Analysis
max time kernel: 150s
max time network: 94s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
submitted: 03/04/2024, 11:40
Behavioral task: behavioral1
Sample: 2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: 2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe
Resource: win10v2004-20240226-en
General
Target: 2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe
Size: 149KB
MD5: abac5eabd200797739a3103b2f2d6655
SHA1: 4a2cd5715a93c82e71af0494d80690b51a8d1edb
SHA256: 0a948418020958101baed862d3f0f1d1db28567cc58a8b0b9a40d689aeb15e8f
SHA512: 218b9f502e315bde2806f4f1cc303652c1105669322a39a9f533426022bdf46d7b08e5102a71f1b0b1d8ed52ceb966458574d186939b378426ef14d81eff8c07
SSDEEP: 3072:JR2x2NfpfMeMyfWhPKnuXd/i3MJ9CLLBuWpMQQf2pcofer9mvK+:rKuo9hK8S3npT7Rfsmy
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = 
"1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value 
(int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) 
\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) 
\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) 
\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe -
Renames multiple (87) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
UPX dump on OEP (original entry point) 64 IoCs
resource  yara_rule
behavioral2/memory/2200-0-0x0000000000400000-0x0000000000436000-memory.dmp  UPX
behavioral2/memory/2200-19-0x0000000000400000-0x0000000000436000-memory.dmp  UPX
behavioral2/memory/3868-20-0x0000000000400000-0x0000000000436000-memory.dmp  UPX
behavioral2/memory/3868-34-0x0000000000400000-0x0000000000436000-memory.dmp  UPX
behavioral2/memory/3484-31-0x0000000000400000-0x0000000000436000-memory.dmp  UPX
behavioral2/memory/228-42-0x0000000000400000-0x0000000000436000-memory.dmp  UPX
behavioral2/memory/3484-46-0x0000000000400000-0x0000000000436000-memory.dmp  UPX
behavioral2/memory/228-57-0x0000000000400000-0x0000000000436000-memory.dmp  UPX
behavioral2/memory/3564-70-0x0000000000400000-0x0000000000436000-memory.dmp  UPX
behavioral2/memory/220-71-0x0000000000400000-0x0000000000436000-memory.dmp  UPX
behavioral2/memory/4028-79-0x0000000000400000-0x0000000000436000-memory.dmp  UPX
behavioral2/memory/220-83-0x0000000000400000-0x0000000000436000-memory.dmp  UPX
behavioral2/memory/3172-91-0x0000000000400000-0x0000000000436000-memory.dmp  UPX
behavioral2/memory/4028-95-0x0000000000400000-0x0000000000436000-memory.dmp  UPX
behavioral2/memory/3172-106-0x0000000000400000-0x0000000000436000-memory.dmp  UPX
behavioral2/memory/2752-116-0x0000000000400000-0x0000000000436000-memory.dmp  UPX
behavioral2/memory/4564-120-0x0000000000400000-0x0000000000436000-memory.dmp  UPX
behavioral2/memory/2752-131-0x0000000000400000-0x0000000000436000-memory.dmp  UPX
behavioral2/memory/1756-132-0x0000000000400000-0x0000000000436000-memory.dmp  UPX
behavioral2/memory/1448-140-0x0000000000400000-0x0000000000436000-memory.dmp  UPX
behavioral2/memory/1756-144-0x0000000000400000-0x0000000000436000-memory.dmp  UPX
behavioral2/memory/448-152-0x0000000000400000-0x0000000000436000-memory.dmp  UPX
behavioral2/memory/1448-156-0x0000000000400000-0x0000000000436000-memory.dmp  UPX
behavioral2/memory/448-169-0x0000000000400000-0x0000000000436000-memory.dmp  UPX
behavioral2/memory/1104-170-0x0000000000400000-0x0000000000436000-memory.dmp  UPX
behavioral2/memory/1104-181-0x0000000000400000-0x0000000000436000-memory.dmp  UPX
behavioral2/memory/3616-189-0x0000000000400000-0x0000000000436000-memory.dmp  UPX
behavioral2/memory/5016-193-0x0000000000400000-0x0000000000436000-memory.dmp  UPX
behavioral2/memory/3356-204-0x0000000000400000-0x0000000000436000-memory.dmp  UPX
behavioral2/memory/3616-207-0x0000000000400000-0x0000000000436000-memory.dmp  UPX
behavioral2/memory/3356-218-0x0000000000400000-0x0000000000436000-memory.dmp  UPX
behavioral2/memory/4984-219-0x0000000000400000-0x0000000000436000-memory.dmp  UPX
behavioral2/memory/2592-227-0x0000000000400000-0x0000000000436000-memory.dmp  UPX
behavioral2/memory/4984-231-0x0000000000400000-0x0000000000436000-memory.dmp  UPX
behavioral2/memory/4764-239-0x0000000000400000-0x0000000000436000-memory.dmp  UPX
behavioral2/memory/2592-243-0x0000000000400000-0x0000000000436000-memory.dmp  UPX
behavioral2/memory/4764-259-0x0000000000400000-0x0000000000436000-memory.dmp  UPX
behavioral2/memory/2960-256-0x0000000000400000-0x0000000000436000-memory.dmp  UPX
behavioral2/memory/2960-268-0x0000000000400000-0x0000000000436000-memory.dmp  UPX
behavioral2/memory/2720-274-0x0000000000400000-0x0000000000436000-memory.dmp  UPX
behavioral2/memory/2380-277-0x0000000000400000-0x0000000000436000-memory.dmp  UPX
behavioral2/memory/2720-285-0x0000000000400000-0x0000000000436000-memory.dmp  UPX
behavioral2/memory/4068-289-0x0000000000400000-0x0000000000436000-memory.dmp  UPX
behavioral2/memory/4068-296-0x0000000000400000-0x0000000000436000-memory.dmp  UPX
behavioral2/memory/2576-304-0x0000000000400000-0x0000000000436000-memory.dmp  UPX
behavioral2/memory/2844-312-0x0000000000400000-0x0000000000436000-memory.dmp  UPX
behavioral2/memory/1648-313-0x0000000000400000-0x0000000000436000-memory.dmp  UPX
behavioral2/memory/1648-323-0x0000000000400000-0x0000000000436000-memory.dmp  UPX
behavioral2/memory/1448-324-0x0000000000400000-0x0000000000436000-memory.dmp  UPX
behavioral2/memory/2680-329-0x0000000000400000-0x0000000000436000-memory.dmp  UPX
behavioral2/memory/1448-333-0x0000000000400000-0x0000000000436000-memory.dmp  UPX
behavioral2/memory/2480-339-0x0000000000400000-0x0000000000436000-memory.dmp  UPX
behavioral2/memory/2680-342-0x0000000000400000-0x0000000000436000-memory.dmp  UPX
behavioral2/memory/1908-347-0x0000000000400000-0x0000000000436000-memory.dmp  UPX
behavioral2/memory/2480-352-0x0000000000400000-0x0000000000436000-memory.dmp  UPX
behavioral2/memory/1532-358-0x0000000000400000-0x0000000000436000-memory.dmp  UPX
behavioral2/memory/1908-362-0x0000000000400000-0x0000000000436000-memory.dmp  UPX
behavioral2/memory/1612-367-0x0000000000400000-0x0000000000436000-memory.dmp  UPX
behavioral2/memory/1532-371-0x0000000000400000-0x0000000000436000-memory.dmp  UPX
behavioral2/memory/3124-379-0x0000000000400000-0x0000000000436000-memory.dmp  UPX
behavioral2/memory/1612-380-0x0000000000400000-0x0000000000436000-memory.dmp  UPX
behavioral2/memory/3124-390-0x0000000000400000-0x0000000000436000-memory.dmp  UPX
behavioral2/memory/3616-398-0x0000000000400000-0x0000000000436000-memory.dmp  UPX
behavioral2/memory/1440-407-0x0000000000400000-0x0000000000436000-memory.dmp  UPX
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description  ioc  Process
Key value queried  \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation  ToIkAQoI.exe
Executes dropped EXE 2 IoCs
pid  Process
624  ToIkAQoI.exe
4136  uUkkwkgY.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
resource  yara_rule
behavioral2/memory/2200-0-0x0000000000400000-0x0000000000436000-memory.dmp  upx
behavioral2/memory/2200-19-0x0000000000400000-0x0000000000436000-memory.dmp  upx
behavioral2/memory/3868-20-0x0000000000400000-0x0000000000436000-memory.dmp  upx
behavioral2/memory/3868-34-0x0000000000400000-0x0000000000436000-memory.dmp  upx
behavioral2/memory/3484-31-0x0000000000400000-0x0000000000436000-memory.dmp  upx
behavioral2/memory/228-42-0x0000000000400000-0x0000000000436000-memory.dmp  upx
behavioral2/memory/3484-46-0x0000000000400000-0x0000000000436000-memory.dmp  upx
behavioral2/memory/228-57-0x0000000000400000-0x0000000000436000-memory.dmp  upx
behavioral2/memory/3564-70-0x0000000000400000-0x0000000000436000-memory.dmp  upx
behavioral2/memory/220-71-0x0000000000400000-0x0000000000436000-memory.dmp  upx
behavioral2/memory/4028-79-0x0000000000400000-0x0000000000436000-memory.dmp  upx
behavioral2/memory/220-83-0x0000000000400000-0x0000000000436000-memory.dmp  upx
behavioral2/memory/3172-91-0x0000000000400000-0x0000000000436000-memory.dmp  upx
behavioral2/memory/4028-95-0x0000000000400000-0x0000000000436000-memory.dmp  upx
behavioral2/memory/3172-106-0x0000000000400000-0x0000000000436000-memory.dmp  upx
behavioral2/memory/2752-116-0x0000000000400000-0x0000000000436000-memory.dmp  upx
behavioral2/memory/4564-120-0x0000000000400000-0x0000000000436000-memory.dmp  upx
behavioral2/memory/2752-131-0x0000000000400000-0x0000000000436000-memory.dmp  upx
behavioral2/memory/1756-132-0x0000000000400000-0x0000000000436000-memory.dmp  upx
behavioral2/memory/1448-140-0x0000000000400000-0x0000000000436000-memory.dmp  upx
behavioral2/memory/1756-144-0x0000000000400000-0x0000000000436000-memory.dmp  upx
behavioral2/memory/448-152-0x0000000000400000-0x0000000000436000-memory.dmp  upx
behavioral2/memory/1448-156-0x0000000000400000-0x0000000000436000-memory.dmp  upx
behavioral2/memory/448-169-0x0000000000400000-0x0000000000436000-memory.dmp  upx
behavioral2/memory/1104-170-0x0000000000400000-0x0000000000436000-memory.dmp  upx
behavioral2/memory/1104-181-0x0000000000400000-0x0000000000436000-memory.dmp  upx
behavioral2/memory/3616-189-0x0000000000400000-0x0000000000436000-memory.dmp  upx
behavioral2/memory/5016-193-0x0000000000400000-0x0000000000436000-memory.dmp  upx
behavioral2/memory/3356-204-0x0000000000400000-0x0000000000436000-memory.dmp  upx
behavioral2/memory/3616-207-0x0000000000400000-0x0000000000436000-memory.dmp  upx
behavioral2/memory/3356-218-0x0000000000400000-0x0000000000436000-memory.dmp  upx
behavioral2/memory/4984-219-0x0000000000400000-0x0000000000436000-memory.dmp  upx
behavioral2/memory/2592-227-0x0000000000400000-0x0000000000436000-memory.dmp  upx
behavioral2/memory/4984-231-0x0000000000400000-0x0000000000436000-memory.dmp  upx
behavioral2/memory/4764-239-0x0000000000400000-0x0000000000436000-memory.dmp  upx
behavioral2/memory/2592-243-0x0000000000400000-0x0000000000436000-memory.dmp  upx
behavioral2/memory/4764-259-0x0000000000400000-0x0000000000436000-memory.dmp  upx
behavioral2/memory/2960-256-0x0000000000400000-0x0000000000436000-memory.dmp  upx
behavioral2/memory/2960-268-0x0000000000400000-0x0000000000436000-memory.dmp  upx
behavioral2/memory/2720-274-0x0000000000400000-0x0000000000436000-memory.dmp  upx
behavioral2/memory/2380-277-0x0000000000400000-0x0000000000436000-memory.dmp  upx
behavioral2/memory/2720-285-0x0000000000400000-0x0000000000436000-memory.dmp  upx
behavioral2/memory/4068-289-0x0000000000400000-0x0000000000436000-memory.dmp  upx
behavioral2/memory/4068-296-0x0000000000400000-0x0000000000436000-memory.dmp  upx
behavioral2/memory/2576-304-0x0000000000400000-0x0000000000436000-memory.dmp  upx
behavioral2/memory/2844-312-0x0000000000400000-0x0000000000436000-memory.dmp  upx
behavioral2/memory/1648-313-0x0000000000400000-0x0000000000436000-memory.dmp  upx
behavioral2/memory/1648-323-0x0000000000400000-0x0000000000436000-memory.dmp  upx
behavioral2/memory/1448-324-0x0000000000400000-0x0000000000436000-memory.dmp  upx
behavioral2/memory/2680-329-0x0000000000400000-0x0000000000436000-memory.dmp  upx
behavioral2/memory/1448-333-0x0000000000400000-0x0000000000436000-memory.dmp  upx
behavioral2/memory/2480-339-0x0000000000400000-0x0000000000436000-memory.dmp  upx
behavioral2/memory/2680-342-0x0000000000400000-0x0000000000436000-memory.dmp  upx
behavioral2/memory/1908-347-0x0000000000400000-0x0000000000436000-memory.dmp  upx
behavioral2/memory/2480-352-0x0000000000400000-0x0000000000436000-memory.dmp  upx
behavioral2/memory/1532-358-0x0000000000400000-0x0000000000436000-memory.dmp  upx
behavioral2/memory/1908-362-0x0000000000400000-0x0000000000436000-memory.dmp  upx
behavioral2/memory/1612-367-0x0000000000400000-0x0000000000436000-memory.dmp  upx
behavioral2/memory/1532-371-0x0000000000400000-0x0000000000436000-memory.dmp  upx
behavioral2/memory/3124-379-0x0000000000400000-0x0000000000436000-memory.dmp  upx
behavioral2/memory/1612-380-0x0000000000400000-0x0000000000436000-memory.dmp  upx
behavioral2/memory/3124-390-0x0000000000400000-0x0000000000436000-memory.dmp  upx
behavioral2/memory/3616-398-0x0000000000400000-0x0000000000436000-memory.dmp  upx
behavioral2/memory/1440-407-0x0000000000400000-0x0000000000436000-memory.dmp  upx
Adds Run key to start application 2 TTPs 4 IoCs
description  ioc  Process
Set value (str)  \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ToIkAQoI.exe = "C:\\Users\\Admin\\fwIIgsko\\ToIkAQoI.exe"  ToIkAQoI.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\uUkkwkgY.exe = "C:\\ProgramData\\pCAwYssQ\\uUkkwkgY.exe"  uUkkwkgY.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ToIkAQoI.exe = "C:\\Users\\Admin\\fwIIgsko\\ToIkAQoI.exe"  2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\uUkkwkgY.exe = "C:\\ProgramData\\pCAwYssQ\\uUkkwkgY.exe"  2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe
Drops file in System32 directory 1 IoCs
description  ioc  Process
File created  C:\Windows\SysWOW64\shell32.dll.exe  ToIkAQoI.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Modifies registry key 1 TTPs 64 IoCs
pid  Process
1888  reg.exe
3240  reg.exe
2420  reg.exe
3368  reg.exe
3148  reg.exe
4720  reg.exe
748  reg.exe
1540  reg.exe
3744  reg.exe
3568  reg.exe
5040  Process not Found
4476  reg.exe
2420  reg.exe
2344  reg.exe
184  reg.exe
3752  Process not Found
3368  reg.exe
4372  reg.exe
1032  reg.exe
2232  reg.exe
4420  reg.exe
2392  reg.exe
4496  Process not Found
3312  reg.exe
244  reg.exe
4860  Process not Found
3296  reg.exe
3892  reg.exe
3892  reg.exe
1348  reg.exe
4920  reg.exe
4132  reg.exe
2932  reg.exe
4364  reg.exe
1036  reg.exe
640  reg.exe
2360  reg.exe
3048  reg.exe
4240  Process not Found
2980  reg.exe
3480  reg.exe
2664  reg.exe
2720  reg.exe
3280  reg.exe
4936  reg.exe
2084  Process not Found
5036  reg.exe
2876  reg.exe
3288  reg.exe
4348  reg.exe
3392  reg.exe
4476  reg.exe
4392  reg.exe
2272  reg.exe
4348  reg.exe
4200  reg.exe
2628  reg.exe
3148  reg.exe
4600  reg.exe
1756  reg.exe
2084  reg.exe
320  reg.exe
1052  reg.exe
3172  reg.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
- PID 624: ToIkAQoI.exe
Suspicious use of FindShellTrayWindow 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
Level 1, PID 2200: C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe"
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory

Level 2, PID 624: C:\Users\Admin\fwIIgsko\ToIkAQoI.exe
Command line: "C:\Users\Admin\fwIIgsko\ToIkAQoI.exe"
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow

Level 2, PID 4136: C:\ProgramData\pCAwYssQ\uUkkwkgY.exe
Command line: "C:\ProgramData\pCAwYssQ\uUkkwkgY.exe"
- Executes dropped EXE
- Adds Run key to start application

Level 2, PID 4460: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"
- Suspicious use of WriteProcessMemory

Level 3, PID 3868: C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe
Command line: C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory

Level 4, PID 2696: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"
- Suspicious use of WriteProcessMemory

Level 5, PID 3484: C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe
Command line: C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory

Level 6, PID 2380: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"
- Suspicious use of WriteProcessMemory

Level 7, PID 228: C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe
Command line: C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock
- Suspicious behavior: EnumeratesProcesses

Level 8, PID 1584: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

Level 9, PID 3564: C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe
Command line: C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock
- Suspicious behavior: EnumeratesProcesses

Level 10, PID 3788: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

Level 11, PID 220: C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe
Command line: C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock
- Suspicious behavior: EnumeratesProcesses

Level 12, PID 1356: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

Level 13, PID 4028: C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe
Command line: C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock
- Suspicious behavior: EnumeratesProcesses

Level 14, PID 2096: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

Level 15, PID 3172: C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe
Command line: C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock
- Suspicious behavior: EnumeratesProcesses

Level 16, PID 4872: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

Level 17, PID 4564: C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe
Command line: C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock
- Suspicious behavior: EnumeratesProcesses

Level 18, PID 1684: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

Level 19, PID 2752: C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe
Command line: C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock
- Suspicious behavior: EnumeratesProcesses

Level 20, PID 5060: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

Level 21, PID 1756: C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe
Command line: C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock
- Suspicious behavior: EnumeratesProcesses

Level 22, PID 3288: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

Level 23, PID 1448: C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe
Command line: C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock
- Suspicious behavior: EnumeratesProcesses

Level 24, PID 4692: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

Level 25, PID 448: C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe
Command line: C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock
- Suspicious behavior: EnumeratesProcesses

Level 26, PID 2028: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

Level 27, PID 1104: C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe
Command line: C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock
- Suspicious behavior: EnumeratesProcesses

Level 28, PID 3024: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

Level 29, PID 5016: C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe
Command line: C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock
- Suspicious behavior: EnumeratesProcesses

Level 30, PID 1800: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

Level 31, PID 3616: C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe
Command line: C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock
- Suspicious behavior: EnumeratesProcesses

Level 32, PID 3552: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

Level 33, PID 3356: C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe
Command line: C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

Level 34, PID 1784: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

Level 35, PID 4984: C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe
Command line: C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

Level 36, PID 2504: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

Level 37, PID 2592: C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe
Command line: C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

Level 38, PID 2696: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

Level 39, PID 4764: C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe
Command line: C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

Level 40, PID 3696: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

Level 41, PID 2960: C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe
Command line: C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

Level 42, PID 4712: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

Level 43, PID 2380: C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe
Command line: C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

Level 44, PID 3048: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

Level 45, PID 2720: C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe
Command line: C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

Level 46, PID 1868: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

Level 47, PID 4068: C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe
Command line: C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

Level 48, PID 3280: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

Level 49, PID 2576: C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe
Command line: C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

Level 50, PID 4364: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

Level 51, PID 2844: C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe
Command line: C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

Level 52, PID 5048: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

Level 53, PID 1648: C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe
Command line: C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

Level 54, PID 116: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

Level 55, PID 1448: C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe
Command line: C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

Level 56, PID 4020: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

Level 57, PID 2680: C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe
Command line: C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

Level 58, PID 4704: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

Level 59, PID 2480: C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe
Command line: C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

Level 60, PID 4876: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

Level 61, PID 1908: C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe
Command line: C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

Level 62, PID 1952: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

Level 63, PID 1532: C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe
Command line: C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

Level 64, PID 4080: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

Level 65, PID 1612: C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe
Command line: C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

Level 66, PID 4068: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

Level 67, PID 3124: C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe
Command line: C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

Level 68, PID 4064: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

Level 69, PID 3616: C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe
Command line: C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

Level 70, PID 3752: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

Level 71, PID 1440: C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe
Command line: C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

Level 72, PID 3852: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

Level 73, PID 1580: C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe
Command line: C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

Level 74, PID 1896: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

Level 75, PID 4972: C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe
Command line: C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

Level 76, PID 3984: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

Level 77, PID 2144: C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe
Command line: C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

Level 78, PID 2720: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

Level 79, PID 2724: C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe
Command line: C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

Level 80, PID 5084: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

Level 81, PID 3376: C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe
Command line: C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

Level 82, PID 4020: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

Level 83, PID 400: C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe
Command line: C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

Level 84, PID 3668: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

Level 85, PID 2980: C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe
Command line: C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

Level 86, PID 3592: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

Level 87, PID 896: C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe
Command line: C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

Level 88, PID 2300: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

Level 89, PID 3296: C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe
Command line: C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

Level 90, PID 4068: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

Level 91, PID 3992: C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe
Command line: C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

Level 92, PID 748: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

Level 93, PID 4240: C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe
Command line: C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

Level 94, PID 5048: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

Level 95, PID 5068: C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe
Command line: C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

Level 96, PID 4472: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

Level 97, PID 2480: C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe
Command line: C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

Level 98, PID 2172: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

Level 99, PID 1764: C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe
Command line: C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

Level 100, PID 3668: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

Level 101, PID 2360: C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe
Command line: C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

Level 102, PID 1988: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

Level 103, PID 2084: C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe
Command line: C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

Level 104, PID 100: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

Level 105, PID 1152: C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe
Command line: C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

Level 106, PID 1580: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

Level 107, PID 5012: C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe
Command line: C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

Level 108, PID 3876: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

Level 109, PID 3760: C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe
Command line: C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

Level 110, PID 1592: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

Level 111, PID 2232: C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe
Command line: C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

Level 112, PID 3552: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

Level 113, PID 1440: C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe
Command line: C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

Level 114, PID 2548: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

Level 115, PID 4988: C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe
Command line: C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

Level 116, PID 3080: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

Level 117, PID 4564: C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe
Command line: C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

Level 118, PID 4132: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

Level 119, PID 4664: C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe
Command line: C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

Level 120, PID 912: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"

Level 121, PID 3892: C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock.exe
Command line: C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock

Level 122, PID 2912: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_abac5eabd200797739a3103b2f2d6655_virlock"