Analysis
max time kernel: 150s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24/08/2024, 11:15
Static task: static1
Behavioral task: behavioral1
  Sample: 20240824c79b9cd94a4617449fa988373af34d4fvirlock.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 20240824c79b9cd94a4617449fa988373af34d4fvirlock.exe
  Resource: win10v2004-20240802-en
General
Target: 20240824c79b9cd94a4617449fa988373af34d4fvirlock.exe
Size: 212KB
MD5: c79b9cd94a4617449fa988373af34d4f
SHA1: b07077f4e92b84d1dead325c2d19614997efe9cd
SHA256: a8ed9414bac186c2e40ec9d3a07c2df7ca7fc75796ed0d73cf15347f03f16858
SHA512: 60c0611ed999d018364d8cbbb43c014c39be46e00139ece2f19cfc75fd1eb764f884ce1d106fd9113e1c8e2b9c085050d94a7934850ac37fac09a528b38a8728
SSDEEP: 6144:CKxMxAAcdBkIo9moWqTjBkNXHPQnVnBVULXi6BH9mvkiX2/AgT:CKxMiAj9Pqld5im/9
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs
description  ioc  Process  (distinct entries)
Set value (int)  \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"  reg.exe
Set value (int)  \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"  Process not Found
description  ioc  Process  (distinct entries)
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  reg.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  Process not Found
Renames multiple (75) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description  ioc  Process
Key value queried  \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation  RMYgwwsg.exe
Executes dropped EXE 2 IoCs
pid  Process
2936  eMYowQAQ.exe
4912  RMYgwwsg.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application 2 TTPs 4 IoCs
description  ioc  Process
Set value (str)  \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\eMYowQAQ.exe = "C:\\Users\\Admin\\IawcIsME\\eMYowQAQ.exe"  20240824c79b9cd94a4617449fa988373af34d4fvirlock.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RMYgwwsg.exe = "C:\\ProgramData\\iYwMIEUc\\RMYgwwsg.exe"  20240824c79b9cd94a4617449fa988373af34d4fvirlock.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RMYgwwsg.exe = "C:\\ProgramData\\iYwMIEUc\\RMYgwwsg.exe"  RMYgwwsg.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\eMYowQAQ.exe = "C:\\Users\\Admin\\IawcIsME\\eMYowQAQ.exe"  eMYowQAQ.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc  Process  (distinct entries)
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  reg.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cscript.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  20240824c79b9cd94a4617449fa988373af34d4fvirlock.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process not Found
Modifies registry key 1 TTPs 64 IoCs
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid  Process
4912  RMYgwwsg.exe
Suspicious use of FindShellTrayWindow 64 IoCs
pid  Process  (distinct entries)
4912  RMYgwwsg.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 4928 wrote to memory of 2936 | 4928 | 20240824c79b9cd94a4617449fa988373af34d4fvirlock.exe | 85
PID 4928 wrote to memory of 2936 | 4928 | 20240824c79b9cd94a4617449fa988373af34d4fvirlock.exe | 85
PID 4928 wrote to memory of 2936 | 4928 | 20240824c79b9cd94a4617449fa988373af34d4fvirlock.exe | 85
PID 4928 wrote to memory of 4912 | 4928 | 20240824c79b9cd94a4617449fa988373af34d4fvirlock.exe | 86
PID 4928 wrote to memory of 4912 | 4928 | 20240824c79b9cd94a4617449fa988373af34d4fvirlock.exe | 86
PID 4928 wrote to memory of 4912 | 4928 | 20240824c79b9cd94a4617449fa988373af34d4fvirlock.exe | 86
PID 4928 wrote to memory of 4400 | 4928 | 20240824c79b9cd94a4617449fa988373af34d4fvirlock.exe | 87
PID 4928 wrote to memory of 4400 | 4928 | 20240824c79b9cd94a4617449fa988373af34d4fvirlock.exe | 87
PID 4928 wrote to memory of 4400 | 4928 | 20240824c79b9cd94a4617449fa988373af34d4fvirlock.exe | 87
PID 4400 wrote to memory of 3496 | 4400 | cmd.exe | 89
PID 4400 wrote to memory of 3496 | 4400 | cmd.exe | 89
PID 4400 wrote to memory of 3496 | 4400 | cmd.exe | 89
PID 4928 wrote to memory of 3024 | 4928 | 20240824c79b9cd94a4617449fa988373af34d4fvirlock.exe | 90
PID 4928 wrote to memory of 3024 | 4928 | 20240824c79b9cd94a4617449fa988373af34d4fvirlock.exe | 90
PID 4928 wrote to memory of 3024 | 4928 | 20240824c79b9cd94a4617449fa988373af34d4fvirlock.exe | 90
PID 4928 wrote to memory of 2580 | 4928 | 20240824c79b9cd94a4617449fa988373af34d4fvirlock.exe | 91
PID 4928 wrote to memory of 2580 | 4928 | 20240824c79b9cd94a4617449fa988373af34d4fvirlock.exe | 91
PID 4928 wrote to memory of 2580 | 4928 | 20240824c79b9cd94a4617449fa988373af34d4fvirlock.exe | 91
PID 4928 wrote to memory of 2484 | 4928 | 20240824c79b9cd94a4617449fa988373af34d4fvirlock.exe | 92
PID 4928 wrote to memory of 2484 | 4928 | 20240824c79b9cd94a4617449fa988373af34d4fvirlock.exe | 92
PID 4928 wrote to memory of 2484 | 4928 | 20240824c79b9cd94a4617449fa988373af34d4fvirlock.exe | 92
PID 4928 wrote to memory of 4916 | 4928 | 20240824c79b9cd94a4617449fa988373af34d4fvirlock.exe | 93
PID 4928 wrote to memory of 4916 | 4928 | 20240824c79b9cd94a4617449fa988373af34d4fvirlock.exe | 93
PID 4928 wrote to memory of 4916 | 4928 | 20240824c79b9cd94a4617449fa988373af34d4fvirlock.exe | 93
PID 4916 wrote to memory of 3744 | 4916 | cmd.exe | 98
PID 4916 wrote to memory of 3744 | 4916 | cmd.exe | 98
PID 4916 wrote to memory of 3744 | 4916 | cmd.exe | 98
PID 3496 wrote to memory of 1252 | 3496 | 20240824c79b9cd94a4617449fa988373af34d4fvirlock.exe | 100
PID 3496 wrote to memory of 1252 | 3496 | 20240824c79b9cd94a4617449fa988373af34d4fvirlock.exe | 100
PID 3496 wrote to memory of 1252 | 3496 | 20240824c79b9cd94a4617449fa988373af34d4fvirlock.exe | 100
PID 1252 wrote to memory of 3972 | 1252 | cmd.exe | 102
PID 1252 wrote to memory of 3972 | 1252 | cmd.exe | 102
PID 1252 wrote to memory of 3972 | 1252 | cmd.exe | 102
PID 3496 wrote to memory of 4972 | 3496 | 20240824c79b9cd94a4617449fa988373af34d4fvirlock.exe | 103
PID 3496 wrote to memory of 4972 | 3496 | 20240824c79b9cd94a4617449fa988373af34d4fvirlock.exe | 103
PID 3496 wrote to memory of 4972 | 3496 | 20240824c79b9cd94a4617449fa988373af34d4fvirlock.exe | 103
PID 3496 wrote to memory of 1264 | 3496 | 20240824c79b9cd94a4617449fa988373af34d4fvirlock.exe | 104
PID 3496 wrote to memory of 1264 | 3496 | 20240824c79b9cd94a4617449fa988373af34d4fvirlock.exe | 104
PID 3496 wrote to memory of 1264 | 3496 | 20240824c79b9cd94a4617449fa988373af34d4fvirlock.exe | 104
PID 3496 wrote to memory of 3916 | 3496 | 20240824c79b9cd94a4617449fa988373af34d4fvirlock.exe | 105
PID 3496 wrote to memory of 3916 | 3496 | 20240824c79b9cd94a4617449fa988373af34d4fvirlock.exe | 105
PID 3496 wrote to memory of 3916 | 3496 | 20240824c79b9cd94a4617449fa988373af34d4fvirlock.exe | 105
PID 3496 wrote to memory of 4024 | 3496 | 20240824c79b9cd94a4617449fa988373af34d4fvirlock.exe | 106
PID 3496 wrote to memory of 4024 | 3496 | 20240824c79b9cd94a4617449fa988373af34d4fvirlock.exe | 106
PID 3496 wrote to memory of 4024 | 3496 | 20240824c79b9cd94a4617449fa988373af34d4fvirlock.exe | 106
PID 4024 wrote to memory of 4216 | 4024 | cmd.exe | 111
PID 4024 wrote to memory of 4216 | 4024 | cmd.exe | 111
PID 4024 wrote to memory of 4216 | 4024 | cmd.exe | 111
PID 3972 wrote to memory of 1068 | 3972 | 20240824c79b9cd94a4617449fa988373af34d4fvirlock.exe | 113
PID 3972 wrote to memory of 1068 | 3972 | 20240824c79b9cd94a4617449fa988373af34d4fvirlock.exe | 113
PID 3972 wrote to memory of 1068 | 3972 | 20240824c79b9cd94a4617449fa988373af34d4fvirlock.exe | 113
PID 1068 wrote to memory of 3580 | 1068 | cmd.exe | 115
PID 1068 wrote to memory of 3580 | 1068 | cmd.exe | 115
PID 1068 wrote to memory of 3580 | 1068 | cmd.exe | 115
PID 3972 wrote to memory of 332 | 3972 | 20240824c79b9cd94a4617449fa988373af34d4fvirlock.exe | 116
PID 3972 wrote to memory of 332 | 3972 | 20240824c79b9cd94a4617449fa988373af34d4fvirlock.exe | 116
PID 3972 wrote to memory of 332 | 3972 | 20240824c79b9cd94a4617449fa988373af34d4fvirlock.exe | 116
PID 3972 wrote to memory of 1020 | 3972 | 20240824c79b9cd94a4617449fa988373af34d4fvirlock.exe | 117
PID 3972 wrote to memory of 1020 | 3972 | 20240824c79b9cd94a4617449fa988373af34d4fvirlock.exe | 117
PID 3972 wrote to memory of 1020 | 3972 | 20240824c79b9cd94a4617449fa988373af34d4fvirlock.exe | 117
PID 3972 wrote to memory of 4884 | 3972 | 20240824c79b9cd94a4617449fa988373af34d4fvirlock.exe | 118
PID 3972 wrote to memory of 4884 | 3972 | 20240824c79b9cd94a4617449fa988373af34d4fvirlock.exe | 118
PID 3972 wrote to memory of 4884 | 3972 | 20240824c79b9cd94a4617449fa988373af34d4fvirlock.exe | 118
PID 3972 wrote to memory of 3632 | 3972 | 20240824c79b9cd94a4617449fa988373af34d4fvirlock.exe | 119
Processes
level | PID | image | command line
Level 1 | PID 4928 | C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock.exe | "C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock.exe"
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
Level 2 | PID 2936 | C:\Users\Admin\IawcIsME\eMYowQAQ.exe | "C:\Users\Admin\IawcIsME\eMYowQAQ.exe"
- Executes dropped EXE
- Adds Run key to start application
Level 2 | PID 4912 | C:\ProgramData\iYwMIEUc\RMYgwwsg.exe | "C:\ProgramData\iYwMIEUc\RMYgwwsg.exe"
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
Level 2 | PID 4400 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock"
- Suspicious use of WriteProcessMemory
Level 3 | PID 3496 | C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock.exe | C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
Level 4 | PID 1252 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock"
- Suspicious use of WriteProcessMemory
Level 5 | PID 3972 | C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock.exe | C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
Level 6 | PID 1068 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock"
- Suspicious use of WriteProcessMemory
Level 7 | PID 3580 | C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock.exe | C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock
- Suspicious behavior: EnumeratesProcesses
Level 8 | PID 3320 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock"
Level 9 | PID 2004 | C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock.exe | C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock
- Suspicious behavior: EnumeratesProcesses
Level 10 | PID 3984 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock"
Level 11 | PID 2144 | C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock.exe | C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock
- Suspicious behavior: EnumeratesProcesses
Level 12 | PID 952 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock"
Level 13 | PID 432 | C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock.exe | C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
Level 14 | PID 3756 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock"
Level 15 | PID 4480 | C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock.exe | C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock
- Suspicious behavior: EnumeratesProcesses
Level 16 | PID 4060 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock"
Level 17 | PID 968 | C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock.exe | C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock
- Suspicious behavior: EnumeratesProcesses
Level 18 | PID 1064 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock"
Level 19 | PID 1920 | C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock.exe | C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock
- Suspicious behavior: EnumeratesProcesses
Level 20 | PID 1220 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock"
Level 21 | PID 4916 | C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock.exe | C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock
- Suspicious behavior: EnumeratesProcesses
Level 22 | PID 1436 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock"
Level 23 | PID 3632 | C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock.exe | C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
Level 24 | PID 2028 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock"
Level 25 | PID 776 | C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock.exe | C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock
- Suspicious behavior: EnumeratesProcesses
Level 26 | PID 4352 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock"
Level 27 | PID 1968 | C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock.exe | C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock
- Suspicious behavior: EnumeratesProcesses
Level 28 | PID 3448 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock"
Level 29 | PID 3108 | C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock.exe | C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock
- Suspicious behavior: EnumeratesProcesses
Level 30 | PID 4760 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock"
Level 31 | PID 1820 | C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock.exe | C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock
- Suspicious behavior: EnumeratesProcesses
Level 32 | PID 1924 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock"
Level 33 | PID 4128 | C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock.exe | C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock
Level 34 | PID 3320 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock"
Level 35 | PID 4836 | C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock.exe | C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock
Level 36 | PID 2024 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock"
Level 37 | PID 432 | C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Level 37 | PID 2744 | C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock.exe | C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock
Level 38 | PID 2264 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock"
Level 39 | PID 3968 | C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock.exe | C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock
- System Location Discovery: System Language Discovery
Level 40 | PID 1632 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock"
Level 41 | PID 3012 | C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock.exe | C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock
Level 42 | PID 4296 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock"
Level 43 | PID 2368 | C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock.exe | C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock
Level 44 | PID 704 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock"
Level 45 | PID 1200 | C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock.exe | C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock
Level 46 | PID 740 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock"
Level 47 | PID 1436 | C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock.exe | C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock
Level 48 | PID 2848 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock"
Level 49 | PID 4284 | C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock.exe | C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock
Level 50 | PID 2252 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock"
Level 51 | PID 4216 | C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock.exe | C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock
Level 52 | PID 3644 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock"
Level 53 | PID 3444 | C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock.exe | C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock
Level 54 | PID 3108 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock"
Level 55 | PID 2604 | C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock.exe | C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock
Level 56 | PID 3952 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock"
Level 57 | PID 1748 | C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock.exe | C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock
Level 58 | PID 2740 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock"
Level 59 | PID 4736 | C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock.exe | C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock
Level 60 | PID 4520 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock"
Level 61 | PID 2668 | C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock.exe | C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock
Level 62 | PID 2880 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock"
Level 63 | PID 4764 | C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock.exe | C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock
Level 64 | PID 4676 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock"
- System Location Discovery: System Language Discovery
Level 65 | PID 2448 | C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock.exe | C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock
Level 66 | PID 3408 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock"
Level 67 | PID 4216 | C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock.exe | C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock
Level 68 | PID 2776 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock"
Level 69 | PID 4828 | C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock.exe | C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock
Level 70 | PID 1340 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock"
- System Location Discovery: System Language Discovery
Level 71 | PID 1876 | C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock.exe | C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock
Level 72 | PID 3912 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock"
Level 73 | PID 1748 | C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock.exe | C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock
Level 74 | PID 3724 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock"
Level 75 | PID 1996 | C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock.exe | C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock
Level 76 | PID 4024 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock"
Level 77 | PID 1140 | C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock.exe | C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock
- System Location Discovery: System Language Discovery
Level 78 | PID 2844 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock"
Level 79 | PID 3148 | C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock.exe | C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock
Level 80 | PID 748 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock"
Level 81 | PID 4904 | C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock.exe | C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock
Level 82 | PID 4424 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock"
Level 83 | PID 2348 | C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock.exe | C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock
Level 84 | PID 2856 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock"
Level 85 | PID 3640 | C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock.exe | C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock
Level 86 | PID 3968 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock"
Level 87 | PID 3392 | C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock.exe | C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock
Level 88 | PID 1632 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock"
Level 89 | PID 3320 | C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock.exe | C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock
Level 90 | PID 4864 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock"
Level 91 | PID 1316 | C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock.exe | C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock
Level 92 | PID 1852 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock"
Level 93 | PID 2888 | C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock.exe | C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock
Level 94 | PID 2144 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock"
Level 95 | PID 3148 | C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock.exe | C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock
Level 96 | PID 2492 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock"
Level 97 | PID 4428 | C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock.exe | C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock
Level 98 | PID 5024 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock"
Level 99 | PID 3500 | C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock.exe | C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock
Level 100 | PID 4856 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock"
Level 101 | PID 2300 | C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock.exe | C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock
Level 102 | PID 2360 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock"
Level 103 | PID 1656 | C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock.exe | C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock
Level 104 | PID 4660 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock"
Level 105 | PID 4216 | C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock.exe | C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock
Level 106 | PID 1068 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock"
Level 107 | PID 220 | C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock.exe | C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock
Level 108 | PID 4780 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock"
Level 109 | PID 3160 | C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock.exe | C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock
Level 110 | PID 3548 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock"
Level 111 | PID 4308 | C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock.exe | C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock
Level 112 | PID 2052 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock"
Level 113 | PID 4552 | C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock.exe | C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock
Level 114 | PID 1612 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock"
- System Location Discovery: System Language Discovery
Level 115 | PID 4420 | C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock.exe | C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock
Level 116 | PID 5056 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock"
Level 117 | PID 4424 | C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock.exe | C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock
Level 118 | PID 4668 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock"
Level 119 | PID 3968 | C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock.exe | C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock
Level 120 | PID 3548 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock"
Level 121 | PID 2840 | C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock.exe | C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock
Level 122 | PID 1508 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240824c79b9cd94a4617449fa988373af34d4fvirlock"