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock"

[depth 73] PID 2832
  Image: C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock

[depth 74] PID 3012
  Image: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock"
  - System Location Discovery: System Language Discovery

[depth 75] PID 1348
  Image: C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock

[depth 76] PID 380
  Image: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock"

[depth 77] PID 2508
  Image: C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock

[depth 78] PID 2272
  Image: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock"

[depth 79] PID 2876
  Image: C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock

[depth 80] PID 2976
  Image: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock"

[depth 81] PID 1928
  Image: C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock

[depth 82] PID 2212
  Image: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock"

[depth 83] PID 1688
  Image: C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock

[depth 84] PID 2172
  Image: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock"

[depth 85] PID 2996
  Image: C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock

[depth 86] PID 1100
  Image: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock"

[depth 87] PID 1328
  Image: C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock

[depth 88] PID 3016
  Image: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock"

[depth 89] PID 556
  Image: C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock

[depth 90] PID 2508
  Image: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock"

[depth 91] PID 1912
  Image: C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock

[depth 92] PID 2732
  Image: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock"

[depth 93] PID 608
  Image: C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock

[depth 94] PID 2672
  Image: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock"

[depth 95] PID 1952
  Image: C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock

[depth 96] PID 2020
  Image: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock"
  - System Location Discovery: System Language Discovery

[depth 97] PID 3056
  Image: C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock

[depth 98] PID 2964
  Image: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock"

[depth 99] PID 2440
  Image: C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock

[depth 100] PID 2484
  Image: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock"
  - System Location Discovery: System Language Discovery

[depth 101] PID 2248
  Image: C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock

[depth 102] PID 2124
  Image: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock"

[depth 103] PID 1468
  Image: C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock

[depth 104] PID 1080
  Image: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock"

[depth 105] PID 2408
  Image: C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock

[depth 106] PID 872
  Image: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock"

[depth 107] PID 2836
  Image: C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock

[depth 108] PID 2212
  Image: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock"

[depth 109] PID 2300
  Image: C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock

[depth 110] PID 1508
  Image: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock"

[depth 111] PID 2748
  Image: C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock

[depth 112] PID 2080
  Image: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock"

[depth 113] PID 1476
  Image: C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock

[depth 114] PID 3016
  Image: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock"

[depth 115] PID 2536
  Image: C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock
  - System Location Discovery: System Language Discovery

[depth 116] PID 1784
  Image: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock"
  - System Location Discovery: System Language Discovery

[depth 117] PID 2408
  Image: C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock
  - System Location Discovery: System Language Discovery

[depth 118] PID 2920
  Image: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock"

[depth 119] PID 1688
  Image: C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock

[depth 120] PID 2544
  Image: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock"

[depth 121] PID 2520
  Image: C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock

[depth 122] PID 844
  Image: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock"