Analysis
max time kernel: 150s
max time network: 128s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24/08/2024, 11:10
Static task: static1
Behavioral task: behavioral1
  Sample: 20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
  Resource: win7-20240705-en
Behavioral task: behavioral2
  Sample: 20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
  Resource: win10v2004-20240802-en
General
Target: 20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
Size: 195KB
MD5: a12fdb18d3868a6b3c58d2fdd11bc5ce
SHA1: f3d90972b72c95b438a9ceb08717e63ffb4617d1
SHA256: de0e001e8d17580cf7cc10b8b46abb574623077871384cbc3744bf02bfeb4bcc
SHA512: eea56efcde21887c39fcf7efeb6146bbb8a65e190682eec3eb9098896780a85260ca0f9fd9bc220eccd2534838238dce8003acf95d3121ac2af8f44445facd37
SSDEEP: 3072:/y3uVDAnoRMxAxDR896OEUD/gqyfwkS2flMVlbBgyWvq7l2aDvu2TlQC81yXX8:/e3wK/T4bnflCgyeAl2aKK81cM
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs
Distinct entries (the 64 recorded IoCs repeat these):
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | reg.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | Process not Found
Sets EnableLUA to 0 (disables User Account Control)
Distinct entries (the recorded IoCs repeat these):
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Process not Found
Renames multiple (80) files with added filename extension
This suggests ransomware activity: encrypting the files on the system and appending an extension to each.
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation | lqEkcQUI.exe
Executes dropped EXE 2 IoCs
pid | Process
3836 | lqEkcQUI.exe
4656 | YOAAUEMw.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\YOAAUEMw.exe = "C:\\ProgramData\\xocMEAsQ\\YOAAUEMw.exe" | 20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lqEkcQUI.exe = "C:\\Users\\Admin\\mGAAkMAM\\lqEkcQUI.exe" | lqEkcQUI.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\YOAAUEMw.exe = "C:\\ProgramData\\xocMEAsQ\\YOAAUEMw.exe" | YOAAUEMw.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lqEkcQUI.exe = "C:\\Users\\Admin\\mGAAkMAM\\lqEkcQUI.exe" | 20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Distinct entries (the 64 recorded IoCs repeat these):
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cscript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Modifies registry key 1 TTPs 64 IoCs
pid | Process
912, 4528, 4304, 1448, 4576, 2700, 4032, 3144, 1792, 1944, 4972, 4444, 2700, 1572, 1108, 4756, 464, 2216, 3540, 3788, 1600, 1416, 2384, 1020, 452, 1812, 4900, 3488, 4788, 1416, 1080, 2436, 4352, 1376, 4484, 4016, 3144, 4296, 456, 1864, 2132, 812, 3568, 2396, 2196, 4584, 3540, 2732, 1760, 1960 | reg.exe
4644, 3900, 3116, 1400, 4540, 3472, 1604, 996, 1608, 4956, 3516, 1864, 2392, 5080 | Process not Found
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
3052, 1576, 1540, 704, 3972, 3444, 1604, 440, 3320, 1612, 3092, 4888, 1192, 4084, 2788, 4324 (each recorded four times) | 20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
3836 | lqEkcQUI.exe
Suspicious use of FindShellTrayWindow 64 IoCs
pid | Process
3836 (recorded 64 times) | lqEkcQUI.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe"C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exe"1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3052 -
C:\Users\Admin\mGAAkMAM\lqEkcQUI.exe"C:\Users\Admin\mGAAkMAM\lqEkcQUI.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:3836
-
-
C:\ProgramData\xocMEAsQ\YOAAUEMw.exe"C:\ProgramData\xocMEAsQ\YOAAUEMw.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4656
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"2⤵
- Suspicious use of WriteProcessMemory
PID:1912 -
C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exeC:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1576 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"4⤵
- Suspicious use of WriteProcessMemory
PID:4956 -
C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exeC:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock5⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1540 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"6⤵
- Suspicious use of WriteProcessMemory
PID:2852 -
C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exeC:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock7⤵
- Suspicious behavior: EnumeratesProcesses
PID:704 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"8⤵PID:2476
-
C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exeC:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock9⤵
- Suspicious behavior: EnumeratesProcesses
PID:3972 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"10⤵PID:456
-
C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exeC:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock11⤵
- Suspicious behavior: EnumeratesProcesses
PID:3444 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"12⤵PID:812
-
C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exeC:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock13⤵
- Suspicious behavior: EnumeratesProcesses
PID:1604 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"14⤵PID:4444
-
C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exeC:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock15⤵
- Suspicious behavior: EnumeratesProcesses
PID:440 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"16⤵PID:4696
-
C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exeC:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock17⤵
- Suspicious behavior: EnumeratesProcesses
PID:3320 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"18⤵PID:628
-
C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exeC:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock19⤵
- Suspicious behavior: EnumeratesProcesses
PID:1612 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"20⤵PID:536
-
C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exeC:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock21⤵
- Suspicious behavior: EnumeratesProcesses
PID:3092 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"22⤵
- System Location Discovery: System Language Discovery
PID:4272 -
C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exeC:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock23⤵
- Suspicious behavior: EnumeratesProcesses
PID:4888 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"24⤵PID:3084
-
C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exeC:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock25⤵
- Suspicious behavior: EnumeratesProcesses
PID:1192 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"26⤵PID:4384
-
C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exeC:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock27⤵
- Suspicious behavior: EnumeratesProcesses
PID:4084 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"28⤵PID:1584
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV129⤵PID:4148
-
-
C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exeC:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock29⤵
- Suspicious behavior: EnumeratesProcesses
PID:2788 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"30⤵PID:1316
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV131⤵PID:3328
-
-
C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exeC:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock31⤵
- Suspicious behavior: EnumeratesProcesses
PID:4324 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"32⤵PID:3900
-
C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exeC:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock33⤵PID:1208
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"34⤵PID:2280
-
C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exeC:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock35⤵PID:3140
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"36⤵PID:556
-
C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exeC:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock37⤵PID:3312
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"38⤵PID:3544
-
C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exeC:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock39⤵PID:5048
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"40⤵PID:2500
-
C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exeC:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock41⤵PID:4016
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"42⤵PID:1752
-
C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exeC:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock43⤵PID:1012
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"44⤵PID:4540
-
C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exeC:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock45⤵PID:2364
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"46⤵PID:2392
-
C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exeC:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock47⤵PID:3728
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"48⤵PID:4068
-
C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exeC:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock49⤵PID:804
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"50⤵PID:3084
-
C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exeC:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock51⤵PID:4176
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"52⤵PID:4272
-
C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exeC:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock53⤵PID:2912
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"54⤵PID:920
-
C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exeC:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock55⤵PID:4352
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"56⤵PID:452
-
C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exeC:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock57⤵PID:1612
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"58⤵PID:628
-
C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exeC:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock59⤵PID:4028
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"60⤵PID:3788
-
C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exeC:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock61⤵PID:3136
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"62⤵
- System Location Discovery: System Language Discovery
PID:2196 -
C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exeC:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock63⤵PID:2772
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"64⤵PID:1376
-
C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exeC:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock65⤵PID:4576
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"66⤵PID:4436
-
C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exeC:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock67⤵PID:3336
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"68⤵PID:8
-
C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exeC:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock69⤵PID:2444
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"70⤵PID:3540
-
C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exeC:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock71⤵PID:1752
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"72⤵
- System Location Discovery: System Language Discovery
PID:2908 -
C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exeC:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock73⤵PID:2996
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"74⤵PID:1304
-
C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exeC:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock75⤵PID:1604
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"76⤵PID:1204
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV177⤵PID:912
-
-
C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exeC:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock77⤵PID:1824
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"78⤵PID:2732
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV179⤵PID:4444
-
-
C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exeC:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock79⤵PID:2328
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"80⤵PID:4728
-
C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exeC:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock81⤵PID:3880
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"82⤵PID:1736
-
C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exeC:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock83⤵PID:1084
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"84⤵PID:2868
-
C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exeC:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock85⤵PID:4688
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"86⤵PID:2264
-
C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exeC:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock87⤵PID:2464
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"88⤵PID:4340
-
C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exeC:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock89⤵PID:4436
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"90⤵PID:4064
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV191⤵PID:8
-
-
C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exeC:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock91⤵PID:3956
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"92⤵PID:3504
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV193⤵PID:2196
-
-
C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exeC:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock93⤵PID:812
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"94⤵
- System Location Discovery: System Language Discovery
PID:4016 -
C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exeC:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock95⤵PID:2640
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"96⤵PID:4576
-
C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exeC:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock97⤵PID:5080
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"98⤵PID:4896
-
C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exeC:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock99⤵PID:3136
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"100⤵PID:3864
-
C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exeC:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock101⤵PID:1952
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"102⤵PID:2060
-
C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exeC:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock103⤵PID:3764
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"104⤵PID:4528
-
C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exeC:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock105⤵
- System Location Discovery: System Language Discovery
PID:1736 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"106⤵PID:3696
-
C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exeC:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock107⤵PID:3044
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"108⤵PID:1392
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1109⤵PID:2476
-
-
C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exeC:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock109⤵PID:1376
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"110⤵PID:3788
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1111⤵PID:1620
-
-
C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exeC:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock111⤵PID:4036
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"112⤵PID:3336
-
C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exeC:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock113⤵PID:4780
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"114⤵PID:3540
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1115⤵PID:4776
-
-
C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exeC:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock115⤵PID:3044
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"116⤵PID:2316
-
C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exeC:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock117⤵PID:440
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"118⤵PID:2816
-
C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exeC:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock119⤵PID:4064
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"120⤵PID:2124
-
C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock.exeC:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock121⤵PID:2880
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240824a12fdb18d3868a6b3c58d2fdd11bc5cevirlock"122⤵PID:1940