Analysis
max time kernel: 150s
max time network: 119s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 21/11/2024, 03:06
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
  Resource: win10v2004-20241007-en
General
Target: 2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe
Size: 117KB
MD5: 9fac3e4225b3aaacbf2a59a2bcffba00
SHA1: 252caef9b62150eee9a7d83db7d68f7355e62216
SHA256: c4ada8628f591a551e8d3eec090bedcab90c9cccaae9e641d8a57e80ab3cc307
SHA512: 1489fbbf331476dc673791835f921f44f3cb5a2f37fb3762787927e3620a019645df9c9e23f0457b3aee8761966b8eb1d434fe2f718e0c7edabcfb5f44eb2d72
SSDEEP: 1536:zcUhcQHa9YT9d4tl6xKYfx0CnMOYWzxbZKIM7URtQK2WxnnvV3gwyIDwo:zDLHZd4+KYf6CMOn7YK2SvVwID
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs
Set value (int): \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" (process: reg.exe)
(the same entry is repeated for each of the 64 IoCs)
Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (process: reg.exe)
(the same entry is repeated for every IoC in this block)
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Key value queried: \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Control Panel\International\Geo\Nation (process: twgscgwY.exe)
Executes dropped EXE 2 IoCs
pid 1840: twgscgwY.exe
pid 2948: baUkQgQY.exe
Loads dropped DLL 20 IoCs
pid 2416: 2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe (4 entries)
pid 2948: baUkQgQY.exe (16 entries)
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application 2 TTPs 4 IoCs
Set value (str): \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\twgscgwY.exe = "C:\\Users\\Admin\\nGwEAkYo\\twgscgwY.exe" (process: 2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe)
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\baUkQgQY.exe = "C:\\ProgramData\\mcEwgMsU\\baUkQgQY.exe" (process: 2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe)
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\baUkQgQY.exe = "C:\\ProgramData\\mcEwgMsU\\baUkQgQY.exe" (process: baUkQgQY.exe)
Set value (str): \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\twgscgwY.exe = "C:\\Users\\Admin\\nGwEAkYo\\twgscgwY.exe" (process: twgscgwY.exe)
Drops file in Windows directory 1 IoCs
File opened for modification: \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico (process: baUkQgQY.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (processes: reg.exe, cmd.exe, cscript.exe, 2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe)
(the same key is opened in each of the 64 entries; only the opening process differs)
Modifies registry key 1 TTPs 64 IoCs
All 64 entries are reg.exe, with pids: 1740, 2008, 1104, 2652, 2968, 2708, 1964, 2432, 2248, 2932, 1792, 2400, 484, 2692, 236, 2640, 2616, 2144, 2676, 2992, 2412, 3020, 2436, 900, 2320, 2044, 2836, 1456, 648, 1532, 2420, 1876, 2524, 484, 680, 2600, 1368, 2532, 1544, 2156, 2400, 2624, 2348, 2144, 984, 2640, 2068, 536, 2660, 1948, 2312, 1932, 2096, 2740, 1068, 2932, 1680, 2476, 1700, 1572, 1848, 1104, 2636, 1884
Suspicious behavior: EnumeratesProcesses 64 IoCs
All 64 entries are 2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe; each of the following pids appears twice: 2416, 3012, 2592, 1568, 408, 2496, 1500, 2696, 2340, 2008, 1568, 3000, 2724, 2732, 2308, 2436, 620, 1864, 2944, 1604, 2096, 2424, 2400, 1548, 592, 696, 236, 1940, 1544, 1260, 2768, 1692
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid 1840: twgscgwY.exe
Suspicious use of FindShellTrayWindow 64 IoCs
pid 1840: twgscgwY.exe (64 entries)
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 2416 wrote to memory of 1840 2416 2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe 31
PID 2416 wrote to memory of 1840 2416 2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe 31
PID 2416 wrote to memory of 1840 2416 2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe 31
PID 2416 wrote to memory of 1840 2416 2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe 31
PID 2416 wrote to memory of 2948 2416 2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe 32
PID 2416 wrote to memory of 2948 2416 2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe 32
PID 2416 wrote to memory of 2948 2416 2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe 32
PID 2416 wrote to memory of 2948 2416 2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe 32
PID 2416 wrote to memory of 2120 2416 2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe 33
PID 2416 wrote to memory of 2120 2416 2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe 33
PID 2416 wrote to memory of 2120 2416 2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe 33
PID 2416 wrote to memory of 2120 2416 2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe 33
PID 2120 wrote to memory of 3012 2120 cmd.exe 35
PID 2120 wrote to memory of 3012 2120 cmd.exe 35
PID 2120 wrote to memory of 3012 2120 cmd.exe 35
PID 2120 wrote to memory of 3012 2120 cmd.exe 35
PID 2416 wrote to memory of 2780 2416 2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe 36
PID 2416 wrote to memory of 2780 2416 2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe 36
PID 2416 wrote to memory of 2780 2416 2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe 36
PID 2416 wrote to memory of 2780 2416 2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe 36
PID 2416 wrote to memory of 2728 2416 2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe 37
PID 2416 wrote to memory of 2728 2416 2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe 37
PID 2416 wrote to memory of 2728 2416 2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe 37
PID 2416 wrote to memory of 2728 2416 2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe 37
PID 2416 wrote to memory of 2732 2416 2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe 39
PID 2416 wrote to memory of 2732 2416 2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe 39
PID 2416 wrote to memory of 2732 2416 2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe 39
PID 2416 wrote to memory of 2732 2416 2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe 39
PID 2416 wrote to memory of 2760 2416 2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe 42
PID 2416 wrote to memory of 2760 2416 2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe 42
PID 2416 wrote to memory of 2760 2416 2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe 42
PID 2416 wrote to memory of 2760 2416 2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe 42
PID 2760 wrote to memory of 2576 2760 cmd.exe 44
PID 2760 wrote to memory of 2576 2760 cmd.exe 44
PID 2760 wrote to memory of 2576 2760 cmd.exe 44
PID 2760 wrote to memory of 2576 2760 cmd.exe 44
PID 3012 wrote to memory of 2620 3012 2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe 45
PID 3012 wrote to memory of 2620 3012 2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe 45
PID 3012 wrote to memory of 2620 3012 2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe 45
PID 3012 wrote to memory of 2620 3012 2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe 45
PID 2620 wrote to memory of 2592 2620 cmd.exe 47
PID 2620 wrote to memory of 2592 2620 cmd.exe 47
PID 2620 wrote to memory of 2592 2620 cmd.exe 47
PID 2620 wrote to memory of 2592 2620 cmd.exe 47
PID 3012 wrote to memory of 2400 3012 2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe 48
PID 3012 wrote to memory of 2400 3012 2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe 48
PID 3012 wrote to memory of 2400 3012 2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe 48
PID 3012 wrote to memory of 2400 3012 2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe 48
PID 3012 wrote to memory of 2932 3012 2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe 49
PID 3012 wrote to memory of 2932 3012 2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe 49
PID 3012 wrote to memory of 2932 3012 2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe 49
PID 3012 wrote to memory of 2932 3012 2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe 49
PID 3012 wrote to memory of 648 3012 2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe 51
PID 3012 wrote to memory of 648 3012 2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe 51
PID 3012 wrote to memory of 648 3012 2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe 51
PID 3012 wrote to memory of 648 3012 2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe 51
PID 3012 wrote to memory of 1788 3012 2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe 53
PID 3012 wrote to memory of 1788 3012 2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe 53
PID 3012 wrote to memory of 1788 3012 2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe 53
PID 3012 wrote to memory of 1788 3012 2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe 53
PID 1788 wrote to memory of 872 1788 cmd.exe 56
PID 1788 wrote to memory of 872 1788 cmd.exe 56
PID 1788 wrote to memory of 872 1788 cmd.exe 56
PID 1788 wrote to memory of 872 1788 cmd.exe 56
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe"C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2416 -
C:\Users\Admin\nGwEAkYo\twgscgwY.exe"C:\Users\Admin\nGwEAkYo\twgscgwY.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:1840
-
-
C:\ProgramData\mcEwgMsU\baUkQgQY.exe"C:\ProgramData\mcEwgMsU\baUkQgQY.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
PID:2948
-
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"2⤵
- Suspicious use of WriteProcessMemory
PID:2120 -
C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3012 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"4⤵
- Suspicious use of WriteProcessMemory
PID:2620 -
C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock5⤵
- Suspicious behavior: EnumeratesProcesses
PID:2592 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"6⤵PID:2080
-
C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock7⤵
- Suspicious behavior: EnumeratesProcesses
PID:1568 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"8⤵PID:1012
-
C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock9⤵
- Suspicious behavior: EnumeratesProcesses
PID:408 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"10⤵PID:844
-
C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock11⤵
- Suspicious behavior: EnumeratesProcesses
PID:2496 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"12⤵PID:2056
-
C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock13⤵
- Suspicious behavior: EnumeratesProcesses
PID:1500 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"14⤵PID:2812
-
C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock15⤵
- Suspicious behavior: EnumeratesProcesses
PID:2696 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"16⤵PID:332
-
C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock17⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2340 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"18⤵PID:1524
-
C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock19⤵
- Suspicious behavior: EnumeratesProcesses
PID:2008 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"20⤵PID:776
-
C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock21⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1568 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"22⤵PID:1012
-
C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock23⤵
- Suspicious behavior: EnumeratesProcesses
PID:3000 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"24⤵PID:2432
-
C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock25⤵
- Suspicious behavior: EnumeratesProcesses
PID:2724 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"26⤵PID:2692
-
C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock27⤵
- Suspicious behavior: EnumeratesProcesses
PID:2732 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"28⤵PID:2324
-
C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock29⤵
- Suspicious behavior: EnumeratesProcesses
PID:2308 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"30⤵PID:2068
-
C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock31⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2436 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"32⤵PID:1792
-
C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock33⤵
- Suspicious behavior: EnumeratesProcesses
PID:620 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"34⤵PID:2132
-
C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock35⤵
- Suspicious behavior: EnumeratesProcesses
PID:1864 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"36⤵PID:2412
-
C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock37⤵
- Suspicious behavior: EnumeratesProcesses
PID:2944 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"38⤵PID:1856
-
C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock39⤵
- Suspicious behavior: EnumeratesProcesses
PID:1604 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"40⤵PID:1980
-
C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock41⤵
- Suspicious behavior: EnumeratesProcesses
PID:2096 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"42⤵PID:1428
-
C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock43⤵
- Suspicious behavior: EnumeratesProcesses
PID:2424 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"44⤵PID:2620
-
C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock45⤵
- Suspicious behavior: EnumeratesProcesses
PID:2400 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"46⤵PID:1944
-
C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock47⤵
- Suspicious behavior: EnumeratesProcesses
PID:1548 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"48⤵PID:2712
-
C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock49⤵
- Suspicious behavior: EnumeratesProcesses
PID:592 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"50⤵PID:1796
-
C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock51⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:696 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"52⤵PID:1864
-
C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock53⤵
- Suspicious behavior: EnumeratesProcesses
PID:236 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"54⤵PID:1648
-
C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock55⤵
- Suspicious behavior: EnumeratesProcesses
PID:1940 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"56⤵PID:2700
-
C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock57⤵
- Suspicious behavior: EnumeratesProcesses
PID:1544 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"58⤵PID:1424
-
C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock59⤵
- Suspicious behavior: EnumeratesProcesses
PID:1260 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"60⤵PID:2856
-
C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock61⤵
- Suspicious behavior: EnumeratesProcesses
PID:2768 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"62⤵PID:1532
-
C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock63⤵
- Suspicious behavior: EnumeratesProcesses
PID:1692 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"64⤵
- System Location Discovery: System Language Discovery
PID:2428 -
C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock65⤵PID:1720
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"66⤵
- System Location Discovery: System Language Discovery
PID:2620 -
C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock67⤵PID:912
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"68⤵PID:1584
-
C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock69⤵PID:868
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"70⤵PID:2148
-
C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock71⤵PID:1052
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"72⤵PID:2776
-
C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock73⤵PID:2896
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"74⤵PID:1632
-
C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock75⤵PID:620
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"76⤵PID:2856
-
C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock77⤵PID:1940
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"78⤵PID:2376
-
C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock79⤵
- System Location Discovery: System Language Discovery
PID:1012 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"80⤵PID:1468
-
C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock81⤵PID:2992
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"82⤵PID:2740
-
C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock83⤵PID:2020
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"84⤵PID:328
-
C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock85⤵PID:2336
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"86⤵
- System Location Discovery: System Language Discovery
PID:2788 -
C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock87⤵PID:1680
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"88⤵PID:1264
-
C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock89⤵PID:2364
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"90⤵PID:2700
-
C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock91⤵PID:2060
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"92⤵PID:1428
-
C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock93⤵
- System Location Discovery: System Language Discovery
PID:2320 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"94⤵
- System Location Discovery: System Language Discovery
PID:1368 -
C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock95⤵PID:2580
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"96⤵PID:2928
-
C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock97⤵PID:1944
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"98⤵PID:2552
-
C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock99⤵PID:2268
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"100⤵PID:2144
-
C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock101⤵PID:2784
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"102⤵PID:1316
-
C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock103⤵PID:2136
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"104⤵PID:1048
-
C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock105⤵PID:2700
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"106⤵PID:2328
-
C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock107⤵PID:1712
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"108⤵PID:1720
-
C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock109⤵PID:2160
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"110⤵PID:2168
-
C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock111⤵PID:2416
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"112⤵PID:1856
-
C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock113⤵
- System Location Discovery: System Language Discovery
PID:2380 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"114⤵PID:1008
-
C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock115⤵PID:1848
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"116⤵PID:2324
-
C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock117⤵PID:2864
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"118⤵PID:2676
-
C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock119⤵
- System Location Discovery: System Language Discovery
PID:1048 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"120⤵
- System Location Discovery: System Language Discovery
PID:2224 -
C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock121⤵PID:2924
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock"122⤵PID:2580
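Added example, not part of the Triage report: a short Python script that parses the "wrote to memory of" rows of the WriteProcessMemory signature above into parent/child edges, rebuilds the launch chains, and flags the pattern the process tree shows, the sample spawning cmd /c "<its own path without .exe>", which relaunches the sample, which spawns cmd.exe again, down to depth 122 in this run. SAMPLE_ROWS is a constructed subset of the 64 rows on this page; the alternation heuristic in reexec_chains() and every function name are illustration, not a Triage signature. Two caveats a practitioner should keep in mind: the WriteProcessMemory table names only the writing (parent) image, so a leaf that never writes to anything is labelled "?", and Windows recycles PIDs (this page's tree lists 1568, 1012 and 2620 twice), so keying a tree on PID alone is only safe over a short window; real telemetry should key on (PID, creation time).

```python
"""Rebuild launch chains from a Triage 'Suspicious use of WriteProcessMemory'
table and flag the cmd.exe <-> sample re-execution loop visible in the process
tree.  Added example, not part of the Triage report.  SAMPLE_ROWS is a
constructed subset of the rows on this page; reexec_chains() is an
illustrative heuristic, not a Triage signature."""
import re
from collections import defaultdict

SAMPLE = "2024-11-21_9fac3e4225b3aaacbf2a59a2bcffba00_virlock.exe"

# Constructed input: nine of the 64 rows above, one table row per line.  Triage
# emits one row per WriteProcessMemory call, so the same edge repeats.
SAMPLE_ROWS = f"""
PID 2416 wrote to memory of 1840 2416 {SAMPLE} 31
PID 2416 wrote to memory of 1840 2416 {SAMPLE} 31
PID 2416 wrote to memory of 2120 2416 {SAMPLE} 33
PID 2120 wrote to memory of 3012 2120 cmd.exe 35
PID 2120 wrote to memory of 3012 2120 cmd.exe 35
PID 3012 wrote to memory of 2620 3012 {SAMPLE} 45
PID 2620 wrote to memory of 2592 2620 cmd.exe 47
PID 3012 wrote to memory of 1788 3012 {SAMPLE} 53
PID 1788 wrote to memory of 872 1788 cmd.exe 56
"""

# Columns: description ("PID <p> wrote to memory of <c>"), pid, Process, procid_target
ROW_RE = re.compile(
    r"PID (?P<parent>\d+) wrote to memory of (?P<child>\d+) "
    r"(?P=parent) (?P<image>\S+) (?P<target>\d+)$"
)


def parse_rows(text):
    """Return unique (parent_pid, child_pid, parent_image, target_idx) edges in
    first-seen order.  Repeated rows for the same child collapse to one edge."""
    seen = {}
    for line in text.splitlines():
        m = ROW_RE.search(line.strip())
        if m:
            key = (int(m["parent"]), int(m["child"]))
            seen.setdefault(key, (m["image"], int(m["target"])))
    return [(p, c, img, t) for (p, c), (img, t) in seen.items()]


def build_tree(edges):
    """children[pid] -> [child pids]; images[pid] -> image name.  Only writers
    (parents) are named in this table, so a pure leaf has no image here."""
    children, images = defaultdict(list), {}
    for parent, child, image, _ in edges:
        children[parent].append(child)
        images[parent] = image
    return children, images


def roots(edges):
    """PIDs that write to others but are never written to."""
    parents = {p for p, _, _, _ in edges}
    kids = {c for _, c, _, _ in edges}
    return sorted(parents - kids)


def chains(children, root):
    """Every root-to-leaf PID path.  Windows reuses PIDs (this page's tree shows
    1568, 1012 and 2620 twice), so a PID already on the path is not followed."""
    out = []

    def walk(pid, path):
        nxt = [c for c in children.get(pid, []) if c not in path]
        if not nxt:
            out.append(path)
            return
        for c in nxt:
            walk(c, path + [c])

    walk(root, [root])
    return out


def reexec_chains(edges, sample, launcher="cmd.exe", min_hops=3):
    """Chains whose known images strictly alternate between `sample` and
    `launcher` for at least `min_hops` processes: the cmd /c "<path>" relaunch
    loop the process tree shows.  Leaves with no known image are kept as '?'."""
    children, images = build_tree(edges)
    hits = []
    for root in roots(edges):
        for path in chains(children, root):
            labelled = [(pid, images.get(pid, "?")) for pid in path]
            known = [img for _, img in labelled if img != "?"]
            if (len(known) >= min_hops
                    and all(img in (sample, launcher) for img in known)
                    and all(a != b for a, b in zip(known, known[1:]))):
                hits.append(labelled)
    return hits


if __name__ == "__main__":
    for chain in reexec_chains(parse_rows(SAMPLE_ROWS), SAMPLE):
        print(" -> ".join(f"{pid}:{img}" for pid, img in chain))
```

Fed the full 64-row table, the same code yields the 2416 -> 2120 -> 3012 -> ... spine plus the side branches (2948, 2780, 2728, 2732, 2760 and the later children of 3012) that the process tree lists as siblings; the duplicated rows per child are collapsed on purpose, since one edge per child is enough to rebuild the tree.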