Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 150s
max time network: 66s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 20/10/2024, 22:21
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
  Resource: win7-20240729-en
Behavioral task: behavioral2
  Sample: 2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
  Resource: win10v2004-20241007-en
General
Target: 2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
Size: 239KB
MD5: 0ea045ba653ff165fd4405dc782bf1d4
SHA1: 1f43baf35d7eb10d2db104c8da643a4f1e953db4
SHA256: 2cceb8b4ab66644270d945ffaef553e843bdc76dfdf0ad5ba563ec8c2c40c079
SHA512: d6f53d923018a7d5d720ca8c0c3be73bb910940d9d93c5766f98bb2de5d44522cf839c97d1ee9345288992ecdde6976d34e03da967a8d09db2f58edd492a7504
SSDEEP: 3072:7suvt0qIUIP3TiNyHIlbr832XOEW6NDNxncKW6zlK6R76xJNeRek7/lmO5tGR0/y:7vGTiHODiAKW6zXIe17gx0/y
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 63 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | reg.exe
(this identical entry is recorded 63 times)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
(this identical entry is repeated across the whole block)
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\International\Geo\Nation | tcAQAcsg.exe
Deletes itself (1 IoCs)
pid | Process
2964 | cmd.exe
Executes dropped EXE (2 IoCs)
pid | Process
300 | VogEAEwQ.exe
2392 | tcAQAcsg.exe
Loads dropped DLL (20 IoCs)
pid | Process
2300 | 2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe (4 entries)
2392 | tcAQAcsg.exe (16 entries)
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\tcAQAcsg.exe = "C:\\ProgramData\\fasMQQEg\\tcAQAcsg.exe" | tcAQAcsg.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\VogEAEwQ.exe = "C:\\Users\\Admin\\aEgkkcgg\\VogEAEwQ.exe" | VogEAEwQ.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\VogEAEwQ.exe = "C:\\Users\\Admin\\aEgkkcgg\\VogEAEwQ.exe" | 2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\tcAQAcsg.exe = "C:\\ProgramData\\fasMQQEg\\tcAQAcsg.exe" | 2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
Drops file in Windows directory (1 IoCs)
description | ioc | Process
File opened for modification | \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico | tcAQAcsg.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe, cmd.exe, cscript.exe, tcAQAcsg.exe, 2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe (64 entries in total across these processes)
Modifies registry key (1 TTPs, 64 IoCs)
pid | Process
2024, 2792, 1564, 448, 2280, 2892, 2992, 1044, 2336, 2276, 3044, 1616, 3036, 2860, 2192, 2852, 1520, 2332, 2204, 696, 1484, 2268, 3008, 2108, 2376, 2996, 2440, 2872, 2192, 2904, 812, 2200, 2128, 580, 2892, 2332, 2700, 2784, 1368, 2232, 2040, 2796, 2344, 2372, 1124, 2768, 2368, 2848, 2372, 1676, 1564, 2892, 2440, 2208, 2056, 1724, 1824, 2836, 436, 2712, 2248, 2792, 2848, 944 | reg.exe (64 entries; some pids appear more than once)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
2300, 2808, 940, 1932, 2132, 1492, 1616, 2824, 2632, 1840, 2336, 2580, 1604, 2656, 280, 808, 2116, 3008, 2172, 1780, 1080, 2360, 2068, 2092, 2160, 1960, 2152, 1712, 2932, 2492, 1580, 2364 | 2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe (each pid is listed twice, 64 entries in total)
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
pid | Process
2392 | tcAQAcsg.exe
Suspicious use of FindShellTrayWindow (64 IoCs)
pid | Process
2392 | tcAQAcsg.exe (64 identical entries)
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2300 wrote to memory of 300 | 2300 | 2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe | 30 (listed 4 times)
PID 2300 wrote to memory of 2392 | 2300 | 2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe | 31 (listed 4 times)
PID 2300 wrote to memory of 2944 | 2300 | 2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe | 32 (listed 4 times)
PID 2944 wrote to memory of 2808 | 2944 | cmd.exe | 34 (listed 4 times)
PID 2300 wrote to memory of 2784 | 2300 | 2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe | 35 (listed 4 times)
PID 2300 wrote to memory of 580 | 2300 | 2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe | 36 (listed 4 times)
PID 2300 wrote to memory of 3048 | 2300 | 2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe | 38 (listed 4 times)
PID 2300 wrote to memory of 2680 | 2300 | 2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe | 39 (listed 4 times)
PID 2680 wrote to memory of 2764 | 2680 | cmd.exe | 43 (listed 4 times)
PID 2808 wrote to memory of 1056 | 2808 | 2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe | 44 (listed 4 times)
PID 2808 wrote to memory of 2712 | 2808 | 2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe | 46 (listed 4 times)
PID 1056 wrote to memory of 940 | 1056 | cmd.exe | 47 (listed 4 times)
PID 2808 wrote to memory of 1108 | 2808 | 2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe | 48 (listed 4 times)
PID 2808 wrote to memory of 2848 | 2808 | 2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe | 50 (listed 4 times)
PID 2808 wrote to memory of 2408 | 2808 | 2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe | 51 (listed 4 times)
PID 2408 wrote to memory of 2868 | 2408 | cmd.exe | 54 (listed 4 times)
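The table above is rendered as a single run of text, and every write in it is repeated four times. The script below is an added example, not part of the tria.ge report: it parses rows in that rendered form into a writer-to-written-PID graph, collapses the repeats, walks a lineage back to the root, and checks whether any process was written to by more than one writer. On this page each unique row pairs a process with a child that sits directly under it in the process tree, so the rows read as process-creation edges; a written-to PID with two or more writers is the case that would deserve a closer look. The sample rows are a constructed subset of the table, and the function names are the example's own.

```python
"""Rebuild parent/child edges from the flattened 'wrote to memory of' rows."""
import re
from collections import defaultdict

SAMPLE_EXE = "2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe"

# Constructed input: six of the edges from the table above, each repeated
# four times exactly as the report renders them. The writer PID, the pid
# column and the image name are on every row; procid_target is the
# sandbox's own index for the written-to process, not its PID.
ROWS = " ".join(
    f"PID {src} wrote to memory of {dst} {src} {image} {procid}"
    for src, dst, image, procid in [
        (2300, 300, SAMPLE_EXE, 30),
        (2300, 2392, SAMPLE_EXE, 31),
        (2300, 2944, SAMPLE_EXE, 32),
        (2944, 2808, "cmd.exe", 34),
        (2808, 1056, SAMPLE_EXE, 44),
        (1056, 940, "cmd.exe", 47),
    ]
    for _ in range(4)
)

ROW_RE = re.compile(
    r"PID (?P<writer>\d+) wrote to memory of (?P<target>\d+)\s+"
    r"(?P<pid>\d+)\s+(?P<process>\S+)\s+(?P<procid_target>\d+)"
)


def parse_rows(text):
    """One dict per rendered row, repeats included."""
    return [m.groupdict() for m in ROW_RE.finditer(text)]


def build_graph(text):
    """Unique writer -> sorted list of written-to PIDs, repeats collapsed."""
    graph = defaultdict(set)
    for row in parse_rows(text):
        graph[int(row["writer"])].add(int(row["target"]))
    return {pid: sorted(kids) for pid, kids in graph.items()}


def image_names(text):
    """Image name the report shows for each writing PID."""
    return {int(r["writer"]): r["process"] for r in parse_rows(text)}


def roots(graph):
    """Writers that are never written to themselves: the top of each tree."""
    written = {c for kids in graph.values() for c in kids}
    return sorted(p for p in graph if p not in written)


def writers_of(graph):
    """Reverse map: written-to PID -> sorted PIDs that wrote to it."""
    rev = defaultdict(set)
    for parent, kids in graph.items():
        for child in kids:
            rev[child].add(parent)
    return {c: sorted(ws) for c, ws in rev.items()}


def multi_writer(graph):
    """PIDs written to by more than one process. Empty when the rows are only
    the side effect of process creation; non-empty when something else
    also wrote into that process."""
    return sorted(c for c, ws in writers_of(graph).items() if len(ws) > 1)


def lineage(graph, pid):
    """Path from the root down to pid, following the first writer at each step
    and stopping if the edges ever loop back on themselves."""
    parents = writers_of(graph)
    path = [pid]
    while path[-1] in parents and parents[path[-1]][0] not in path:
        path.append(parents[path[-1]][0])
    return path[::-1]


if __name__ == "__main__":
    g = build_graph(ROWS)
    print(f"{len(parse_rows(ROWS))} rows -> {sum(map(len, g.values()))} unique edges")
    for pid in roots(g):
        print("root", pid, image_names(ROWS)[pid])
    print("lineage of 940:", " -> ".join(map(str, lineage(g, 940))))
    print("multi-writer children:", multi_writer(g))
```

`lineage(g, 940)` reproduces the top of the process tree below (2300, then cmd.exe 2944, then the relaunched sample 2808, then cmd.exe 1056, then 940) from the signature rows alone, which is a quick way to cross-check a report whose tree has been cut short.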
Processes
Each entry below is shown as [nesting level] image path, its command line, its PID and the signatures it triggered; an entry at level N+1 is a child of the nearest level-N entry above it. From level 2 downwards the chain alternates between two entries that differ only in PID and signatures:
  A = C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe, command line C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock (the same file, started without its .exe extension)
  B = C:\Windows\SysWOW64\cmd.exe, command line cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"

[1] C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe"
    PID 2300
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
[2] C:\Users\Admin\aEgkkcgg\VogEAEwQ.exe
    command line: "C:\Users\Admin\aEgkkcgg\VogEAEwQ.exe"
    PID 300
    - Executes dropped EXE
    - Adds Run key to start application
[2] C:\ProgramData\fasMQQEg\tcAQAcsg.exe
    command line: "C:\ProgramData\fasMQQEg\tcAQAcsg.exe"
    PID 2392
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
[2] B, PID 2944: Suspicious use of WriteProcessMemory
[3] A, PID 2808: System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
[4] B, PID 1056: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
[5] A, PID 940: Suspicious behavior: EnumeratesProcesses
[6] B, PID 2844
[7] A, PID 1932: System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses
[8] B, PID 2136
[9] A, PID 2132: Suspicious behavior: EnumeratesProcesses
[10] B, PID 1604
[11] A, PID 1492: Suspicious behavior: EnumeratesProcesses
[12] B, PID 2316
[13] A, PID 1616: Suspicious behavior: EnumeratesProcesses
[14] B, PID 2784
[15] A, PID 2824: Suspicious behavior: EnumeratesProcesses
[16] B, PID 2416
[17] A, PID 2632: Suspicious behavior: EnumeratesProcesses
[18] B, PID 2444
[19] A, PID 1840: Suspicious behavior: EnumeratesProcesses
[20] B, PID 2844
[21] A, PID 2336: Suspicious behavior: EnumeratesProcesses
[22] B, PID 1556
[23] A, PID 2580: System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses
[24] B, PID 2912
[25] A, PID 1604: Suspicious behavior: EnumeratesProcesses
[26] B, PID 1608
[27] A, PID 2656: Suspicious behavior: EnumeratesProcesses
[28] B, PID 2340
[29] A, PID 280: System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses
[30] B, PID 2264
[31] A, PID 808: Suspicious behavior: EnumeratesProcesses
[32] B, PID 2364
[33] A, PID 2116: Suspicious behavior: EnumeratesProcesses
[34] B, PID 2432
[35] A, PID 3008: Suspicious behavior: EnumeratesProcesses
[36] B, PID 2840
[37] A, PID 2172: Suspicious behavior: EnumeratesProcesses
[38] B, PID 1252
[39] A, PID 1780: Suspicious behavior: EnumeratesProcesses
[40] B, PID 2164
[41] A, PID 1080: Suspicious behavior: EnumeratesProcesses
[42] B, PID 2956
[43] A, PID 2360: Suspicious behavior: EnumeratesProcesses
[44] B, PID 3064
[45] A, PID 2068: System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses
[46] B, PID 2700
[47] A, PID 2092: Suspicious behavior: EnumeratesProcesses
[48] B, PID 2976
[49] A, PID 2160: System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses
[50] B, PID 2924
[51] A, PID 1960: Suspicious behavior: EnumeratesProcesses
[52] B, PID 1608
[53] A, PID 2152: Suspicious behavior: EnumeratesProcesses
[54] B, PID 1836
[55] A, PID 1712: Suspicious behavior: EnumeratesProcesses
[56] B, PID 1604
[57] A, PID 2932: Suspicious behavior: EnumeratesProcesses
[58] B, PID 2112
[59] A, PID 2492: System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses
[60] B, PID 916: System Location Discovery: System Language Discovery
[61] A, PID 1580: Suspicious behavior: EnumeratesProcesses
[62] B, PID 1356
[63] A, PID 2364: Suspicious behavior: EnumeratesProcesses
[64] B, PID 2356: System Location Discovery: System Language Discovery
[65] A, PID 1624
[66] B, PID 388
[67] A, PID 1532
[68] B, PID 1144
[69] A, PID 808
[70] B, PID 884: System Location Discovery: System Language Discovery
[71] A, PID 2352
[72] B, PID 2876: System Location Discovery: System Language Discovery
[73] A, PID 2252
[74] B, PID 1484
[75] A, PID 2244
[76] B, PID 496
[77] A, PID 1588: System Location Discovery: System Language Discovery
[78] B, PID 2028: System Location Discovery: System Language Discovery
[79] A, PID 2700
[80] B, PID 2196
[81] A, PID 1192
[82] B, PID 2840
[83] A, PID 2656
[84] B, PID 884
[85] A, PID 3052
[86] B, PID 2268
[87] A, PID 3024
[88] B, PID 2320
[89] A, PID 2980
[90] B, PID 2360: System Location Discovery: System Language Discovery
[91] A, PID 552
[92] B, PID 2264: System Location Discovery: System Language Discovery
[93] A, PID 1180
[94] B, PID 1300
[95] A, PID 1560
[96] B, PID 388
[97] A, PID 900
[98] B, PID 1708
[99] A, PID 3056
[100] B, PID 296
[101] A, PID 2112
[102] B, PID 2852
[103] A, PID 1844: System Location Discovery: System Language Discovery
[104] B, PID 2944
[105] A, PID 2072
[106] B, PID 2388
[107] A, PID 2276
[108] B, PID 2496
[109] A, PID 1356: System Location Discovery: System Language Discovery
[110] B, PID 1524
[111] A, PID 1368: System Location Discovery: System Language Discovery
[112] B, PID 2800: System Location Discovery: System Language Discovery
[113] A, PID 2432
[114] B, PID 3064
[115] A, PID 1948
[116] B, PID 1916
[117] A, PID 3052
[118] B, PID 812: System Location Discovery: System Language Discovery
[119] A, PID 1696: System Location Discovery: System Language Discovery
[120] B, PID 2956
[121] A, PID 1936
[122] B, PID 2932
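The tree above shows the sample relaunching itself through cmd /c with its own path minus the .exe extension, 60 times before the run ended, and PIDs recur along the way (2844 at levels 6 and 20, 1604 at levels 10, 25 and 56). The script below is an added example, not code from the report or from the sample: it rebuilds the tree from (level, image, command line, PID) tuples constructed from the first 21 levels above, flags each cmd.exe whose /c argument resolves to its parent's own image, lists the copies of the sample spawned that way, and reports PIDs that occur more than once. cmd.exe appends the PATHEXT extensions when a name has none, which is why the extensionless path still starts the .exe; the comparison below accounts for that. Function and variable names are the example's own.

```python
"""Flag cmd.exe children that re-execute their parent's own image, and walk
the resulting relaunch chain without assuming PIDs are unique."""
import ntpath
import re
from collections import Counter
from dataclasses import dataclass, field

SAMPLE_PATH = r"C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe"
SAMPLE_NOEXT = SAMPLE_PATH[:-4]          # the extensionless form handed to cmd /c
CMD_EXE = r"C:\Windows\SysWOW64\cmd.exe"

# PIDs of the chain from nesting level 2 to 21 as listed in the tree above:
# even levels are cmd.exe, odd levels are the sample. 2844 is reused at
# levels 6 and 20, exactly as on the page.
CHAIN = [2944, 2808, 1056, 940, 2844, 1932, 2136, 2132, 1604, 1492,
         2316, 1616, 2784, 2824, 2416, 2632, 2444, 1840, 2844, 2336]

# Constructed input: (nesting level, image, command line, pid) tuples taken
# from the first 21 levels of the process tree above.
SAMPLE = [
    (1, SAMPLE_PATH, f'"{SAMPLE_PATH}"', 2300),
    (2, r"C:\Users\Admin\aEgkkcgg\VogEAEwQ.exe", r'"C:\Users\Admin\aEgkkcgg\VogEAEwQ.exe"', 300),
    (2, r"C:\ProgramData\fasMQQEg\tcAQAcsg.exe", r'"C:\ProgramData\fasMQQEg\tcAQAcsg.exe"', 2392),
] + [
    (level, CMD_EXE, f'cmd /c "{SAMPLE_NOEXT}"', pid) if level % 2 == 0
    else (level, SAMPLE_PATH, SAMPLE_NOEXT, pid)
    for level, pid in enumerate(CHAIN, start=2)
]


@dataclass
class Proc:
    level: int
    image: str
    cmdline: str
    pid: int
    parent: "Proc | None" = None
    children: list = field(default_factory=list)


def build_tree(rows):
    """Link each entry to the nearest preceding entry one level up. Keying by
    position rather than by PID keeps the reused PID 2844 as two nodes."""
    last_at_level, procs = {}, []
    for level, image, cmdline, pid in rows:
        p = Proc(level, image, cmdline, pid)
        parent = last_at_level.get(level - 1)
        if parent is not None:
            p.parent = parent
            parent.children.append(p)
        last_at_level[level] = p
        procs.append(p)
    return procs


def relaunch_target(cmdline):
    """Path passed to `cmd /c`, surrounding quotes stripped, or None."""
    m = re.match(r'^cmd(?:\.exe)?\s+/c\s+"?([^"]+?)"?\s*$', cmdline, re.IGNORECASE)
    return m.group(1) if m else None


def is_self_relaunch(proc):
    """True for a cmd.exe whose /c argument names its parent's own image,
    with or without the .exe that cmd.exe would append via PATHEXT."""
    if proc.parent is None or ntpath.basename(proc.image).lower() != "cmd.exe":
        return False
    target = relaunch_target(proc.cmdline)
    if target is None:
        return False
    target = target.lower()
    return proc.parent.image.lower() in {target, target + ".exe"}


def flagged_cmd_pids(procs):
    """PIDs of every cmd.exe in the tree that relaunches its parent."""
    return [p.pid for p in procs if is_self_relaunch(p)]


def relaunch_chain(procs):
    """PIDs of each fresh copy of the parent image spawned through a flagged cmd.exe."""
    return [c.pid for p in procs if is_self_relaunch(p)
            for c in p.children if c.image.lower() == p.parent.image.lower()]


def reused_pids(procs):
    """PIDs that appear more than once in the tree, with their counts."""
    return {pid: n for pid, n in Counter(p.pid for p in procs).items() if n > 1}


if __name__ == "__main__":
    tree = build_tree(SAMPLE)
    print("self-relaunching cmd.exe PIDs:", flagged_cmd_pids(tree))
    print("copies of the sample spawned that way:", relaunch_chain(tree))
    print("reused PIDs:", reused_pids(tree))
```

Building the tree from nesting level rather than from a PID-keyed parent map matters here: a map keyed on PID alone would give 2844 two different parents and silently merge two processes. The same position-based linking works for any report whose tree is rendered as a flat list with per-entry depth.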