Analysis
-
max time kernel
150s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system -
submitted
07/09/2024, 11:18
Static task
static1
Behavioral task
behavioral1
Sample
2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exe
Resource
win10v2004-20240802-en
General
-
Target
2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exe
-
Size
201KB
-
MD5
79c137131db29063c1d5116bd015931b
-
SHA1
933b7f3b162f26a20123fadb06c6f6e30fc654ee
-
SHA256
fbec3d95e8e9d29f22faab07be187581507de1e621c3eee766829c1b048a60ed
-
SHA512
017643c76fb81c3e4def41fe0094b09c0656a8724aef2a2a439a84810cd789798867d2f416cee7b6595eca91b5ecd6172f82d625340cba6f60553203127f21c8
-
SSDEEP
3072:+uRvRvsPs+tnTSLGEV9LJLGfBOsTlAsJzoOetqART68:fNAnGaEVTyQsTysJz+4268
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value 
(int) \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) 
\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) 
\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value 
(int) \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) 
\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found Set value (int) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found -
Renames multiple (79) files with added filename extension
This suggests ransomware activity: encrypting all the files on the system.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely for geofencing.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation RaAsgoEs.exe -
Executes dropped EXE 2 IoCs
pid Process 3760 RaAsgoEs.exe 844 xKIsAogI.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials and other sensitive information.
-
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RaAsgoEs.exe = "C:\\Users\\Admin\\yYoIsIgg\\RaAsgoEs.exe" 2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\xKIsAogI.exe = "C:\\ProgramData\\viswgogM\\xKIsAogI.exe" 2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exe Set value (str) \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RaAsgoEs.exe = "C:\\Users\\Admin\\yYoIsIgg\\RaAsgoEs.exe" RaAsgoEs.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\xKIsAogI.exe = "C:\\ProgramData\\viswgogM\\xKIsAogI.exe" xKIsAogI.exe -
Drops file in System32 directory 2 IoCs
description ioc Process File created C:\Windows\SysWOW64\shell32.dll.exe RaAsgoEs.exe File opened for modification C:\Windows\SysWOW64\shell32.dll.exe RaAsgoEs.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Modifies registry key 1 TTPs 64 IoCs
pid Process 3832 Process not Found 4412 Process not Found 2428 Process not Found 2876 reg.exe 2848 reg.exe 2148 Process not Found 1748 reg.exe 1652 reg.exe 4588 reg.exe 4212 reg.exe 3060 reg.exe 400 reg.exe 3668 reg.exe 3932 reg.exe 3384 reg.exe 4536 reg.exe 3668 reg.exe 1360 reg.exe 912 reg.exe 3896 reg.exe 2848 reg.exe 4404 reg.exe 1984 reg.exe 4408 reg.exe 2872 reg.exe 912 Process not Found 3984 Process not Found 3440 Process not Found 592 reg.exe 4664 reg.exe 112 Process not Found 3660 reg.exe 4648 reg.exe 4304 reg.exe 3372 Process not Found 4876 Process not Found 4328 reg.exe 2444 reg.exe 2460 reg.exe 4300 reg.exe 2320 reg.exe 2264 reg.exe 3436 reg.exe 912 reg.exe 4476 Process not Found 1656 reg.exe 4212 reg.exe 4460 reg.exe 3260 reg.exe 3504 reg.exe 4364 reg.exe 4500 reg.exe 4928 Process not Found 2676 reg.exe 3568 reg.exe 4296 reg.exe 3068 Process not Found 4408 reg.exe 1056 reg.exe 536 reg.exe 1176 reg.exe 1628 Process not Found 3928 reg.exe 4104 reg.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1276 2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exe 1276 2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exe 1276 2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exe 1276 2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exe 2480 2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exe 2480 2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exe 2480 2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exe 2480 2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exe 2656 2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exe 2656 2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exe 2656 2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exe 2656 2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exe 4672 2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exe 4672 2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exe 4672 2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exe 4672 2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exe 1580 2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exe 1580 2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exe 1580 2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exe 1580 2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exe 744 2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exe 744 2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exe 744 2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exe 744 2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exe 228 2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exe 228 2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exe 228 2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exe 228 2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exe 1464 2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exe 1464 2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exe 1464 2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exe 1464 2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exe 2444 
2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exe 2444 2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exe 2444 2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exe 2444 2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exe 4092 2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exe 4092 2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exe 4092 2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exe 4092 2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exe 2832 2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exe 2832 2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exe 2832 2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exe 2832 2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exe 4152 2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exe 4152 2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exe 4152 2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exe 4152 2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exe 4928 2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exe 4928 2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exe 4928 2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exe 4928 2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exe 1076 2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exe 1076 2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exe 1076 2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exe 1076 2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exe 3464 2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exe 3464 2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exe 3464 2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exe 3464 2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exe 4724 2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exe 4724 2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exe 4724 2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exe 4724 2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 3760 RaAsgoEs.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 3760 RaAsgoEs.exe 3760 RaAsgoEs.exe 3760 RaAsgoEs.exe 3760 RaAsgoEs.exe 3760 RaAsgoEs.exe 3760 RaAsgoEs.exe 3760 RaAsgoEs.exe 3760 RaAsgoEs.exe 3760 RaAsgoEs.exe 3760 RaAsgoEs.exe 3760 RaAsgoEs.exe 3760 RaAsgoEs.exe 3760 RaAsgoEs.exe 3760 RaAsgoEs.exe 3760 RaAsgoEs.exe 3760 RaAsgoEs.exe 3760 RaAsgoEs.exe 3760 RaAsgoEs.exe 3760 RaAsgoEs.exe 3760 RaAsgoEs.exe 3760 RaAsgoEs.exe 3760 RaAsgoEs.exe 3760 RaAsgoEs.exe 3760 RaAsgoEs.exe 3760 RaAsgoEs.exe 3760 RaAsgoEs.exe 3760 RaAsgoEs.exe 3760 RaAsgoEs.exe 3760 RaAsgoEs.exe 3760 RaAsgoEs.exe 3760 RaAsgoEs.exe 3760 RaAsgoEs.exe 3760 RaAsgoEs.exe 3760 RaAsgoEs.exe 3760 RaAsgoEs.exe 3760 RaAsgoEs.exe 3760 RaAsgoEs.exe 3760 RaAsgoEs.exe 3760 RaAsgoEs.exe 3760 RaAsgoEs.exe 3760 RaAsgoEs.exe 3760 RaAsgoEs.exe 3760 RaAsgoEs.exe 3760 RaAsgoEs.exe 3760 RaAsgoEs.exe 3760 RaAsgoEs.exe 3760 RaAsgoEs.exe 3760 RaAsgoEs.exe 3760 RaAsgoEs.exe 3760 RaAsgoEs.exe 3760 RaAsgoEs.exe 3760 RaAsgoEs.exe 3760 RaAsgoEs.exe 3760 RaAsgoEs.exe 3760 RaAsgoEs.exe 3760 RaAsgoEs.exe 3760 RaAsgoEs.exe 3760 RaAsgoEs.exe 3760 RaAsgoEs.exe 3760 RaAsgoEs.exe 3760 RaAsgoEs.exe 3760 RaAsgoEs.exe 3760 RaAsgoEs.exe 3760 RaAsgoEs.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1276 wrote to memory of 3760 1276 2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exe 85 PID 1276 wrote to memory of 3760 1276 2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exe 85 PID 1276 wrote to memory of 3760 1276 2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exe 85 PID 1276 wrote to memory of 844 1276 2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exe 86 PID 1276 wrote to memory of 844 1276 2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exe 86 PID 1276 wrote to memory of 844 1276 2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exe 86 PID 1276 wrote to memory of 3288 1276 2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exe 87 PID 1276 wrote to memory of 3288 1276 2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exe 87 PID 1276 wrote to memory of 3288 1276 2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exe 87 PID 1276 wrote to memory of 4428 1276 2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exe 89 PID 1276 wrote to memory of 4428 1276 2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exe 89 PID 1276 wrote to memory of 4428 1276 2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exe 89 PID 1276 wrote to memory of 1748 1276 2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exe 90 PID 1276 wrote to memory of 1748 1276 2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exe 90 PID 1276 wrote to memory of 1748 1276 2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exe 90 PID 1276 wrote to memory of 1780 1276 2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exe 91 PID 1276 wrote to memory of 1780 1276 2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exe 91 PID 1276 wrote to memory of 1780 1276 2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exe 91 PID 1276 wrote to memory of 4480 1276 2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exe 92 PID 1276 wrote to memory of 4480 1276 2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exe 92 PID 1276 wrote to memory 
of 4480 1276 2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exe 92 PID 3288 wrote to memory of 2480 3288 cmd.exe 97 PID 3288 wrote to memory of 2480 3288 cmd.exe 97 PID 3288 wrote to memory of 2480 3288 cmd.exe 97 PID 4480 wrote to memory of 708 4480 cmd.exe 98 PID 4480 wrote to memory of 708 4480 cmd.exe 98 PID 4480 wrote to memory of 708 4480 cmd.exe 98 PID 2480 wrote to memory of 3672 2480 2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exe 100 PID 2480 wrote to memory of 3672 2480 2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exe 100 PID 2480 wrote to memory of 3672 2480 2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exe 100 PID 3672 wrote to memory of 2656 3672 cmd.exe 102 PID 3672 wrote to memory of 2656 3672 cmd.exe 102 PID 3672 wrote to memory of 2656 3672 cmd.exe 102 PID 2480 wrote to memory of 4884 2480 2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exe 103 PID 2480 wrote to memory of 4884 2480 2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exe 103 PID 2480 wrote to memory of 4884 2480 2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exe 103 PID 2480 wrote to memory of 5072 2480 2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exe 104 PID 2480 wrote to memory of 5072 2480 2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exe 104 PID 2480 wrote to memory of 5072 2480 2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exe 104 PID 2480 wrote to memory of 5056 2480 2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exe 105 PID 2480 wrote to memory of 5056 2480 2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exe 105 PID 2480 wrote to memory of 5056 2480 2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exe 105 PID 2480 wrote to memory of 4500 2480 2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exe 106 PID 2480 wrote to memory of 4500 2480 2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exe 106 PID 2480 wrote to memory of 4500 2480 2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exe 106 PID 4500 wrote 
to memory of 1752 4500 cmd.exe 111 PID 4500 wrote to memory of 1752 4500 cmd.exe 111 PID 4500 wrote to memory of 1752 4500 cmd.exe 111 PID 2656 wrote to memory of 932 2656 2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exe 112 PID 2656 wrote to memory of 932 2656 2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exe 112 PID 2656 wrote to memory of 932 2656 2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exe 112 PID 932 wrote to memory of 4672 932 cmd.exe 114 PID 932 wrote to memory of 4672 932 cmd.exe 114 PID 932 wrote to memory of 4672 932 cmd.exe 114 PID 2656 wrote to memory of 4172 2656 2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exe 115 PID 2656 wrote to memory of 4172 2656 2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exe 115 PID 2656 wrote to memory of 4172 2656 2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exe 115 PID 2656 wrote to memory of 2404 2656 2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exe 116 PID 2656 wrote to memory of 2404 2656 2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exe 116 PID 2656 wrote to memory of 2404 2656 2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exe 116 PID 2656 wrote to memory of 4476 2656 2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exe 117 PID 2656 wrote to memory of 4476 2656 2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exe 117 PID 2656 wrote to memory of 4476 2656 2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exe 117 PID 2656 wrote to memory of 4752 2656 2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exe 118
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exe"C:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exe"1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1276 -
C:\Users\Admin\yYoIsIgg\RaAsgoEs.exe"C:\Users\Admin\yYoIsIgg\RaAsgoEs.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:3760
-
-
C:\ProgramData\viswgogM\xKIsAogI.exe"C:\ProgramData\viswgogM\xKIsAogI.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:844
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3288 -
C:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2480 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock"4⤵
- Suspicious use of WriteProcessMemory
PID:3672 -
C:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2656 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock"6⤵
- Suspicious use of WriteProcessMemory
PID:932 -
C:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock7⤵
- Suspicious behavior: EnumeratesProcesses
PID:4672 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock"8⤵PID:1176
-
C:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock9⤵
- Suspicious behavior: EnumeratesProcesses
PID:1580 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock"10⤵PID:512
-
C:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock11⤵
- Suspicious behavior: EnumeratesProcesses
PID:744 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock"12⤵PID:1032
-
C:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock13⤵
- Suspicious behavior: EnumeratesProcesses
PID:228 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock"14⤵PID:1056
-
C:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock15⤵
- Suspicious behavior: EnumeratesProcesses
PID:1464 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock"16⤵
- System Location Discovery: System Language Discovery
PID:1920 -
C:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock17⤵
- Suspicious behavior: EnumeratesProcesses
PID:2444 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock"18⤵PID:1924
-
C:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock19⤵
- Suspicious behavior: EnumeratesProcesses
PID:4092 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock"20⤵
- System Location Discovery: System Language Discovery
PID:4632 -
C:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock21⤵
- Suspicious behavior: EnumeratesProcesses
PID:2832 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock"22⤵PID:3384
-
C:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock23⤵
- Suspicious behavior: EnumeratesProcesses
PID:4152 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock"24⤵PID:4932
-
C:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock25⤵
- Suspicious behavior: EnumeratesProcesses
PID:4928 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock"26⤵PID:2816
-
C:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock27⤵
- Suspicious behavior: EnumeratesProcesses
PID:1076 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock"28⤵PID:4104
-
C:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock29⤵
- Suspicious behavior: EnumeratesProcesses
PID:3464 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock"30⤵PID:4812
-
C:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock31⤵
- Suspicious behavior: EnumeratesProcesses
PID:4724 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock"32⤵PID:2024
-
C:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock33⤵PID:2400
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock"34⤵PID:776
-
C:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock35⤵PID:4860
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock"36⤵PID:2416
-
C:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock37⤵PID:4932
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock"38⤵PID:3840
-
C:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock39⤵PID:2816
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock"40⤵PID:692
-
C:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock41⤵PID:2424
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock"42⤵PID:1892
-
C:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock43⤵PID:4116
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock"44⤵PID:3576
-
C:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock45⤵PID:216
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock"46⤵PID:4172
-
C:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock47⤵PID:4648
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock"48⤵
- System Location Discovery: System Language Discovery
PID:1568 -
C:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock49⤵PID:508
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock"50⤵PID:2260
-
C:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock51⤵PID:1736
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock"52⤵PID:4364
-
C:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock53⤵
- System Location Discovery: System Language Discovery
PID:2780 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock"54⤵PID:2088
-
C:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock55⤵PID:2264
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock"56⤵PID:3052
-
C:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock57⤵PID:4768
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock"58⤵PID:1520
-
C:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock59⤵PID:1164
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock"60⤵PID:1700
-
C:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock61⤵PID:4176
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock"62⤵PID:4220
-
C:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock63⤵PID:3980
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock"64⤵PID:512
-
C:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock65⤵PID:4452
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock"66⤵PID:4764
-
C:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock67⤵PID:4444
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock"68⤵PID:2304
-
C:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock69⤵PID:3244
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock"70⤵PID:4732
-
C:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock71⤵PID:2172
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock"72⤵PID:1572
-
C:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock73⤵PID:3008
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock"74⤵PID:972
-
C:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock75⤵PID:364
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock"76⤵PID:3372
-
C:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock77⤵PID:5084
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock"78⤵PID:4120
-
C:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock79⤵PID:3836
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock"80⤵PID:1472
-
C:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock81⤵PID:2676
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock"82⤵
- System Location Discovery: System Language Discovery
PID:2480 -
C:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock83⤵PID:4564
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock"84⤵PID:4160
-
C:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock85⤵PID:4360
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock"86⤵PID:4316
-
C:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock87⤵PID:4132
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock"88⤵PID:432
-
C:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock89⤵PID:4940
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock"90⤵PID:4612
-
C:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock91⤵
- System Location Discovery: System Language Discovery
PID:1520 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock"92⤵PID:2068
-
C:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock93⤵PID:940
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock"94⤵PID:4320
-
C:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock95⤵
- System Location Discovery: System Language Discovery
PID:4660 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock"96⤵PID:4936
-
C:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock97⤵PID:2024
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock"98⤵PID:1652
-
C:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock99⤵PID:4764
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock"100⤵PID:3828
-
C:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock101⤵PID:3924
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock"102⤵PID:4500
-
C:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock103⤵PID:116
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock"104⤵PID:3332
-
C:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock105⤵
- System Location Discovery: System Language Discovery
PID:1628 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock"106⤵PID:4132
-
C:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock107⤵PID:3668
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock"108⤵PID:4512
-
C:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock109⤵PID:4412
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock"110⤵PID:3156
-
C:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock111⤵PID:1308
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock"112⤵PID:4752
-
C:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock113⤵PID:3112
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock"114⤵PID:2444
-
C:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock115⤵PID:536
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock"116⤵PID:3832
-
C:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock117⤵PID:4104
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock"118⤵PID:4652
-
C:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock119⤵PID:2880
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock"120⤵PID:4484
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1121⤵PID:4160
-
-
C:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock121⤵PID:4976
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-09-07_79c137131db29063c1d5116bd015931b_virlock"122⤵PID:1656