Analysis
max time kernel: 150s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13/10/2024, 16:53

Static task: static1

Behavioral task: behavioral1
Sample: 2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: 2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
Resource: win10v2004-20241007-en
General
Target: 2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
Size: 140KB
MD5: ad7bb4d0b054545954fcdec26bf7bf7d
SHA1: bc046bf7bce6a468fbc1758c0bc726fef522e232
SHA256: 3b91d82a5858cdecbb1a108570b061ddc81b79910f0e19c08e7a984c7f0c32b7
SHA512: 0d2b3d3703cafaa334b7b1021e8f78e058633284d704cff0c9aafdcc2a234fb7034d06d3b827e3d112f9a20ca094fe641bf55989c303bf053f28078b36d46697
SSDEEP: 3072:CBehCANLxmj42ycaA3NSUp7TndGfR89B+/2K4Ka:CBwj32ycaA3N/pc58v+/2K4Ka
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 64 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | reg.exe (62 entries)
Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | Process not Found (2 entries)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe (63 entries)
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Process not Found (1 entry)
Renames multiple (82) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | JSsoQQgM.exe
Executes dropped EXE (2 IoCs)
pid | Process
3860 | zkEQEokg.exe
548 | JSsoQQgM.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zkEQEokg.exe = "C:\\Users\\Admin\\iyYAIcgI\\zkEQEokg.exe" | 2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JSsoQQgM.exe = "C:\\ProgramData\\LEcYMYgU\\JSsoQQgM.exe" | 2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zkEQEokg.exe = "C:\\Users\\Admin\\iyYAIcgI\\zkEQEokg.exe" | zkEQEokg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JSsoQQgM.exe = "C:\\ProgramData\\LEcYMYgU\\JSsoQQgM.exe" | JSsoQQgM.exe
Drops file in System32 directory (2 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\shell32.dll.exe | JSsoQQgM.exe
File opened for modification | C:\Windows\SysWOW64\shell32.dll.exe | JSsoQQgM.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process (64 entries, grouped by process)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe (23 entries)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe (15 entries)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe (12 entries)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cscript.exe (11 entries)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found (3 entries)
Modifies registry key (1 TTPs, 64 IoCs)
pid | Process
reg.exe (62 entries), pids in report order: 4196, 2340, 528, 2184, 4512, 1308, 4508, 4496, 4904, 3224, 3180, 4004, 2192, 1632, 3792, 4716, 3448, 2160, 2396, 4384, 4720, 4352, 4940, 2276, 3444, 3164, 4188, 4508, 2328, 2276, 3448, 916, 3248, 1952, 2192, 4524, 4660, 2772, 1016, 4052, 832, 3140, 904, 5096, 3608, 1972, 4864, 4920, 2664, 1824, 368, 3152, 3408, 1716, 3328, 4940, 1996, 1392, 3460, 316, 2152, 4300
Process not Found (2 entries), pids: 4460, 1720
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
Each of the following pids of 2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe is listed 4 times, in report order: 2664, 4520, 5048, 4504, 4776, 4460, 1480, 3824, 1392, 4592, 3864, 4520, 2456, 1036, 4856, 4404
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
pid | Process
548 | JSsoQQgM.exe
Suspicious use of FindShellTrayWindow (64 IoCs)
pid | Process
548 | JSsoQQgM.exe (64 entries)
Suspicious use of WriteProcessMemory 64 IoCs
Processes

[depth 1] C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe PID:2664
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe"
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory

[depth 2] C:\Users\Admin\iyYAIcgI\zkEQEokg.exe PID:3860
Command line: "C:\Users\Admin\iyYAIcgI\zkEQEokg.exe"
- Executes dropped EXE
- Adds Run key to start application

[depth 2] C:\ProgramData\LEcYMYgU\JSsoQQgM.exe PID:548
Command line: "C:\ProgramData\LEcYMYgU\JSsoQQgM.exe"
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow

[depth 2] C:\Windows\SysWOW64\cmd.exe PID:2568
Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"
- Suspicious use of WriteProcessMemory

[depth 3] C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe PID:4520
Command line: C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory

[depth 4] C:\Windows\SysWOW64\cmd.exe PID:2316
Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"
- Suspicious use of WriteProcessMemory

[depth 5] C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe PID:5048
Command line: C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory

[depth 6] C:\Windows\SysWOW64\cmd.exe PID:528
Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"
- Suspicious use of WriteProcessMemory

[depth 7] C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe PID:4504
Command line: C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
- Suspicious behavior: EnumeratesProcesses

[depth 8] C:\Windows\SysWOW64\cmd.exe PID:1988
Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"

[depth 9] C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe PID:4776
Command line: C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
- Suspicious behavior: EnumeratesProcesses

[depth 10] C:\Windows\SysWOW64\cmd.exe PID:1728
Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"

[depth 11] C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe PID:4460
Command line: C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
- Suspicious behavior: EnumeratesProcesses

[depth 12] C:\Windows\SysWOW64\cmd.exe PID:868
Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"

[depth 13] C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe PID:1480
Command line: C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
- Suspicious behavior: EnumeratesProcesses

[depth 14] C:\Windows\SysWOW64\cmd.exe PID:228
Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"

[depth 15] C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe PID:3824
Command line: C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
- Suspicious behavior: EnumeratesProcesses

[depth 16] C:\Windows\SysWOW64\cmd.exe PID:3408
Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"

[depth 17] C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe PID:1392
Command line: C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
- Suspicious behavior: EnumeratesProcesses

[depth 18] C:\Windows\SysWOW64\cmd.exe PID:4932
Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"

[depth 19] C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe PID:4592
Command line: C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
- Suspicious behavior: EnumeratesProcesses

[depth 20] C:\Windows\SysWOW64\cmd.exe PID:2540
Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"

[depth 21] C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe PID:3864
Command line: C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses

[depth 22] C:\Windows\SysWOW64\cmd.exe PID:3764
Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"

[depth 23] C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe PID:4520
Command line: C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
- Suspicious behavior: EnumeratesProcesses

[depth 24] C:\Windows\SysWOW64\cmd.exe PID:2712
Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"

[depth 25] C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe PID:2456
Command line: C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses

[depth 26] C:\Windows\SysWOW64\cmd.exe PID:636
Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"

[depth 27] C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe PID:1036
Command line: C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
- Suspicious behavior: EnumeratesProcesses

[depth 28] C:\Windows\SysWOW64\cmd.exe PID:4200
Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"

[depth 29] C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe PID:4856
Command line: C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
- Suspicious behavior: EnumeratesProcesses

[depth 30] C:\Windows\SysWOW64\cmd.exe PID:3012
Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"

[depth 31] C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe PID:4404
Command line: C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
- Suspicious behavior: EnumeratesProcesses

[depth 32] C:\Windows\SysWOW64\cmd.exe PID:5044
Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"

[depth 33] C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe PID:1516
Command line: C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock

[depth 34] C:\Windows\SysWOW64\cmd.exe PID:3684
Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"
- System Location Discovery: System Language Discovery

[depth 35] C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe PID:2456
Command line: C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock

[depth 36] C:\Windows\SysWOW64\cmd.exe PID:3000
Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"

[depth 37] C:\Windows\System32\Conhost.exe PID:4896
Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

[depth 37] C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe PID:832
Command line: C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock

[depth 38] C:\Windows\SysWOW64\cmd.exe PID:4980
Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"

[depth 39] C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe PID:1016
Command line: C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock

[depth 40] C:\Windows\SysWOW64\cmd.exe PID:216
Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"

[depth 41] C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe PID:1744
Command line: C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock

[depth 42] C:\Windows\SysWOW64\cmd.exe PID:4996
Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"

[depth 43] C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe PID:2404
Command line: C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock

[depth 44] C:\Windows\SysWOW64\cmd.exe PID:1996
Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"

[depth 45] C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe PID:4752
Command line: C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock

[depth 46] C:\Windows\SysWOW64\cmd.exe PID:3472
Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"
- System Location Discovery: System Language Discovery

[depth 47] C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe PID:2324
Command line: C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock

[depth 48] C:\Windows\SysWOW64\cmd.exe PID:408
Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"

[depth 49] C:\Windows\System32\Conhost.exe PID:832
Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

[depth 49] C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe PID:4692
Command line: C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock

[depth 50] C:\Windows\SysWOW64\cmd.exe PID:1228
Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"

[depth 51] C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe PID:3144
Command line: C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock

[depth 52] C:\Windows\SysWOW64\cmd.exe PID:2772
Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"

[depth 53] C:\Windows\System32\Conhost.exe PID:4084
Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

[depth 53] C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe PID:3988
Command line: C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock

[depth 54] C:\Windows\SysWOW64\cmd.exe PID:4040
Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"

[depth 55] C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe PID:1600
Command line: C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock

[depth 56] C:\Windows\SysWOW64\cmd.exe PID:2000
Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"

[depth 57] C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe PID:3940
Command line: C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock

[depth 58] C:\Windows\SysWOW64\cmd.exe PID:2328
Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"

[depth 59] C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe PID:4760
Command line: C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock

[depth 60] C:\Windows\SysWOW64\cmd.exe PID:4896
Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"

[depth 61] C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe PID:1308
Command line: C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock

[depth 62] C:\Windows\SysWOW64\cmd.exe PID:3220
Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"

[depth 63] C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe PID:3948
Command line: C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock

[depth 64] C:\Windows\SysWOW64\cmd.exe PID:3076
Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"

[depth 65] C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe PID:2356
Command line: C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock

[depth 66] C:\Windows\SysWOW64\cmd.exe PID:3448
Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"

[depth 67] C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe PID:4272
Command line: C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock

[depth 68] C:\Windows\SysWOW64\cmd.exe PID:3180
Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"

[depth 69] C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe PID:2000
Command line: C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock

[depth 70] C:\Windows\SysWOW64\cmd.exe PID:1416
Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"

[depth 71] C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe PID:3476
Command line: C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock

[depth 72] C:\Windows\SysWOW64\cmd.exe PID:4388
Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"

[depth 73] C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe PID:1228
Command line: C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock

[depth 74] C:\Windows\SysWOW64\cmd.exe PID:2224
Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"

[depth 75] C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe PID:4032
Command line: C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock

[depth 76] C:\Windows\SysWOW64\cmd.exe PID:1676
Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"

[depth 77] C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe PID:2400
Command line: C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock

[depth 78] C:\Windows\SysWOW64\cmd.exe PID:2408
Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"

[depth 79] C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe PID:4272
Command line: C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
- System Location Discovery: System Language Discovery

[depth 80] C:\Windows\SysWOW64\cmd.exe PID:3980
Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"

[depth 81] C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe PID:3180
Command line: C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock

[depth 82] C:\Windows\SysWOW64\cmd.exe PID:100
Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"

[depth 83] C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe PID:1476
Command line: C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock

[depth 84] C:\Windows\SysWOW64\cmd.exe PID:3256
Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"

[depth 85] C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe PID:4432
Command line: C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock

[depth 86] C:\Windows\SysWOW64\cmd.exe PID:4840
Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"

[depth 87] C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe PID:1656
Command line: C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock

[depth 88] C:\Windows\SysWOW64\cmd.exe PID:5044
Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"

[depth 89] C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe PID:3248
Command line: C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock

[depth 90] C:\Windows\SysWOW64\cmd.exe PID:1076
Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"

[depth 91] C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe PID:4720
Command line: C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock

[depth 92] C:\Windows\SysWOW64\cmd.exe PID:1480
Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"

[depth 93] C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe PID:1780
Command line: C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock

[depth 94] C:\Windows\SysWOW64\cmd.exe PID:5004
Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"

[depth 95] C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe PID:3888
Command line: C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock

[depth 96] C:\Windows\SysWOW64\cmd.exe PID:4384
Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"

[depth 97] C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe PID:2300
Command line: C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock

[depth 98] C:\Windows\SysWOW64\cmd.exe PID:4044
Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"

[depth 99] C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe PID:3472
Command line: C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock

[depth 100] C:\Windows\SysWOW64\cmd.exe PID:4620
Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"

[depth 101] C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe PID:4528
Command line: C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock

[depth 102] C:\Windows\SysWOW64\cmd.exe PID:2088
Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"

[depth 103] C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe PID:3364
Command line: C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
- System Location Discovery: System Language Discovery

[depth 104] C:\Windows\SysWOW64\cmd.exe PID:5020
Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"

[depth 105] C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe PID:3200
Command line: C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
- System Location Discovery: System Language Discovery

[depth 106] C:\Windows\SysWOW64\cmd.exe PID:4320
Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"

[depth 107] C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe PID:4920
Command line: C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock

[depth 108] C:\Windows\SysWOW64\cmd.exe PID:4940
Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"

[depth 109] C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe PID:1728
Command line: C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock

[depth 110] C:\Windows\SysWOW64\cmd.exe PID:5112
Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"

[depth 111] C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe PID:3940
Command line: C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock

[depth 112] C:\Windows\SysWOW64\cmd.exe PID:2280
Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"

[depth 113] C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe PID:2152
Command line: C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock

[depth 114] C:\Windows\SysWOW64\cmd.exe PID:1076
Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"

[depth 115] C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe PID:3364
Command line: C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock

[depth 116] C:\Windows\SysWOW64\cmd.exe PID:3832
Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"

[depth 117] C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe PID:1556
Command line: C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock

[depth 118] C:\Windows\SysWOW64\cmd.exe PID:4828
Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"
- System Location Discovery: System Language Discovery

[depth 119] C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe PID:3224
Command line: C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock
- System Location Discovery: System Language Discovery

[depth 120] C:\Windows\SysWOW64\cmd.exe PID:3508
Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"

[depth 121] C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock.exe PID:2744
Command line: C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock

[depth 122] C:\Windows\SysWOW64\cmd.exe PID:2612
Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-13_ad7bb4d0b054545954fcdec26bf7bf7d_virlock"