Analysis

max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-09-2024 16:22
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock.exe
  Resource: win10v2004-20240802-en

The signatures below are from behavioral2 (platform windows10-2004_x64, resource win10v2004-20240802-en); the win7 task is a separate run.
General

Target: 2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock.exe (the MD5 is embedded in the submitted filename)
Size: 211KB
MD5: 305450caaf5602c1b950bb8a29ccc76c
SHA1: c234a74d251ef75d0d2f3e9955858f736ea4c54c
SHA256: c50dc8d77822382a07cfad62a25c1dc6c48efb02f6cba4c3152fab29f33533ff
SHA512: e9766d2b923164b52cb4bb5266d5e8b34c7035550122b401a08cbf1799669cf718bafbc80f4ea62fe8ea9b6db3413a80eb0a39d11edb8465b5c0b15fbf823541
SSDEEP: 6144:rom6zra4Z4Nuq+Pd9b3odLjXIIesSwcEqo+DaZKn:r/6zra4Z4Nuq+Pd9b3odLj4pHwcEqo+b
Malware Config: none extracted

Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 64 IoCs)

All 64 rows are the same write, repeated:

  Set value (int)  \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"

Writer as attributed by the sandbox: reg.exe for 58 rows, "Process not Found" for the other 6 (the writing process was no longer tracked when the event was resolved). HideFileExt = 1 makes Explorer hide known extensions, so a file renamed from document.pdf to document.pdf.exe (see the rename and System32 signatures below) is displayed as document.pdf.
Sets EnableLUA = 0 (signature title lost in extraction; the rows follow the same table layout as above)

Repeated rows of the same write:

  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"

Writer: reg.exe for all rows except five attributed to "Process not Found". EnableLUA = 0 turns User Account Control off; the setting only takes effect at the next reboot, and because the key lives under HKLM the write can only succeed from a process that already holds administrative rights (the sandbox profile is C:\Users\Admin, per the Run key IoCs below).
Renames multiple (77) files with added filename extension
Consistent with ransomware encrypting files on the system. Read together with the System32 drop below (C:\Windows\SysWOW64\shell32.dll.exe, an existing file name with .exe appended): Virlock, the family this sample is filed under, is a polymorphic file infector that replaces each victim file with an executable carrying the original content, and HideFileExt = 1 keeps the appended .exe out of sight in Explorer.
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely as a geofence.

  Key value queried  \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation  neAEYQQc.exe
Executes dropped EXE (2 IoCs)

  PID 4272  neAEYQQc.exe
  PID 1476  gSgUIYkc.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials. No IoC rows are attached to this signature in the report, so treat it as a weak indicator rather than evidence that credentials were read or sent anywhere.
Adds Run key to start application (2 TTPs, 4 IoCs)

Paths shown with the raw report's doubled backslashes collapsed:

  Set value (str)  \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\neAEYQQc.exe = "C:\Users\Admin\qiogwggE\neAEYQQc.exe"  2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\gSgUIYkc.exe = "C:\ProgramData\MmMwQwUc\gSgUIYkc.exe"  2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\neAEYQQc.exe = "C:\Users\Admin\qiogwggE\neAEYQQc.exe"  neAEYQQc.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\gSgUIYkc.exe = "C:\ProgramData\MmMwQwUc\gSgUIYkc.exe"  gSgUIYkc.exe

Two persistence points: a per-user copy under the profile and a machine-wide copy under ProgramData. The HKLM entry lands under WOW6432Node because the sample is a 32-bit image (arch:x86 tag, SysWOW64 paths) running on a 64-bit host, and each dropped copy re-asserts its own Run value once it starts. For host triage, check both the native and WOW6432Node views of HKLM\...\Run as well as HKCU\...\Run, and look for the randomly named directories qiogwggE and MmMwQwUc.
Drops file in System32 directory (2 IoCs)

  File created                  C:\Windows\SysWOW64\shell32.dll.exe  neAEYQQc.exe
  File opened for modification  C:\Windows\SysWOW64\shell32.dll.exe  neAEYQQc.exe

Writing into C:\Windows\SysWOW64 also requires administrative rights, another sign the dropped copy was running elevated.
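The registry tables above (HideFileExt, EnableLUA and the Run keys) repeat one row dozens of times, and collapsing them by hand is error-prone. The following Python is an added example, not Triage's code and nothing from the sample: it parses rows in the report's own `Set value (type) path = "value" process` form (as the raw page prints them, with JSON-style doubled backslashes inside string values), evaluates three rules over them and collapses identical rows into counts per rule and writer. The input is constructed from this page's IoCs plus one made-up benign Explorer write to exercise the negative path; the ATT&CK technique IDs in RULES are the editor's mapping, not the report's "2 TTPs" labels.

```python
"""Parse the 'Set value' rows of a Triage-style signature table and run a few
detection rules over them.  Added example for this page; not Triage's code and
not the sample's.  The ATT&CK IDs below are the editor's own mapping."""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# One row of the report's "description ioc Process" tables looks like
#   Set value (int) \REGISTRY\MACHINE\...\Policies\System\EnableLUA = "0" reg.exe
# The process column is an image name or the literal "Process not Found".
ROW_RE = re.compile(
    r'Set value \((?P<kind>int|str)\) (?P<path>\\REGISTRY\\\S+) = '
    r'"(?P<value>[^"]*)" (?P<process>Process not Found|\S+)'
)


@dataclass(frozen=True)
class RegWrite:
    kind: str     # "int" (DWORD) or "str" (REG_SZ), as the report labels it
    path: str     # native path: \REGISTRY\USER\<SID>\... or \REGISTRY\MACHINE\...
    value: str    # value written, with the report's doubled backslashes undone
    process: str  # writer as attributed by the sandbox


def parse_rows(text: str) -> list[RegWrite]:
    """Split a flattened signature table into individual registry writes."""
    return [
        RegWrite(m["kind"], m["path"], m["value"].replace("\\\\", "\\"), m["process"])
        for m in ROW_RE.finditer(text)
    ]


def _ends_with(path: str, suffix: str) -> bool:
    return path.lower().endswith(suffix.lower())


# (rule name, ATT&CK technique assumed by the editor, predicate on a RegWrite)
RULES = [
    ("UAC disabled: EnableLUA = 0", "T1548.002",
     lambda w: _ends_with(w.path, r"\Policies\System\EnableLUA") and w.value == "0"),
    ("Explorer hides file extensions: HideFileExt = 1", "T1564.001",
     lambda w: _ends_with(w.path, r"\Explorer\Advanced\HideFileExt") and w.value == "1"),
    ("Run-key persistence", "T1547.001",
     lambda w: "\\currentversion\\run\\" in w.path.lower()),
]


def evaluate(writes: list[RegWrite]) -> list[tuple[str, str, RegWrite]]:
    """Return (rule, technique, write) for every write that trips a rule."""
    return [(name, tech, w) for w in writes for name, tech, pred in RULES if pred(w)]


def summarize(findings) -> Counter:
    """Collapse the report's repeated identical rows into counts per rule and writer."""
    return Counter((name, tech, w.process) for name, tech, w in findings)


def triage(text: str) -> dict:
    writes = parse_rows(text)
    findings = evaluate(writes)
    return {"rows": len(writes), "hits": len(findings), "summary": summarize(findings)}


# Constructed input: a few of this page's rows (the raw report repeats each one
# dozens of times) plus one made-up benign Explorer write by explorer.exe.
SID = "S-1-5-21-945322488-2060912225-3527527000-1000"
HKU_CV = "\\REGISTRY\\USER\\" + SID + "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion"
HKLM_CV = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
SAMPLE = " ".join([
    rf'Set value (int) {HKU_CV}\Explorer\Advanced\HideFileExt = "1" reg.exe',
    rf'Set value (int) {HKU_CV}\Explorer\Advanced\HideFileExt = "1" reg.exe',
    rf'Set value (int) {HKU_CV}\Explorer\Advanced\HideFileExt = "1" Process not Found',
    rf'Set value (int) {HKLM_CV}\Policies\System\EnableLUA = "0" reg.exe',
    rf'Set value (int) {HKLM_CV}\Policies\System\EnableLUA = "0" reg.exe',
    rf'Set value (str) {HKU_CV}\Run\neAEYQQc.exe = "C:\\Users\\Admin\\qiogwggE\\neAEYQQc.exe" '
    r'2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion'
    r'\Run\gSgUIYkc.exe = "C:\\ProgramData\\MmMwQwUc\\gSgUIYkc.exe" gSgUIYkc.exe',
    # benign, made-up row: not from the report, should trip no rule
    rf'Set value (int) {HKU_CV}\Explorer\Advanced\TaskbarGlomLevel = "1" explorer.exe',
])

if __name__ == "__main__":
    result = triage(SAMPLE)
    print(f'{result["rows"]} rows parsed, {result["hits"]} rule hits')
    for (name, tech, proc), n in sorted(result["summary"].items()):
        print(f"{n:3d}x {tech} {name} <- {proc}")
```

To use it on the real page, paste a whole signature table (the text between the "description ioc Process" header and the trailing dash) into `triage()`; rows whose writer is "Process not Found" stay separate in the summary on purpose, since an unattributed write is worth a second look.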
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather the system language of the victim in order to infer the host's geographical location.

All 64 rows are reads of the same key:

  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language

Readers: cmd.exe, reg.exe, cscript.exe, 2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock.exe, and "Process not Found".

cmd.exe, reg.exe and cscript.exe open this key during normal process start-up, so the row count mostly reflects how many helper processes the sample spawned; on its own this signature is not evidence of a deliberate language check.
Modifies registry key (1 TTP, 64 IoCs)

PIDs, all reg.exe unless noted: 1592, 4896, 3212, 3652, 4216, 4920 (Process not Found), 5020, 4348, 212, 1808, 3212, 4136, 1000, 1536, 4908, 4140, 3924, 3544, 4160, 1484, 2160, 4872, 4300 (Process not Found), 5060, 2600, 3572, 772, 4220, 4896, 2056 (Process not Found), 1288, 736, 3160, 1648, 1140, 2536, 4524, 4520, 4264, 4552, 4964, 3424, 3184, 3472, 3420, 860, 4792, 3896, 5000, 1344, 4624, 1904, 4536, 3472, 3708, 4732, 4884, 5112, 4388 (Process not Found), 4868, 3572, 3260, 4136, 5084

PIDs that appear twice here (3212, 4896, 3572, 3472, 4136) are either PID reuse by later short-lived reg.exe instances or two writes by the same instance; the report does not distinguish. PID reuse during the run is certain in at least two cases: 5020 and 4552 are reg.exe here and the sample itself in the EnumeratesProcesses list below, so correlate on process start time rather than PID alone.
Suspicious behavior: EnumeratesProcesses (64 IoCs)

Every row is 2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock.exe; each of these PIDs appears four times: 1392, 2568, 5020, 4980, 1852, 2836, 1680, 5016, 5116, 2488, 4552, 3560, 1680 (a second group of four), 3484, 2128, 4328.

Sixteen different PIDs for the same image means the sample was launched repeatedly during the run rather than executed once.
Suspicious behavior: GetForegroundWindowSpam (1 IoC)

  PID 4272  neAEYQQc.exe
Suspicious use of FindShellTrayWindow (64 IoCs)

  PID 4272  neAEYQQc.exe  (the same row repeated 64 times)
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target (each line below groups the identical records; the count in parentheses is the number of IoC records)
PID 1392 (2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock.exe) wrote to memory of 4272, procid_target 83 (3)
PID 1392 (2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock.exe) wrote to memory of 1476, procid_target 84 (3)
PID 1392 (2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock.exe) wrote to memory of 3884, procid_target 85 (3)
PID 1392 (2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock.exe) wrote to memory of 4952, procid_target 87 (3)
PID 1392 (2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock.exe) wrote to memory of 3104, procid_target 88 (3)
PID 1392 (2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock.exe) wrote to memory of 3500, procid_target 89 (3)
PID 1392 (2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock.exe) wrote to memory of 1240, procid_target 90 (3)
PID 3884 (cmd.exe) wrote to memory of 2568, procid_target 92 (3)
PID 1240 (cmd.exe) wrote to memory of 1848, procid_target 96 (3)
PID 2568 (2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock.exe) wrote to memory of 1768, procid_target 97 (3)
PID 1768 (cmd.exe) wrote to memory of 5020, procid_target 99 (3)
PID 2568 (2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock.exe) wrote to memory of 1236, procid_target 100 (3)
PID 2568 (2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock.exe) wrote to memory of 4896, procid_target 101 (3)
PID 2568 (2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock.exe) wrote to memory of 4464, procid_target 102 (3)
PID 2568 (2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock.exe) wrote to memory of 3652, procid_target 103 (3)
PID 3652 (cmd.exe) wrote to memory of 1860, procid_target 108 (3)
PID 5020 (2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock.exe) wrote to memory of 1828, procid_target 109 (3)
PID 5020 (2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock.exe) wrote to memory of 1332, procid_target 111 (3)
PID 5020 (2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock.exe) wrote to memory of 1508, procid_target 112 (3)
PID 5020 (2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock.exe) wrote to memory of 4920, procid_target 113 (3)
PID 5020 (2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock.exe) wrote to memory of 4876, procid_target 114 (3)
PID 1828 (cmd.exe) wrote to memory of 4980, procid_target 119 (1)
Processes
Legend for the tree below (every entry expands to the full path given here):
  SAMPLE       = C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock.exe
  SAMPLE_NOEXT = C:\Users\Admin\AppData\Local\Temp\2024-09-19_305450caaf5602c1b950bb8a29ccc76c_virlock (the same path without its .exe extension)
  RELAUNCH     = C:\Windows\SysWOW64\cmd.exe, command line: C:\Windows\system32\cmd.exe /c "SAMPLE_NOEXT"
The depth-1 SAMPLE was started with command line "SAMPLE" (quoted). Every SAMPLE at depth 3 and deeper was started by a RELAUNCH parent and carries the command line SAMPLE_NOEXT: cmd.exe resolves the extension-less name to the .exe, so the tree is a single self-relaunch loop 122 levels deep, broken only by the two dropped executables at depth 2 and a conhost.exe at depth 111. PIDs repeat further down the tree (for example 1680, 5016, 2472, 4552, 2260, 1644, 2156, 1860, 1848, 4520, 4908) because Windows reuses PIDs of exited processes.

depth 1 | PID 1392 | SAMPLE | command line: "SAMPLE"
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
depth 2 | PID 4272 | C:\Users\Admin\qiogwggE\neAEYQQc.exe | command line: "C:\Users\Admin\qiogwggE\neAEYQQc.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
depth 2 | PID 1476 | C:\ProgramData\MmMwQwUc\gSgUIYkc.exe | command line: "C:\ProgramData\MmMwQwUc\gSgUIYkc.exe"
  - Executes dropped EXE
  - Adds Run key to start application
depth 2 | PID 3884 | RELAUNCH
  - Suspicious use of WriteProcessMemory
depth 3 | PID 2568 | SAMPLE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
depth 4 | PID 1768 | RELAUNCH
  - Suspicious use of WriteProcessMemory
depth 5 | PID 5020 | SAMPLE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
depth 6 | PID 1828 | RELAUNCH
  - Suspicious use of WriteProcessMemory
depth 7 | PID 4980 | SAMPLE
  - Suspicious behavior: EnumeratesProcesses
depth 8 | PID 916 | RELAUNCH
depth 9 | PID 1852 | SAMPLE
  - Suspicious behavior: EnumeratesProcesses
depth 10 | PID 3208 | RELAUNCH
  - System Location Discovery: System Language Discovery
depth 11 | PID 2836 | SAMPLE
  - Suspicious behavior: EnumeratesProcesses
depth 12 | PID 4172 | RELAUNCH
depth 13 | PID 1680 | SAMPLE
  - Suspicious behavior: EnumeratesProcesses
depth 14 | PID 808 | RELAUNCH
  - System Location Discovery: System Language Discovery
depth 15 | PID 5016 | SAMPLE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
depth 16 | PID 4496 | RELAUNCH
depth 17 | PID 5116 | SAMPLE
  - Suspicious behavior: EnumeratesProcesses
depth 18 | PID 1972 | RELAUNCH
depth 19 | PID 2488 | SAMPLE
  - Suspicious behavior: EnumeratesProcesses
depth 20 | PID 2472 | RELAUNCH
depth 21 | PID 4552 | SAMPLE
  - Suspicious behavior: EnumeratesProcesses
depth 22 | PID 4508 | RELAUNCH
depth 23 | PID 3560 | SAMPLE
  - Suspicious behavior: EnumeratesProcesses
depth 24 | PID 1184 | RELAUNCH
depth 25 | PID 1680 | SAMPLE
  - Suspicious behavior: EnumeratesProcesses
depth 26 | PID 3552 | RELAUNCH
depth 27 | PID 3484 | SAMPLE
  - Suspicious behavior: EnumeratesProcesses
depth 28 | PID 1236 | RELAUNCH
depth 29 | PID 2128 | SAMPLE
  - Suspicious behavior: EnumeratesProcesses
depth 30 | PID 4080 | RELAUNCH
depth 31 | PID 4328 | SAMPLE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
depth 32 | PID 1484 | RELAUNCH
depth 33 | PID 4672 | SAMPLE
depth 34 | PID 4520 | RELAUNCH
depth 35 | PID 1644 | SAMPLE
depth 36 | PID 3296 | RELAUNCH
depth 37 | PID 1508 | SAMPLE
depth 38 | PID 5016 | RELAUNCH
depth 39 | PID 2264 | SAMPLE
depth 40 | PID 1592 | RELAUNCH
depth 41 | PID 460 | SAMPLE
depth 42 | PID 4872 | RELAUNCH
depth 43 | PID 2472 | SAMPLE
depth 44 | PID 4300 | RELAUNCH
depth 45 | PID 1308 | SAMPLE
depth 46 | PID 428 | RELAUNCH
depth 47 | PID 2260 | SAMPLE
depth 48 | PID 4964 | RELAUNCH
depth 49 | PID 3824 | SAMPLE
depth 50 | PID 4972 | RELAUNCH
depth 51 | PID 1536 | SAMPLE
depth 52 | PID 5056 | RELAUNCH
depth 53 | PID 1816 | SAMPLE
depth 54 | PID 4552 | RELAUNCH
  - System Location Discovery: System Language Discovery
depth 55 | PID 1976 | SAMPLE
depth 56 | PID 3700 | RELAUNCH
  - System Location Discovery: System Language Discovery
depth 57 | PID 2156 | SAMPLE
depth 58 | PID 4712 | RELAUNCH
depth 59 | PID 2496 | SAMPLE
depth 60 | PID 2736 | RELAUNCH
depth 61 | PID 1312 | SAMPLE
depth 62 | PID 2924 | RELAUNCH
depth 63 | PID 2020 | SAMPLE
depth 64 | PID 1672 | RELAUNCH
depth 65 | PID 4308 | SAMPLE
depth 66 | PID 2216 | RELAUNCH
depth 67 | PID 2300 | SAMPLE
depth 68 | PID 524 | RELAUNCH
depth 69 | PID 3012 | SAMPLE
depth 70 | PID 804 | RELAUNCH
  - System Location Discovery: System Language Discovery
depth 71 | PID 4548 | SAMPLE
depth 72 | PID 4728 | RELAUNCH
depth 73 | PID 1644 | SAMPLE
depth 74 | PID 4148 | RELAUNCH
depth 75 | PID 4892 | SAMPLE
depth 76 | PID 2156 | RELAUNCH
depth 77 | PID 1860 | SAMPLE
depth 78 | PID 4988 | RELAUNCH
depth 79 | PID 3960 | SAMPLE
depth 80 | PID 2188 | RELAUNCH
depth 81 | PID 5036 | SAMPLE
depth 82 | PID 3584 | RELAUNCH
depth 83 | PID 1848 | SAMPLE
depth 84 | PID 232 | RELAUNCH
depth 85 | PID 4732 | SAMPLE
depth 86 | PID 2676 | RELAUNCH
depth 87 | PID 1532 | SAMPLE
depth 88 | PID 1752 | RELAUNCH
depth 89 | PID 740 | SAMPLE
depth 90 | PID 4292 | RELAUNCH
depth 91 | PID 4436 | SAMPLE
  - System Location Discovery: System Language Discovery
depth 92 | PID 4028 | RELAUNCH
depth 93 | PID 1924 | SAMPLE
depth 94 | PID 2356 | RELAUNCH
depth 95 | PID 3164 | SAMPLE
depth 96 | PID 2548 | RELAUNCH
depth 97 | PID 1052 | SAMPLE
depth 98 | PID 4908 | RELAUNCH
depth 99 | PID 3388 | SAMPLE
depth 100 | PID 4152 | RELAUNCH
depth 101 | PID 4792 | SAMPLE
depth 102 | PID 220 | RELAUNCH
depth 103 | PID 4452 | SAMPLE
depth 104 | PID 3440 | RELAUNCH
depth 105 | PID 2952 | SAMPLE
depth 106 | PID 3516 | RELAUNCH
depth 107 | PID 4520 | SAMPLE
depth 108 | PID 4376 | RELAUNCH
depth 109 | PID 3196 | SAMPLE
depth 110 | PID 1164 | RELAUNCH
depth 111 | PID 4908 | C:\Windows\System32\Conhost.exe | command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
depth 111 | PID 4136 | SAMPLE
depth 112 | PID 4640 | RELAUNCH
depth 113 | PID 2856 | SAMPLE
depth 114 | PID 3248 | RELAUNCH
depth 115 | PID 4348 | SAMPLE
depth 116 | PID 5068 | RELAUNCH
depth 117 | PID 3420 | SAMPLE
depth 118 | PID 5016 | RELAUNCH
depth 119 | PID 2260 | SAMPLE
depth 120 | PID 2224 | RELAUNCH
depth 121 | PID 3996 | SAMPLE
depth 122 | PID 1020 | RELAUNCH
  - System Location Discovery: System Language Discovery