Analysis
max time kernel: 150s
max time network: 101s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03/04/2024, 11:41
Behavioral task: behavioral1
Sample: 2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: 2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe
Resource: win10v2004-20240226-en
General
Target: 2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe
Size: 163KB
MD5: c1aeba6369a3615061f44778021f6b42
SHA1: d5e40b2f91be6e95891a6f3e111f6a00f448de27
SHA256: 357908d9f3abf01fcc8d4d3527483d5b9993cd1f70d7af2897ed313f05a39d97
SHA512: 9e4bb49a5230ad624b9224b1f17e4da18345a9c7fece9299035986fc453b7f61c83d2a72486a8f7b674a14575107cf6d661f28709f9aef0450199c2cc3b8edd3
SSDEEP: 3072:YHgTPOOwUJRymLMT+2eVyY1+ly6MkCSU2jgPqS01LpTLAwqsonnqBKLtYMlDJ+:YHgCfn7js6Zjg+Qfe0
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 64 IoCs)
Renames multiple (71) files with added filename extension
This suggests ransomware activity (encrypting all the files on the system).
UPX dump on OEP (original entry point) (64 IoCs)
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely for geofencing.
Key value queried: \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation (process: tuQwMQEc.exe)
Executes dropped EXE (2 IoCs)
PID 2780: tuQwMQEc.exe
PID 968: TaUMEoYA.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials and similar secrets.
Adds Run key to start application (2 TTPs, 4 IoCs)
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tuQwMQEc.exe = "C:\\Users\\Admin\\nCQMUYcc\\tuQwMQEc.exe" (process: tuQwMQEc.exe)
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\TaUMEoYA.exe = "C:\\ProgramData\\nMUsYoQw\\TaUMEoYA.exe" (process: TaUMEoYA.exe)
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tuQwMQEc.exe = "C:\\Users\\Admin\\nCQMUYcc\\tuQwMQEc.exe" (process: 2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe)
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\TaUMEoYA.exe = "C:\\ProgramData\\nMUsYoQw\\TaUMEoYA.exe" (process: 2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe)
Drops file in System32 directory (2 IoCs)
File created: C:\Windows\SysWOW64\shell32.dll.exe (process: tuQwMQEc.exe)
File opened for modification: C:\Windows\SysWOW64\shell32.dll.exe (process: tuQwMQEc.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Modifies registry key (1 TTP, 64 IoCs)
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2780 tuQwMQEc.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe"C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe"1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4456 -
C:\Users\Admin\nCQMUYcc\tuQwMQEc.exe"C:\Users\Admin\nCQMUYcc\tuQwMQEc.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:2780
-
-
C:\ProgramData\nMUsYoQw\TaUMEoYA.exe"C:\ProgramData\nMUsYoQw\TaUMEoYA.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:968
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"2⤵
- Suspicious use of WriteProcessMemory
PID:880 -
C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3228 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"4⤵
- Suspicious use of WriteProcessMemory
PID:2292 -
C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3976 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"6⤵
- Suspicious use of WriteProcessMemory
PID:2136 -
C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock7⤵
- Suspicious behavior: EnumeratesProcesses
PID:1964 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"8⤵PID:4220
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock9⤵
- Suspicious behavior: EnumeratesProcesses
PID:4164 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"10⤵PID:2728
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock11⤵
- Suspicious behavior: EnumeratesProcesses
PID:8 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"12⤵PID:1124
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock13⤵
- Suspicious behavior: EnumeratesProcesses
PID:748 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"14⤵PID:3020
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock15⤵
- Suspicious behavior: EnumeratesProcesses
PID:4772 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"16⤵PID:3516
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock17⤵
- Suspicious behavior: EnumeratesProcesses
PID:1556 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"18⤵PID:1760
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock19⤵
- Suspicious behavior: EnumeratesProcesses
PID:4924 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"20⤵PID:1696
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock21⤵
- Suspicious behavior: EnumeratesProcesses
PID:3352 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"22⤵PID:880
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock23⤵
- Suspicious behavior: EnumeratesProcesses
PID:4196 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"24⤵PID:5092
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock25⤵
- Suspicious behavior: EnumeratesProcesses
PID:2540 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"26⤵PID:3444
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock27⤵
- Suspicious behavior: EnumeratesProcesses
PID:1876 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"28⤵PID:4220
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock29⤵
- Suspicious behavior: EnumeratesProcesses
PID:4260 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"30⤵PID:4428
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock31⤵
- Suspicious behavior: EnumeratesProcesses
PID:4540 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"32⤵PID:2288
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock33⤵PID:2256
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"34⤵PID:2484
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock35⤵PID:4460
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"36⤵PID:4436
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock37⤵PID:4316
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"38⤵PID:5080
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock39⤵PID:632
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"40⤵PID:2856
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock41⤵PID:4852
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"42⤵PID:2308
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock43⤵PID:3712
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"44⤵PID:1760
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock45⤵PID:4148
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"46⤵PID:3444
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock47⤵PID:3280
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"48⤵PID:912
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock49⤵PID:4484
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"50⤵PID:4328
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock51⤵PID:2428
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"52⤵PID:3532
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock53⤵PID:512
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"54⤵PID:4416
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock55⤵PID:1796
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"56⤵PID:3444
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock57⤵PID:3148
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"58⤵PID:1248
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock59⤵PID:3952
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"60⤵PID:3352
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock61⤵PID:5064
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"62⤵PID:1816
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock63⤵PID:1696
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"64⤵PID:632
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock65⤵PID:4044
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"66⤵PID:3396
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock67⤵PID:3148
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"68⤵PID:4780
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock69⤵PID:4520
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"70⤵PID:1372
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock71⤵PID:3176
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"72⤵PID:548
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock73⤵PID:436
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"74⤵PID:1388
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock75⤵PID:2936
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"76⤵PID:3396
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock77⤵PID:872
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"78⤵PID:4828
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock79⤵PID:4660
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"80⤵PID:4556
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock81⤵PID:5076
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"82⤵PID:4836
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock83⤵PID:1388
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"84⤵PID:3316
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock85⤵PID:4564
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"86⤵PID:4588
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock87⤵PID:3516
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"88⤵PID:5004
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock89⤵PID:2808
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"90⤵PID:2904
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock91⤵PID:3336
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"92⤵PID:912
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock93⤵PID:2108
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"94⤵PID:5056
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock95⤵PID:224
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"96⤵PID:4220
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock97⤵PID:4980
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"98⤵PID:3724
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock99⤵PID:4924
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"100⤵PID:4196
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock101⤵PID:4944
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"102⤵PID:1816
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock103⤵PID:1604
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"104⤵PID:4680
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock105⤵PID:4516
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"106⤵PID:3176
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock107⤵PID:2884
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"108⤵PID:912
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock109⤵PID:4440
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"110⤵PID:1316
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock111⤵PID:1372
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"112⤵PID:1408
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock113⤵PID:4220
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"114⤵PID:4396
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock115⤵PID:5072
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"116⤵PID:3016
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock117⤵PID:3724
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"118⤵PID:212
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock119⤵PID:4424
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"120⤵PID:4060
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock121⤵PID:3412
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"122⤵PID:208