Analysis
max time kernel: 150s
max time network: 128s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system
submitted: 04/09/2024, 12:59

Static task: static1

Behavioral task: behavioral1
Sample: 20240904614e147831a0e174f25e612e06310d85virlock.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: 20240904614e147831a0e174f25e612e06310d85virlock.exe
Resource: win10v2004-20240802-en
General
Target: 20240904614e147831a0e174f25e612e06310d85virlock.exe
Size: 208KB
MD5: 614e147831a0e174f25e612e06310d85
SHA1: aa246318683de03151cb2938341078f5ab56c274
SHA256: 13bdef2092838b3d3bbc03c1c708cec24c0dde6127377ce6822485b2240203ee
SHA512: 2f4c5d5849d1f4d46a1da2186cd0441e35c27762ecf3ce9454c38b30f642993f870930c7b359d800e00a4c80beb2611398a1a55737478a7228f9d5486812fe09
SSDEEP: 6144:EkNZrjWdDjUIkMREJBWjX7ZOiGOS5uF67Wo0yb5Ds6X7hHUtd:lNZvWdDjUbaX7ZOiGjuF610ybpfX0d
Malware Config
Signatures

Modifies visibility of file extensions in Explorer (2 TTPs, 64 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | reg.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | Process not Found
(64 entries in total, every one setting the same value; most are attributed to reg.exe, the remainder to "Process not Found")

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Process not Found
(64 entries in total, every one setting the same value; most are attributed to reg.exe, the remainder to "Process not Found")
Renames multiple (82) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation | ymoAgwkU.exe

Executes dropped EXE (2 IoCs)
pid | Process
2000 | ymoAgwkU.exe
2232 | OSIUoUMk.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ymoAgwkU.exe = "C:\\Users\\Admin\\puUwMkAg\\ymoAgwkU.exe" | 20240904614e147831a0e174f25e612e06310d85virlock.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\OSIUoUMk.exe = "C:\\ProgramData\\ckQocUks\\OSIUoUMk.exe" | 20240904614e147831a0e174f25e612e06310d85virlock.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ymoAgwkU.exe = "C:\\Users\\Admin\\puUwMkAg\\ymoAgwkU.exe" | ymoAgwkU.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\OSIUoUMk.exe = "C:\\ProgramData\\ckQocUks\\OSIUoUMk.exe" | OSIUoUMk.exe

Drops file in System32 directory (2 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\shell32.dll.exe | ymoAgwkU.exe
File created | C:\Windows\SysWOW64\shell32.dll.exe | ymoAgwkU.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cscript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 20240904614e147831a0e174f25e612e06310d85virlock.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
(64 entries in total, all opening the same key; each process name is listed once above)

Modifies registry key (1 TTP, 64 IoCs)
pid | Process
reg.exe: 3888, 1904, 4496, 640, 5044, 5116, 2712, 2564, 2772, 4076, 2776, 4796, 3116, 1132, 3628, 2896, 3412, 3928, 4584, 1380, 4872, 4216, 4560, 4672, 2028, 2032, 2820, 3472, 2412, 3044, 4248, 5116, 692, 3256, 4248, 4436, 1960, 2564, 5108, 4316, 4548, 3116, 1132, 704, 2704, 3532, 3664, 2160, 4328, 1676, 2280, 2692, 3832, 1540, 4400, 4580, 2120, 4004, 2116, 756
Process not Found: 3316, 844, 1628, 2416

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
Each of the following PIDs of 20240904614e147831a0e174f25e612e06310d85virlock.exe is listed four times (1248 appears as two separate groups of four): 4124, 1044, 5056, 4692, 1248, 3532, 3584, 5024, 4448, 1196, 3460, 3572, 3288, 2776, 1248, 2704

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid | Process
2000 | ymoAgwkU.exe

Suspicious use of FindShellTrayWindow (64 IoCs)
pid | Process
2000 | ymoAgwkU.exe (all 64 entries are this same PID and process)
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 4124 wrote to memory of 2000 | 4124 | 20240904614e147831a0e174f25e612e06310d85virlock.exe | 87
PID 4124 wrote to memory of 2000 | 4124 | 20240904614e147831a0e174f25e612e06310d85virlock.exe | 87
PID 4124 wrote to memory of 2000 | 4124 | 20240904614e147831a0e174f25e612e06310d85virlock.exe | 87
PID 4124 wrote to memory of 2232 | 4124 | 20240904614e147831a0e174f25e612e06310d85virlock.exe | 88
PID 4124 wrote to memory of 2232 | 4124 | 20240904614e147831a0e174f25e612e06310d85virlock.exe | 88
PID 4124 wrote to memory of 2232 | 4124 | 20240904614e147831a0e174f25e612e06310d85virlock.exe | 88
PID 4124 wrote to memory of 4644 | 4124 | 20240904614e147831a0e174f25e612e06310d85virlock.exe | 89
PID 4124 wrote to memory of 4644 | 4124 | 20240904614e147831a0e174f25e612e06310d85virlock.exe | 89
PID 4124 wrote to memory of 4644 | 4124 | 20240904614e147831a0e174f25e612e06310d85virlock.exe | 89
PID 4124 wrote to memory of 3472 | 4124 | 20240904614e147831a0e174f25e612e06310d85virlock.exe | 91
PID 4124 wrote to memory of 3472 | 4124 | 20240904614e147831a0e174f25e612e06310d85virlock.exe | 91
PID 4124 wrote to memory of 3472 | 4124 | 20240904614e147831a0e174f25e612e06310d85virlock.exe | 91
PID 4124 wrote to memory of 2564 | 4124 | 20240904614e147831a0e174f25e612e06310d85virlock.exe | 92
PID 4124 wrote to memory of 2564 | 4124 | 20240904614e147831a0e174f25e612e06310d85virlock.exe | 92
PID 4124 wrote to memory of 2564 | 4124 | 20240904614e147831a0e174f25e612e06310d85virlock.exe | 92
PID 4124 wrote to memory of 2976 | 4124 | 20240904614e147831a0e174f25e612e06310d85virlock.exe | 93
PID 4124 wrote to memory of 2976 | 4124 | 20240904614e147831a0e174f25e612e06310d85virlock.exe | 93
PID 4124 wrote to memory of 2976 | 4124 | 20240904614e147831a0e174f25e612e06310d85virlock.exe | 93
PID 4124 wrote to memory of 2020 | 4124 | 20240904614e147831a0e174f25e612e06310d85virlock.exe | 94
PID 4124 wrote to memory of 2020 | 4124 | 20240904614e147831a0e174f25e612e06310d85virlock.exe | 94
PID 4124 wrote to memory of 2020 | 4124 | 20240904614e147831a0e174f25e612e06310d85virlock.exe | 94
PID 4644 wrote to memory of 1044 | 4644 | cmd.exe | 99
PID 4644 wrote to memory of 1044 | 4644 | cmd.exe | 99
PID 4644 wrote to memory of 1044 | 4644 | cmd.exe | 99
PID 2020 wrote to memory of 644 | 2020 | cmd.exe | 100
PID 2020 wrote to memory of 644 | 2020 | cmd.exe | 100
PID 2020 wrote to memory of 644 | 2020 | cmd.exe | 100
PID 1044 wrote to memory of 3088 | 1044 | 20240904614e147831a0e174f25e612e06310d85virlock.exe | 102
PID 1044 wrote to memory of 3088 | 1044 | 20240904614e147831a0e174f25e612e06310d85virlock.exe | 102
PID 1044 wrote to memory of 3088 | 1044 | 20240904614e147831a0e174f25e612e06310d85virlock.exe | 102
PID 3088 wrote to memory of 5056 | 3088 | cmd.exe | 104
PID 3088 wrote to memory of 5056 | 3088 | cmd.exe | 104
PID 3088 wrote to memory of 5056 | 3088 | cmd.exe | 104
PID 1044 wrote to memory of 2576 | 1044 | 20240904614e147831a0e174f25e612e06310d85virlock.exe | 105
PID 1044 wrote to memory of 2576 | 1044 | 20240904614e147831a0e174f25e612e06310d85virlock.exe | 105
PID 1044 wrote to memory of 2576 | 1044 | 20240904614e147831a0e174f25e612e06310d85virlock.exe | 105
PID 1044 wrote to memory of 4760 | 1044 | 20240904614e147831a0e174f25e612e06310d85virlock.exe | 106
PID 1044 wrote to memory of 4760 | 1044 | 20240904614e147831a0e174f25e612e06310d85virlock.exe | 106
PID 1044 wrote to memory of 4760 | 1044 | 20240904614e147831a0e174f25e612e06310d85virlock.exe | 106
PID 1044 wrote to memory of 4496 | 1044 | 20240904614e147831a0e174f25e612e06310d85virlock.exe | 107
PID 1044 wrote to memory of 4496 | 1044 | 20240904614e147831a0e174f25e612e06310d85virlock.exe | 107
PID 1044 wrote to memory of 4496 | 1044 | 20240904614e147831a0e174f25e612e06310d85virlock.exe | 107
PID 1044 wrote to memory of 1212 | 1044 | 20240904614e147831a0e174f25e612e06310d85virlock.exe | 108
PID 1044 wrote to memory of 1212 | 1044 | 20240904614e147831a0e174f25e612e06310d85virlock.exe | 108
PID 1044 wrote to memory of 1212 | 1044 | 20240904614e147831a0e174f25e612e06310d85virlock.exe | 108
PID 1212 wrote to memory of 2660 | 1212 | cmd.exe | 113
PID 1212 wrote to memory of 2660 | 1212 | cmd.exe | 113
PID 1212 wrote to memory of 2660 | 1212 | cmd.exe | 113
PID 5056 wrote to memory of 404 | 5056 | 20240904614e147831a0e174f25e612e06310d85virlock.exe | 114
PID 5056 wrote to memory of 404 | 5056 | 20240904614e147831a0e174f25e612e06310d85virlock.exe | 114
PID 5056 wrote to memory of 404 | 5056 | 20240904614e147831a0e174f25e612e06310d85virlock.exe | 114
PID 404 wrote to memory of 4692 | 404 | cmd.exe | 116
PID 404 wrote to memory of 4692 | 404 | cmd.exe | 116
PID 404 wrote to memory of 4692 | 404 | cmd.exe | 116
PID 5056 wrote to memory of 4988 | 5056 | 20240904614e147831a0e174f25e612e06310d85virlock.exe | 117
PID 5056 wrote to memory of 4988 | 5056 | 20240904614e147831a0e174f25e612e06310d85virlock.exe | 117
PID 5056 wrote to memory of 4988 | 5056 | 20240904614e147831a0e174f25e612e06310d85virlock.exe | 117
PID 5056 wrote to memory of 4216 | 5056 | 20240904614e147831a0e174f25e612e06310d85virlock.exe | 118
PID 5056 wrote to memory of 4216 | 5056 | 20240904614e147831a0e174f25e612e06310d85virlock.exe | 118
PID 5056 wrote to memory of 4216 | 5056 | 20240904614e147831a0e174f25e612e06310d85virlock.exe | 118
PID 5056 wrote to memory of 812 | 5056 | 20240904614e147831a0e174f25e612e06310d85virlock.exe | 119
PID 5056 wrote to memory of 812 | 5056 | 20240904614e147831a0e174f25e612e06310d85virlock.exe | 119
PID 5056 wrote to memory of 812 | 5056 | 20240904614e147831a0e174f25e612e06310d85virlock.exe | 119
PID 5056 wrote to memory of 3596 | 5056 | 20240904614e147831a0e174f25e612e06310d85virlock.exe | 120
Processes (tree depth | image path | command line | PID)
- depth 1 | C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock.exe | "C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock.exe" | PID 4124
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
- depth 2 | C:\Users\Admin\puUwMkAg\ymoAgwkU.exe | "C:\Users\Admin\puUwMkAg\ymoAgwkU.exe" | PID 2000
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
- depth 2 | C:\ProgramData\ckQocUks\OSIUoUMk.exe | "C:\ProgramData\ckQocUks\OSIUoUMk.exe" | PID 2232
  - Executes dropped EXE
  - Adds Run key to start application
- depth 2 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock" | PID 4644
  - Suspicious use of WriteProcessMemory
- depth 3 | C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock.exe | C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock | PID 1044
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
- depth 4 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock" | PID 3088
  - Suspicious use of WriteProcessMemory
- depth 5 | C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock.exe | C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock | PID 5056
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
- depth 6 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock" | PID 404
  - Suspicious use of WriteProcessMemory
- depth 7 | C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock.exe | C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock | PID 4692
  - Suspicious behavior: EnumeratesProcesses
- depth 8 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock" | PID 1640
- depth 9 | C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock.exe | C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock | PID 1248
  - Suspicious behavior: EnumeratesProcesses
- depth 10 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock" | PID 3988
- depth 11 | C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock.exe | C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock | PID 3532
  - Suspicious behavior: EnumeratesProcesses
- depth 12 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock" | PID 5004
- depth 13 | C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock.exe | C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock | PID 3584
  - Suspicious behavior: EnumeratesProcesses
- depth 14 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock" | PID 540
- depth 15 | C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock.exe | C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock | PID 5024
  - Suspicious behavior: EnumeratesProcesses
- depth 16 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock" | PID 1524
- depth 17 | C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock.exe | C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock | PID 4448
  - Suspicious behavior: EnumeratesProcesses
- depth 18 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock" | PID 3140
- depth 19 | C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock.exe | C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock | PID 1196
  - Suspicious behavior: EnumeratesProcesses
- depth 20 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock" | PID 1972
- depth 21 | C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock.exe | C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock | PID 3460
  - Suspicious behavior: EnumeratesProcesses
- depth 22 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock" | PID 4272
- depth 23 | C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock.exe | C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock | PID 3572
  - Suspicious behavior: EnumeratesProcesses
- depth 24 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock" | PID 3124
- depth 25 | C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock.exe | C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock | PID 3288
  - Suspicious behavior: EnumeratesProcesses
- depth 26 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock" | PID 4652
- depth 27 | C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock.exe | C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock | PID 2776
  - Suspicious behavior: EnumeratesProcesses
- depth 28 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock" | PID 3100
- depth 29 | C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock.exe | C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock | PID 1248
  - Suspicious behavior: EnumeratesProcesses
- depth 30 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock" | PID 2192
- depth 31 | C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock.exe | C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock | PID 2704
  - Suspicious behavior: EnumeratesProcesses
- depth 32 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock" | PID 4036
- depth 33 | C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock.exe | C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock | PID 2628
- depth 34 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock" | PID 2728
- depth 35 | C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock.exe | C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock | PID 4644
- depth 36 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock" | PID 1516
  - System Location Discovery: System Language Discovery
- depth 37 | C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock.exe | C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock | PID 3736
- depth 38 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock" | PID 4896
- depth 39 | C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock.exe | C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock | PID 4560
- depth 40 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock" | PID 3528
- depth 41 | C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock.exe | C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock | PID 4124
- depth 42 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock" | PID 644
- depth 43 | C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock.exe | C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock | PID 2980
- depth 44 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock" | PID 1228
  - System Location Discovery: System Language Discovery
- depth 45 | C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 4644
- depth 45 | C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock.exe | C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock | PID 2356
- depth 46 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock" | PID 2776
- depth 47 | C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 3736
- depth 47 | C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock.exe | C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock | PID 3732
- depth 48 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock" | PID 4332
- depth 49 | C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock.exe | C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock | PID 2664
- depth 50 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock" | PID 4680
- depth 51 | C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock.exe | C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock | PID 2868
- depth 52 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock" | PID 5016
- depth 53 | C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock.exe | C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock | PID 644
- depth 54 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock" | PID 2576
- depth 55 | C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock.exe | C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock | PID 2632
- depth 56 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock" | PID 4848
- depth 57 | C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 2068
- depth 57 | C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock.exe | C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock | PID 4560
- depth 58 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock" | PID 5088
- depth 59 | C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock.exe | C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock | PID 4932
- depth 60 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock" | PID 2668
- depth 61 | C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock.exe | C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock | PID 2580
- depth 62 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock" | PID 4400
- depth 63 | C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock.exe | C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock | PID 720
- depth 64 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock" | PID 2960
- depth 65 | C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 4652
- depth 65 | C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock.exe | C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock | PID 1960
- depth 66 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock" | PID 4800
- depth 67 | C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock.exe | C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock | PID 5044
- depth 68 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock" | PID 4660
- depth 69 | C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock.exe | C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock | PID 1884
  - System Location Discovery: System Language Discovery
- depth 70 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock" | PID 4428
- depth 71 | C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock.exe | C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock | PID 2500
- depth 72 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock" | PID 2356
- depth 73 | C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock.exe | C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock | PID 3380
- depth 74 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock" | PID 3652
- depth 75 | C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock.exe | C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock | PID 4652
- depth 76 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock" | PID 3332
- depth 77 | C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock.exe | C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock | PID 2464
- depth 78 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock" | PID 4148
- depth 79 | C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock.exe | C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock | PID 1028
- depth 80 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock" | PID 1120
- depth 81 | C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock.exe | C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock | PID 1008
- depth 82 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock" | PID 4644
- depth 83 | C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock.exe | C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock | PID 3128
- depth 84 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock" | PID 2700
- depth 85 | C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock.exe | C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock | PID 3584
- depth 86 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock" | PID 1636
- depth 87 | C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock.exe | C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock | PID 3832
- depth 88 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock" | PID 640
- depth 89 | C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock.exe | C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock | PID 3380
- depth 90 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock" | PID 2716
- depth 91 | C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock.exe | C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock | PID 4860
- depth 92 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock" | PID 756
- depth 93 | C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock.exe | C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock | PID 3348
- depth 94 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock" | PID 3928
- depth 95 | C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock.exe | C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock | PID 3936
- depth 96 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock" | PID 3512
- depth 97 | C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock.exe | C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock | PID 3632
- depth 98 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock" | PID 3532
- depth 99 | C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock.exe | C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock | PID 964
- depth 100 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock" | PID 2712
- depth 101 | C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock.exe | C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock | PID 2120
- depth 102 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock" | PID 1968
- depth 103 | C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock.exe | C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock | PID 5052
- depth 104 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock" | PID 4548
- depth 105 | C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock.exe | C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock | PID 2312
- depth 106 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock" | PID 2192
- depth 107 | C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock.exe | C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock | PID 3116
- depth 108 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock" | PID 5088
- depth 109 | C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock.exe | C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock | PID 3472
- depth 110 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock" | PID 2120
- depth 111 | C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock.exe | C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock | PID 2452
- depth 112 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock" | PID 4572
- depth 113 | C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock.exe | C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock | PID 844
- depth 114 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock" | PID 2664
- depth 115 | C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock.exe | C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock | PID 3924
- depth 116 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock" | PID 4272
- depth 117 | C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock.exe | C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock | PID 4228
- depth 118 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock" | PID 1948
- depth 119 | C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock.exe | C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock | PID 2160
- depth 120 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock" | PID 2452
- depth 121 | C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock.exe | C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock | PID 2120
- depth 122 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\20240904614e147831a0e174f25e612e06310d85virlock" | PID 3776