Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 150s
max time network: 99s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20/10/2024, 22:21
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
  Resource: win7-20240729-en
Behavioral task: behavioral2
  Sample: 2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
  Resource: win10v2004-20241007-en
General
Target: 2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
Size: 239KB
MD5: 0ea045ba653ff165fd4405dc782bf1d4
SHA1: 1f43baf35d7eb10d2db104c8da643a4f1e953db4
SHA256: 2cceb8b4ab66644270d945ffaef553e843bdc76dfdf0ad5ba563ec8c2c40c079
SHA512: d6f53d923018a7d5d720ca8c0c3be73bb910940d9d93c5766f98bb2de5d44522cf839c97d1ee9345288992ecdde6976d34e03da967a8d09db2f58edd492a7504
SSDEEP: 3072:7suvt0qIUIP3TiNyHIlbr832XOEW6NDNxncKW6zlK6R76xJNeRek7/lmO5tGR0/y:7vGTiHODiAKW6zXIe17gx0/y
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | reg.exe (64 identical entries, one per reg.exe invocation)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe (64 identical entries, one per reg.exe invocation)
Renames multiple (83) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | XggosUsQ.exe
Executes dropped EXE 2 IoCs
pid | Process
3816 | XggosUsQ.exe
3284 | baoIMQAs.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application 2 TTPs 6 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XggosUsQ.exe = "C:\\Users\\Admin\\ngEYQMQY\\XggosUsQ.exe" | 2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\baoIMQAs.exe = "C:\\ProgramData\\CCgYYgAk\\baoIMQAs.exe" | 2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XggosUsQ.exe = "C:\\Users\\Admin\\ngEYQMQY\\XggosUsQ.exe" | XggosUsQ.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\baoIMQAs.exe = "C:\\ProgramData\\CCgYYgAk\\baoIMQAs.exe" | baoIMQAs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\eQAkQcoo.exe = "C:\\Users\\Admin\\YGoswEoY\\eQAkQcoo.exe" | 2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Veokogws.exe = "C:\\ProgramData\\qIgcssEE\\Veokogws.exe" | 2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe
Drops file in System32 directory 2 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\shell32.dll.exe | XggosUsQ.exe
File opened for modification | C:\Windows\SysWOW64\shell32.dll.exe | XggosUsQ.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash 2 IoCs
pid | pid_target | Process | procid_target
2072 | 5100 | WerFault.exe | 442
3976 | 3292 | WerFault.exe | 443
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe (28 entries)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe (14 entries)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cscript.exe (11 entries)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe (10 entries)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | baoIMQAs.exe (1 entry)
Modifies registry key 1 TTPs 64 IoCs
pid | Process
reg.exe, one entry per PID (64 entries, some PIDs reused): 4032, 3972, 3416, 1848, 4848, 1920, 4292, 2696, 3148, 5028, 1888, 2748, 3692, 2388, 1700, 3720, 3176, 4424, 3604, 4564, 756, 2292, 2488, 1380, 4220, 2348, 1168, 964, 2580, 3912, 1304, 1804, 3468, 3748, 1908, 1980, 848, 3604, 4224, 2108, 3128, 1172, 3028, 4136, 3292, 3004, 3688, 3888, 1308, 2064, 1740, 4044, 5068, 3564, 3152, 2108, 2492, 4424, 3692, 3720, 3308, 3212, 3720, 2308
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe, four entries for each of the PIDs 3512, 3184, 1508, 1060, 4116, 3680, 1088, 2292, 4752, 4584, 3748, 4612, 1464, 744, 4620, 4888
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 3816 XggosUsQ.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 3816 XggosUsQ.exe 3816 XggosUsQ.exe 3816 XggosUsQ.exe 3816 XggosUsQ.exe 3816 XggosUsQ.exe 3816 XggosUsQ.exe 3816 XggosUsQ.exe 3816 XggosUsQ.exe 3816 XggosUsQ.exe 3816 XggosUsQ.exe 3816 XggosUsQ.exe 3816 XggosUsQ.exe 3816 XggosUsQ.exe 3816 XggosUsQ.exe 3816 XggosUsQ.exe 3816 XggosUsQ.exe 3816 XggosUsQ.exe 3816 XggosUsQ.exe 3816 XggosUsQ.exe 3816 XggosUsQ.exe 3816 XggosUsQ.exe 3816 XggosUsQ.exe 3816 XggosUsQ.exe 3816 XggosUsQ.exe 3816 XggosUsQ.exe 3816 XggosUsQ.exe 3816 XggosUsQ.exe 3816 XggosUsQ.exe 3816 XggosUsQ.exe 3816 XggosUsQ.exe 3816 XggosUsQ.exe 3816 XggosUsQ.exe 3816 XggosUsQ.exe 3816 XggosUsQ.exe 3816 XggosUsQ.exe 3816 XggosUsQ.exe 3816 XggosUsQ.exe 3816 XggosUsQ.exe 3816 XggosUsQ.exe 3816 XggosUsQ.exe 3816 XggosUsQ.exe 3816 XggosUsQ.exe 3816 XggosUsQ.exe 3816 XggosUsQ.exe 3816 XggosUsQ.exe 3816 XggosUsQ.exe 3816 XggosUsQ.exe 3816 XggosUsQ.exe 3816 XggosUsQ.exe 3816 XggosUsQ.exe 3816 XggosUsQ.exe 3816 XggosUsQ.exe 3816 XggosUsQ.exe 3816 XggosUsQ.exe 3816 XggosUsQ.exe 3816 XggosUsQ.exe 3816 XggosUsQ.exe 3816 XggosUsQ.exe 3816 XggosUsQ.exe 3816 XggosUsQ.exe 3816 XggosUsQ.exe 3816 XggosUsQ.exe 3816 XggosUsQ.exe 3816 XggosUsQ.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3512 wrote to memory of 3816 3512 2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe 85 PID 3512 wrote to memory of 3816 3512 2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe 85 PID 3512 wrote to memory of 3816 3512 2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe 85 PID 3512 wrote to memory of 3284 3512 2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe 86 PID 3512 wrote to memory of 3284 3512 2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe 86 PID 3512 wrote to memory of 3284 3512 2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe 86 PID 3512 wrote to memory of 3316 3512 2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe 87 PID 3512 wrote to memory of 3316 3512 2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe 87 PID 3512 wrote to memory of 3316 3512 2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe 87 PID 3316 wrote to memory of 3184 3316 cmd.exe 90 PID 3316 wrote to memory of 3184 3316 cmd.exe 90 PID 3316 wrote to memory of 3184 3316 cmd.exe 90 PID 3512 wrote to memory of 2180 3512 2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe 91 PID 3512 wrote to memory of 2180 3512 2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe 91 PID 3512 wrote to memory of 2180 3512 2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe 91 PID 3512 wrote to memory of 4908 3512 2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe 92 PID 3512 wrote to memory of 4908 3512 2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe 92 PID 3512 wrote to memory of 4908 3512 2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe 92 PID 3512 wrote to memory of 3196 3512 2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe 93 PID 3512 wrote to memory of 3196 3512 2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe 93 PID 3512 wrote to memory of 3196 3512 2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe 93 PID 3512 wrote to memory of 4932 3512 
2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe 94 PID 3512 wrote to memory of 4932 3512 2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe 94 PID 3512 wrote to memory of 4932 3512 2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe 94 PID 4932 wrote to memory of 1324 4932 cmd.exe 99 PID 4932 wrote to memory of 1324 4932 cmd.exe 99 PID 4932 wrote to memory of 1324 4932 cmd.exe 99 PID 3184 wrote to memory of 1312 3184 2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe 100 PID 3184 wrote to memory of 1312 3184 2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe 100 PID 3184 wrote to memory of 1312 3184 2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe 100 PID 3184 wrote to memory of 2788 3184 2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe 102 PID 3184 wrote to memory of 2788 3184 2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe 102 PID 3184 wrote to memory of 2788 3184 2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe 102 PID 3184 wrote to memory of 3016 3184 2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe 103 PID 3184 wrote to memory of 3016 3184 2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe 103 PID 3184 wrote to memory of 3016 3184 2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe 103 PID 3184 wrote to memory of 3564 3184 2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe 104 PID 3184 wrote to memory of 3564 3184 2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe 104 PID 3184 wrote to memory of 3564 3184 2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe 104 PID 3184 wrote to memory of 1544 3184 2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe 105 PID 3184 wrote to memory of 1544 3184 2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe 105 PID 3184 wrote to memory of 1544 3184 2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe 105 PID 1544 wrote to memory of 4408 1544 cmd.exe 110 PID 1544 wrote to memory of 4408 1544 cmd.exe 110 PID 1544 wrote to memory of 
4408 1544 cmd.exe 110 PID 1312 wrote to memory of 1508 1312 cmd.exe 111 PID 1312 wrote to memory of 1508 1312 cmd.exe 111 PID 1312 wrote to memory of 1508 1312 cmd.exe 111 PID 1508 wrote to memory of 3648 1508 2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe 113 PID 1508 wrote to memory of 3648 1508 2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe 113 PID 1508 wrote to memory of 3648 1508 2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe 113 PID 1508 wrote to memory of 3416 1508 2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe 115 PID 1508 wrote to memory of 3416 1508 2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe 115 PID 1508 wrote to memory of 3416 1508 2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe 115 PID 1508 wrote to memory of 2492 1508 2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe 116 PID 1508 wrote to memory of 2492 1508 2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe 116 PID 1508 wrote to memory of 2492 1508 2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe 116 PID 1508 wrote to memory of 1172 1508 2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe 117 PID 1508 wrote to memory of 1172 1508 2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe 117 PID 1508 wrote to memory of 1172 1508 2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe 117 PID 1508 wrote to memory of 2748 1508 2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe 118 PID 1508 wrote to memory of 2748 1508 2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe 118 PID 1508 wrote to memory of 2748 1508 2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe 118 PID 3648 wrote to memory of 1060 3648 cmd.exe 122
Processes
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe"C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exe"1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3512 -
C:\Users\Admin\ngEYQMQY\XggosUsQ.exe"C:\Users\Admin\ngEYQMQY\XggosUsQ.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:3816
C:\ProgramData\CCgYYgAk\baoIMQAs.exe"C:\ProgramData\CCgYYgAk\baoIMQAs.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:3284
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"2⤵
- Suspicious use of WriteProcessMemory
PID:3316 -
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3184 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1312 -
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1508 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"6⤵
- Suspicious use of WriteProcessMemory
PID:3648 -
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock7⤵
- Suspicious behavior: EnumeratesProcesses
PID:1060 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"8⤵PID:1824
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock9⤵
- Suspicious behavior: EnumeratesProcesses
PID:4116 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"10⤵PID:3256
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock11⤵
- Suspicious behavior: EnumeratesProcesses
PID:3680 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"12⤵PID:4908
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock13⤵
- Suspicious behavior: EnumeratesProcesses
PID:1088 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"14⤵PID:4756
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock15⤵
- Suspicious behavior: EnumeratesProcesses
PID:2292 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"16⤵PID:4768
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock17⤵
- Suspicious behavior: EnumeratesProcesses
PID:4752 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"18⤵PID:2204
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock19⤵
- Suspicious behavior: EnumeratesProcesses
PID:4584 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"20⤵PID:3132
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock21⤵
- Suspicious behavior: EnumeratesProcesses
PID:3748 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"22⤵PID:3596
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock23⤵
- Suspicious behavior: EnumeratesProcesses
PID:4612 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"24⤵
- System Location Discovery: System Language Discovery
PID:3092 -
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock25⤵
- Suspicious behavior: EnumeratesProcesses
PID:1464 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"26⤵PID:3648
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock27⤵
- Suspicious behavior: EnumeratesProcesses
PID:744 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"28⤵PID:3692
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock29⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4620 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"30⤵PID:4924
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock31⤵
- Suspicious behavior: EnumeratesProcesses
PID:4888 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"32⤵PID:4012
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock33⤵PID:3616
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"34⤵PID:4876
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock35⤵PID:2476
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"36⤵PID:744
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock37⤵PID:3016
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"38⤵PID:4808
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock39⤵PID:4052
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"40⤵PID:536
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock41⤵PID:3400
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"42⤵PID:4012
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock43⤵PID:2756
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"44⤵PID:4044
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock45⤵PID:2704
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"46⤵
- System Location Discovery: System Language Discovery
PID:3332 -
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock47⤵PID:4040
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"48⤵PID:4844
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock49⤵PID:1008
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"50⤵PID:1608
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock51⤵PID:3212
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"52⤵PID:732
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock53⤵PID:460
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"54⤵PID:2108
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock55⤵PID:3680
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"56⤵PID:2292
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock57⤵PID:4052
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"58⤵PID:4072
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock59⤵
- Adds Run key to start application
PID:4724 -
C:\Users\Admin\YGoswEoY\eQAkQcoo.exe"C:\Users\Admin\YGoswEoY\eQAkQcoo.exe"60⤵PID:5100
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5100 -s 22461⤵
- Program crash
PID:2072
C:\ProgramData\qIgcssEE\Veokogws.exe"C:\ProgramData\qIgcssEE\Veokogws.exe"60⤵PID:3292
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3292 -s 22861⤵
- Program crash
PID:3976
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"60⤵PID:1304
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock61⤵
- System Location Discovery: System Language Discovery
PID:3924 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"62⤵PID:4932
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock63⤵PID:688
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"64⤵PID:2580
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock65⤵PID:2096
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"66⤵PID:1680
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock67⤵PID:3320
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"68⤵PID:4408
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock69⤵PID:1464
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"70⤵PID:3844
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock71⤵PID:3908
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"72⤵PID:4844
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock73⤵PID:1600
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"74⤵PID:4816
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock75⤵PID:3308
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"76⤵PID:2060
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock77⤵PID:4292
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"78⤵PID:1436
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock79⤵PID:5028
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"80⤵PID:3208
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock81⤵
- System Location Discovery: System Language Discovery
PID:4012 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"82⤵PID:2580
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock83⤵PID:3960
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"84⤵
- System Location Discovery: System Language Discovery
PID:2928 -
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock85⤵PID:1756
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"86⤵PID:3476
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock87⤵PID:4900
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"88⤵PID:2488
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock89⤵PID:2348
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"90⤵PID:3152
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock91⤵PID:4568
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"92⤵PID:2068
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock93⤵PID:744
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"94⤵PID:4624
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock95⤵
- System Location Discovery: System Language Discovery
PID:1476 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"96⤵PID:4848
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock97⤵PID:1096
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"98⤵PID:1688
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock99⤵PID:3888
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"100⤵PID:828
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock101⤵PID:4808
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"102⤵PID:3292
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock103⤵PID:5016
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"104⤵PID:1528
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock105⤵PID:1564
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"106⤵PID:3924
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock107⤵PID:4008
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"108⤵PID:4228
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock109⤵PID:3176
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"110⤵PID:4040
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock111⤵PID:3004
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"112⤵PID:3976
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock113⤵
- System Location Discovery: System Language Discovery
PID:4880 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"114⤵PID:2164
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock115⤵PID:4568
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"116⤵PID:4044
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock117⤵PID:3132
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"118⤵PID:868
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock119⤵PID:2064
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"120⤵PID:1512
C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock121⤵PID:3688
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_0ea045ba653ff165fd4405dc782bf1d4_virlock"122⤵PID:3592