Analysis
-
max time kernel
151s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20231215-en locale:en-us os:windows10-2004-x64 system -
submitted
25-01-2024 17:27
Static task
static1
Behavioral task
behavioral1
Sample
2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe
Resource
win10v2004-20231215-en
General
-
Target
2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe
-
Size
117KB
-
MD5
4550fd554fda3dfc3c2a20bbd99af1de
-
SHA1
2116e299a68e4a0bb97ce02411f8ad845d3aab14
-
SHA256
e0ccc1d03884e09cc75a49cbfb12dce1113b495918614d2a289c5cb368193fa2
-
SHA512
9485fdefcad2a8173fe9d3cc9132c4c4c561ebf199e50c244b3efc51f7e689884bfb7de654b21763da2f6297cf0afe5febcaf9f3f0fe53050565977ba8f42cb5
-
SSDEEP
3072:KrJ5LcQ7R6asiYzw08pteq3YErOXhVEsJm:KP4Q7EauzvYzOXhfm
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" cmd.exe Set value (int) \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" cmd.exe Set value (int) 
\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" cscript.exe Set value (int) \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Conhost.exe Set value (int) \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" cmd.exe Set value (int) \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" 2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe Set value (int) \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Conhost.exe Set value (int) \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Conhost.exe Set value (int) \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" 
cscript.exe Set value (int) \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Conhost.exe Set value (int) \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Conhost.exe Set value (int) \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Conhost.exe Set value (int) \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Conhost.exe Set value (int) \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" cmd.exe Set value (int) \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Conhost.exe Set value (int) 
\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Conhost.exe Set value (int) \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" cscript.exe Set value (int) \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" cscript.exe Set value (int) \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" cmd.exe Set value (int) \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Conhost.exe Set value (int) 
\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" 2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe Set value (int) \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" cmd.exe Set value (int) \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Conhost.exe Set value (int) \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) 
\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Conhost.exe Set value (int) \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Conhost.exe Set value (int) \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Conhost.exe Set value (int) \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Conhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Conhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Conhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cmd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 
2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Conhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Conhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Conhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cmd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cmd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Conhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Conhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set 
value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Conhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Conhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Conhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Conhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Conhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cmd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Conhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cmd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe -
Renames multiple (79) files with added filename extension
This suggests ransomware activity: the files on the system are being encrypted and renamed with an added extension.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely a geofence check.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\International\Geo\Nation DSokYYMU.exe -
Executes dropped EXE 2 IoCs
pid Process 1200 DSokYYMU.exe 1968 lkUEUwoU.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.
-
Adds Run key to start application 2 TTPs 6 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\lkUEUwoU.exe = "C:\\ProgramData\\vmEIUkIg\\lkUEUwoU.exe" lkUEUwoU.exe Set value (str) \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aoAoYYgI.exe = "C:\\Users\\Admin\\QCsAccYM\\aoAoYYgI.exe" Conhost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wcUoEkIU.exe = "C:\\ProgramData\\RYEcEMwk\\wcUoEkIU.exe" Conhost.exe Set value (str) \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DSokYYMU.exe = "C:\\Users\\Admin\\GkccMckM\\DSokYYMU.exe" 2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\lkUEUwoU.exe = "C:\\ProgramData\\vmEIUkIg\\lkUEUwoU.exe" 2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe Set value (str) \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DSokYYMU.exe = "C:\\Users\\Admin\\GkccMckM\\DSokYYMU.exe" DSokYYMU.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cscript.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA cmd.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA cscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cmd.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA cmd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cmd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cmd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cscript.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA cmd.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe Key 
value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA cmd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cmd.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA cmd.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA cscript.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA cscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cmd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cmd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cmd.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA cmd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA cscript.exe Key value queried 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA cmd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe -
Drops file in System32 directory 1 IoCs
description ioc Process File created C:\Windows\SysWOW64\shell32.dll.exe DSokYYMU.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
pid pid_target Process procid_target 4864 3868 WerFault.exe 661 3032 4540 WerFault.exe 660 -
Modifies registry key 1 TTPs 64 IoCs
pid Process 960 reg.exe 5064 reg.exe 4276 reg.exe 180 reg.exe 4508 reg.exe 3100 reg.exe 2140 reg.exe 3728 reg.exe 3436 reg.exe 544 reg.exe 2268 reg.exe 3588 reg.exe 3988 reg.exe 1456 reg.exe 3044 reg.exe 1652 reg.exe 864 reg.exe 3108 reg.exe 4632 reg.exe 2604 reg.exe 1896 reg.exe 3564 reg.exe 3224 reg.exe 232 reg.exe 3520 reg.exe 3048 reg.exe 4528 reg.exe 556 reg.exe 4928 reg.exe 4040 reg.exe 1332 reg.exe 3324 reg.exe 2272 reg.exe 1048 reg.exe 4688 reg.exe 1824 reg.exe 764 reg.exe 1260 reg.exe 1712 reg.exe 2892 reg.exe 2008 reg.exe 3572 reg.exe 556 reg.exe 2892 reg.exe 1192 reg.exe 3584 reg.exe 4744 reg.exe 448 reg.exe 1616 reg.exe 4620 reg.exe 3888 reg.exe 1840 reg.exe 2648 reg.exe 1484 reg.exe 3888 reg.exe 1048 reg.exe 648 reg.exe 4980 reg.exe 3436 reg.exe 1172 reg.exe 4572 reg.exe 4820 reg.exe 2008 reg.exe 2268 reg.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 940 2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe 940 2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe 940 2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe 940 2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe 2284 2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe 2284 2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe 2284 2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe 2284 2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe 1728 2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe 1728 2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe 1728 2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe 1728 2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe 2636 2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe 2636 2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe 2636 2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe 2636 2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe 1440 2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe 1440 2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe 1440 2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe 1440 2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe 4984 2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe 4984 2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe 4984 2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe 4984 2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe 1332 2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe 1332 2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe 1332 2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe 1332 2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe 3448 2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe 3448 2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe 3448 2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe 3448 2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe 4660 
2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe 4660 2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe 4660 2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe 4660 2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe 3224 2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe 3224 2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe 3224 2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe 3224 2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe 3876 2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe 3876 2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe 3876 2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe 3876 2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe 2120 2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe 2120 2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe 2120 2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe 2120 2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe 3228 2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe 3228 2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe 3228 2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe 3228 2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe 3732 2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe 3732 2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe 3732 2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe 3732 2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe 3824 2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe 3824 2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe 3824 2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe 3824 2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe 2908 2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe 2908 2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe 2908 2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe 2908 2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 1200 DSokYYMU.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 1200 DSokYYMU.exe 1200 DSokYYMU.exe 1200 DSokYYMU.exe 1200 DSokYYMU.exe 1200 DSokYYMU.exe 1200 DSokYYMU.exe 1200 DSokYYMU.exe 1200 DSokYYMU.exe 1200 DSokYYMU.exe 1200 DSokYYMU.exe 1200 DSokYYMU.exe 1200 DSokYYMU.exe 1200 DSokYYMU.exe 1200 DSokYYMU.exe 1200 DSokYYMU.exe 1200 DSokYYMU.exe 1200 DSokYYMU.exe 1200 DSokYYMU.exe 1200 DSokYYMU.exe 1200 DSokYYMU.exe 1200 DSokYYMU.exe 1200 DSokYYMU.exe 1200 DSokYYMU.exe 1200 DSokYYMU.exe 1200 DSokYYMU.exe 1200 DSokYYMU.exe 1200 DSokYYMU.exe 1200 DSokYYMU.exe 1200 DSokYYMU.exe 1200 DSokYYMU.exe 1200 DSokYYMU.exe 1200 DSokYYMU.exe 1200 DSokYYMU.exe 1200 DSokYYMU.exe 1200 DSokYYMU.exe 1200 DSokYYMU.exe 1200 DSokYYMU.exe 1200 DSokYYMU.exe 1200 DSokYYMU.exe 1200 DSokYYMU.exe 1200 DSokYYMU.exe 1200 DSokYYMU.exe 1200 DSokYYMU.exe 1200 DSokYYMU.exe 1200 DSokYYMU.exe 1200 DSokYYMU.exe 1200 DSokYYMU.exe 1200 DSokYYMU.exe 1200 DSokYYMU.exe 1200 DSokYYMU.exe 1200 DSokYYMU.exe 1200 DSokYYMU.exe 1200 DSokYYMU.exe 1200 DSokYYMU.exe 1200 DSokYYMU.exe 1200 DSokYYMU.exe 1200 DSokYYMU.exe 1200 DSokYYMU.exe 1200 DSokYYMU.exe 1200 DSokYYMU.exe 1200 DSokYYMU.exe 1200 DSokYYMU.exe 1200 DSokYYMU.exe 1200 DSokYYMU.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 940 wrote to memory of 1200 940 2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe 86 PID 940 wrote to memory of 1200 940 2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe 86 PID 940 wrote to memory of 1200 940 2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe 86 PID 940 wrote to memory of 1968 940 2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe 87 PID 940 wrote to memory of 1968 940 2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe 87 PID 940 wrote to memory of 1968 940 2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe 87 PID 940 wrote to memory of 4740 940 2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe 88 PID 940 wrote to memory of 4740 940 2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe 88 PID 940 wrote to memory of 4740 940 2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe 88 PID 940 wrote to memory of 376 940 2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe 90 PID 940 wrote to memory of 376 940 2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe 90 PID 940 wrote to memory of 376 940 2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe 90 PID 940 wrote to memory of 3048 940 2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe 91 PID 940 wrote to memory of 3048 940 2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe 91 PID 940 wrote to memory of 3048 940 2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe 91 PID 940 wrote to memory of 648 940 2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe 92 PID 940 wrote to memory of 648 940 2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe 92 PID 940 wrote to memory of 648 940 2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe 92 PID 940 wrote to memory of 3184 940 2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe 93 PID 940 wrote to memory of 3184 940 2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe 93 PID 940 wrote to memory of 3184 940 
2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe 93 PID 4740 wrote to memory of 2284 4740 cmd.exe 98 PID 4740 wrote to memory of 2284 4740 cmd.exe 98 PID 4740 wrote to memory of 2284 4740 cmd.exe 98 PID 3184 wrote to memory of 5060 3184 cmd.exe 99 PID 3184 wrote to memory of 5060 3184 cmd.exe 99 PID 3184 wrote to memory of 5060 3184 cmd.exe 99 PID 2284 wrote to memory of 3152 2284 2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe 100 PID 2284 wrote to memory of 3152 2284 2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe 100 PID 2284 wrote to memory of 3152 2284 2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe 100 PID 2284 wrote to memory of 3900 2284 2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe 102 PID 2284 wrote to memory of 3900 2284 2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe 102 PID 2284 wrote to memory of 3900 2284 2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe 102 PID 2284 wrote to memory of 1196 2284 2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe 104 PID 2284 wrote to memory of 1196 2284 2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe 104 PID 2284 wrote to memory of 1196 2284 2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe 104 PID 2284 wrote to memory of 2512 2284 2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe 103 PID 2284 wrote to memory of 2512 2284 2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe 103 PID 2284 wrote to memory of 2512 2284 2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe 103 PID 2284 wrote to memory of 5116 2284 2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe 105 PID 2284 wrote to memory of 5116 2284 2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe 105 PID 2284 wrote to memory of 5116 2284 2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe 105 PID 3152 wrote to memory of 1728 3152 cmd.exe 110 PID 3152 wrote to memory of 1728 3152 cmd.exe 110 PID 3152 wrote to memory of 1728 3152 cmd.exe 110 PID 5116 wrote to memory 
of 5004 5116 cmd.exe 111 PID 5116 wrote to memory of 5004 5116 cmd.exe 111 PID 5116 wrote to memory of 5004 5116 cmd.exe 111 PID 1728 wrote to memory of 2844 1728 2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe 113 PID 1728 wrote to memory of 2844 1728 2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe 113 PID 1728 wrote to memory of 2844 1728 2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe 113 PID 2844 wrote to memory of 2636 2844 cmd.exe 115 PID 2844 wrote to memory of 2636 2844 cmd.exe 115 PID 2844 wrote to memory of 2636 2844 cmd.exe 115 PID 1728 wrote to memory of 3572 1728 2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe 122 PID 1728 wrote to memory of 3572 1728 2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe 122 PID 1728 wrote to memory of 3572 1728 2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe 122 PID 1728 wrote to memory of 1616 1728 2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe 121 PID 1728 wrote to memory of 1616 1728 2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe 121 PID 1728 wrote to memory of 1616 1728 2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe 121 PID 1728 wrote to memory of 4632 1728 2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe 120 PID 1728 wrote to memory of 4632 1728 2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe 120 PID 1728 wrote to memory of 4632 1728 2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe 120 PID 1728 wrote to memory of 3556 1728 2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe 116 -
System policy modification 1 TTPs 36 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System cmd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System 2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cmd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System cmd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cscript.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System cmd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System cmd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System 2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cmd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System 2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System cscript.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System cmd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cscript.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System 2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe Set value (int) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cscript.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System cmd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cmd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cmd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System 2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System cscript.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System 2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cmd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cmd.exe Key 
created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System cscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cmd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System 2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System cscript.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System cmd.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe"C:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exe"1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:940 -
C:\Users\Admin\GkccMckM\DSokYYMU.exe"C:\Users\Admin\GkccMckM\DSokYYMU.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:1200
-
-
C:\ProgramData\vmEIUkIg\lkUEUwoU.exe"C:\ProgramData\vmEIUkIg\lkUEUwoU.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1968
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock"2⤵
- Suspicious use of WriteProcessMemory
PID:4740 -
C:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2284 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock"4⤵
- Suspicious use of WriteProcessMemory
PID:3152 -
C:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1728 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock"6⤵
- Suspicious use of WriteProcessMemory
PID:2844 -
C:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock7⤵
- Suspicious behavior: EnumeratesProcesses
PID:2636 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock"8⤵PID:3868
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock9⤵
- Suspicious behavior: EnumeratesProcesses
PID:1440 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock"10⤵PID:2588
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock11⤵
- Suspicious behavior: EnumeratesProcesses
PID:4984 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock"12⤵PID:1652
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock13⤵
- Suspicious behavior: EnumeratesProcesses
PID:1332 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock"14⤵PID:748
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock15⤵
- Suspicious behavior: EnumeratesProcesses
PID:3448 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock"16⤵PID:3632
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock17⤵
- Suspicious behavior: EnumeratesProcesses
PID:4660 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock"18⤵PID:1828
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock19⤵
- Suspicious behavior: EnumeratesProcesses
PID:3224 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock"20⤵PID:3816
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock21⤵
- Suspicious behavior: EnumeratesProcesses
PID:3876 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock"22⤵PID:3092
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock23⤵
- Suspicious behavior: EnumeratesProcesses
PID:2120 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock"24⤵PID:864
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock25⤵
- Suspicious behavior: EnumeratesProcesses
PID:3228 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock"26⤵PID:1720
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock27⤵
- Suspicious behavior: EnumeratesProcesses
PID:3732 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock"28⤵PID:2196
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock29⤵
- Suspicious behavior: EnumeratesProcesses
PID:3824 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock"30⤵PID:3452
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock31⤵
- Suspicious behavior: EnumeratesProcesses
PID:2908 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock"32⤵PID:648
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock33⤵PID:4984
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock"34⤵PID:3948
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock35⤵PID:748
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock"36⤵PID:4940
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock37⤵PID:2396
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock"38⤵PID:3584
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock39⤵PID:1876
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock"40⤵PID:3944
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock41⤵PID:4496
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock"42⤵PID:1560
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock43⤵PID:2388
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock"44⤵PID:4428
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock45⤵PID:3480
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock"46⤵PID:3556
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock47⤵PID:2440
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock"48⤵PID:1848
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock49⤵PID:4040
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock"50⤵PID:1260
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock51⤵PID:2260
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock"52⤵PID:3944
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock53⤵PID:3876
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock"54⤵PID:3216
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock55⤵PID:4668
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock"56⤵
- Modifies visibility of file extensions in Explorer
PID:4540 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV157⤵PID:2064
-
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock57⤵PID:4372
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock"58⤵PID:4464
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock59⤵PID:1752
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock"60⤵PID:1444
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock61⤵PID:1652
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock"62⤵PID:4380
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock63⤵PID:3896
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock"64⤵PID:1232
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock65⤵
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
PID:4548 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock"66⤵PID:3600
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock67⤵PID:1972
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock"68⤵PID:3024
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock69⤵PID:3768
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock"70⤵PID:1308
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock71⤵PID:3868
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock"72⤵
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
PID:3516 -
C:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock73⤵PID:4820
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock"74⤵PID:4528
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock75⤵PID:1508
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock"76⤵PID:2120
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock77⤵PID:1220
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock"78⤵PID:1668
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock79⤵PID:1692
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock"80⤵PID:3152
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock81⤵PID:4112
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock"82⤵PID:4580
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV183⤵PID:224
-
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock83⤵
- Modifies visibility of file extensions in Explorer
PID:3960 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock"84⤵PID:3588
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock85⤵PID:2224
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock"86⤵PID:5036
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock87⤵PID:3988
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock"88⤵PID:4620
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock89⤵PID:1484
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock"90⤵PID:4112
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock91⤵PID:3480
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock"92⤵PID:2760
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock93⤵PID:2764
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock"94⤵PID:2120
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock95⤵PID:2924
-
C:\Users\Admin\QCsAccYM\aoAoYYgI.exe"C:\Users\Admin\QCsAccYM\aoAoYYgI.exe"96⤵PID:4540
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4540 -s 22497⤵
- Program crash
PID:3032
-
-
-
C:\ProgramData\RYEcEMwk\wcUoEkIU.exe"C:\ProgramData\RYEcEMwk\wcUoEkIU.exe"96⤵PID:3868
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3868 -s 22497⤵
- Program crash
PID:4864
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock"96⤵PID:2576
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock97⤵PID:2260
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock"98⤵PID:1652
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock99⤵PID:5016
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock"100⤵PID:4900
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock101⤵PID:1308
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock"102⤵PID:3148
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1103⤵PID:3944
-
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock103⤵PID:1876
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock"104⤵PID:2364
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock105⤵
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
PID:2044 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock"106⤵PID:2304
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock107⤵PID:3520
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock"108⤵PID:440
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock109⤵PID:4128
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock"110⤵PID:1824
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock111⤵PID:2064
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock"112⤵PID:228
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock113⤵PID:3132
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock"114⤵PID:3896
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock115⤵PID:2876
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock"116⤵PID:4536
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock117⤵PID:1308
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock"118⤵PID:3960
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock119⤵PID:2688
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock"120⤵PID:4588
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1121⤵PID:3744
-
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock121⤵PID:2488
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_4550fd554fda3dfc3c2a20bbd99af1de_virlock"122⤵PID:5036