Analysis

max time kernel:   149s
max time network:  121s
platform:          windows7_x64
resource:          win7-20240903-en
resource tags:     arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted:         27/09/2024, 10:23

Static task:       static1
Behavioral task:   behavioral1
  Sample:          2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
  Resource:        win7-20240903-en
Behavioral task:   behavioral2
  Sample:          2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
  Resource:        win10v2004-20240802-en

General

Target:   2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
Size:     121KB
MD5:      24ac9c6e989b5d7624e35a161746b213
SHA1:     ac3e10b9bcb9b5c7f6e7e3eb3d3051e6bf02f873
SHA256:   0abc2028782c87618854f9c04218ec5f60f579bd9c3fb1882f268f1b19b35c5a
SHA512:   10582c1b96193d4833fe8eaaf8166ea43b646a08f7c6303dddcdd298e774bdfb663c6e581eb9a54dd984b096b8f2695db34b5bf0123c2633967d9cd82e38df14
SSDEEP:   1536:CV+YuVqHH7RBxtM9pJmbw+uLszXn6hbRhWjYxUWvUgea4nnF6wRohw3r:E+YGSHJtUV+uozXM6lnF6a3r
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer  (2 TTPs, 64 IoCs)
HideFileExt = 1 is the Explorer setting that hides the extension of known file types, so an infected .exe shows only the name of the document it was built from.
description      ioc                                                                                                                                              process
Set value (int)  \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"  reg.exe
(64 identical entries)

Untitled signature  (64 IoCs)
EnableLUA = 0 switches UAC off machine-wide; the change takes effect at the next logon or reboot.
description      ioc                                                                                         process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  reg.exe
(64 identical entries)
Checks computer location settings  (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check.
description        ioc                                                                                                          process
Key value queried  \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\International\Geo\Nation  kKEQgEcI.exe

Deletes itself  (1 IoC)
pid   process
1000  cmd.exe

Executes dropped EXE  (2 IoCs)
pid   process
2700  kKEQgEcI.exe
2908  rcAMAYQU.exe

Loads dropped DLL  (20 IoCs)
pid   process                                                    entries
1580  2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe  4
2700  kKEQgEcI.exe                                               16
Reads user/profile data of web browsers  (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials.
Adds Run key to start application  (2 TTPs, 4 IoCs)
The sample registers both dropped executables, and each dropped executable re-registers its own entry once it runs. The HKLM entry lands under Wow6432Node because it is written by a 32-bit process on the x64 image and WOW64 redirects HKLM\SOFTWARE writes there; a detection rule that only watches the native Run key misses it.
description      ioc                                                                                                                                                                            process
Set value (str)  \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\kKEQgEcI.exe = "C:\\Users\\Admin\\VikscAYM\\kKEQgEcI.exe"  2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\rcAMAYQU.exe = "C:\\ProgramData\\SiQskQgo\\rcAMAYQU.exe"                                    2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\kKEQgEcI.exe = "C:\\Users\\Admin\\VikscAYM\\kKEQgEcI.exe"  kKEQgEcI.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\rcAMAYQU.exe = "C:\\ProgramData\\SiQskQgo\\rcAMAYQU.exe"                                    rcAMAYQU.exe
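The registry tables in this report (HideFileExt, EnableLUA and the Run entries) log every write as its own row, in the kernel's \REGISTRY\MACHINE and \REGISTRY\USER\<SID> naming, so one indicator shows up dozens of times and in a form that reg.exe, PowerShell and most detection rules do not use. The following Python is an added example, not part of the sandbox report and not code from the sample: it parses rows in the report's shape, maps the native paths to HKLM / HKU\<SID>, collapses repeats into distinct indicators with counts, and compares them against a host registry snapshot with the sandbox user's SID wildcarded. The sample text is assembled from values in the tables above, the host snapshot is constructed, and all function names are the example's own.

```python
import re
from collections import Counter
from typing import Dict, List

# Constructed input: four rows in the shape the sandbox prints them
# ('Set value (<type>) <native key path> = "<data>" <process>'), run together
# with one row broken across a line, as in the extracted report above.
SAMPLE_REPORT_TEXT = (
    'Set value (int) \\REGISTRY\\USER\\S-1-5-21-3063565911-2056067323-3330884624-1000'
    '\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\HideFileExt = "1" reg.exe Set \n'
    'value (int) \\REGISTRY\\USER\\S-1-5-21-3063565911-2056067323-3330884624-1000'
    '\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\HideFileExt = "1" reg.exe '
    'Set value (int) \\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion'
    '\\Policies\\System\\EnableLUA = "0" reg.exe '
    'Set value (str) \\REGISTRY\\MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion'
    '\\Run\\rcAMAYQU.exe = "C:\\\\ProgramData\\\\SiQskQgo\\\\rcAMAYQU.exe" rcAMAYQU.exe'
)

ROW_RE = re.compile(
    r'Set value \((?P<type>\w+)\) (?P<path>\\REGISTRY\\.+?) = "(?P<data>[^"]*)" (?P<proc>\S+)'
)
MACHINE_PREFIX = "\\REGISTRY\\MACHINE\\"
USER_SID_RE = re.compile(r"^\\REGISTRY\\USER\\(S-1-5-21-[\d-]+)\\")
HKU_SID_RE = re.compile(r"^HKU\\S-1-5-21-[\d-]+\\")


def normalize_key_path(native: str) -> str:
    """Map the object-manager form the sandbox logs (\\REGISTRY\\MACHINE, \\REGISTRY\\USER\\<SID>)
    to the HKLM / HKU\\<SID> form used by reg.exe, PowerShell and most detection rules."""
    if native.startswith(MACHINE_PREFIX):
        return "HKLM\\" + native[len(MACHINE_PREFIX):]
    m = USER_SID_RE.match(native)
    if m:
        return "HKU\\" + m.group(1) + "\\" + native[m.end():]
    return native


def parse_set_value_rows(text: str) -> List[Dict[str, str]]:
    """One record per 'Set value' row; whitespace (including the line breaks the
    extraction put inside rows) is collapsed before matching."""
    flat = " ".join(text.split())
    rows = []
    for m in ROW_RE.finditer(flat):
        full = normalize_key_path(m.group("path"))
        key, _, name = full.rpartition("\\")
        rows.append({
            "type": m.group("type"),
            "key": key,
            "name": name,
            # the sandbox doubles backslashes inside string data
            "data": m.group("data").replace("\\\\", "\\"),
            "process": m.group("proc"),
        })
    return rows


def summarize(rows: List[Dict[str, str]]) -> Counter:
    """Collapse repeated rows to distinct (value path, data, process) with a count."""
    return Counter((r["key"] + "\\" + r["name"], r["data"], r["process"]) for r in rows)


def generic_path(path: str) -> str:
    """Wildcard the sandbox user's SID so an HKU indicator matches any user hive."""
    return HKU_SID_RE.sub(lambda _: "HKU\\*\\", path)


def find_matches(snapshot: Dict[str, str], rows: List[Dict[str, str]]) -> List[str]:
    """Paths in a host snapshot ({'HKLM\\...\\Name': data}) whose data equals what
    the sample wrote. Exact-data comparison: HideFileExt = "0" does not match."""
    wanted = {(generic_path(r["key"] + "\\" + r["name"]), r["data"]) for r in rows}
    return sorted(p for p, d in snapshot.items() if (generic_path(p), d) in wanted)


# Constructed host snapshot: a different user SID than the sandbox's, UAC already
# disabled, extensions still shown, no Run entry.
CONSTRUCTED_SNAPSHOT = {
    "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA": "0",
    "HKU\\S-1-5-21-1111111111-2222222222-3333333333-1001\\Software\\Microsoft\\Windows"
    "\\CurrentVersion\\Explorer\\Advanced\\HideFileExt": "0",
}

if __name__ == "__main__":
    rows = parse_set_value_rows(SAMPLE_REPORT_TEXT)
    for (path, data, proc), n in summarize(rows).items():
        print(f"{n:3d}x {proc:<14} {path} = {data!r}")
    print("matches on host:", find_matches(CONSTRUCTED_SNAPSHOT, rows))
```

The comparison is deliberately exact on the data: EnableLUA set to 0 is a match, HideFileExt left at 0 is not, and an HKU entry matches under any user SID because the sandbox's SID is meaningless outside that VM. A real host snapshot would come from reg.exe or Get-ItemProperty output rather than the dictionary constructed here.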
Enumerates physical storage devices  (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery  (1 TTP, 64 IoCs)
Attempts to gather information about the system language of the victim in order to infer the geographical location of the host. This key is also read during ordinary process start-up, so on its own it is a weak indicator; the Geo\Nation query above is the stronger one.
description  ioc                                                       process (entries)
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  reg.exe (31), cmd.exe (16), cscript.exe (8), 2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe (8), kKEQgEcI.exe (1)
Modifies registry key  (1 TTP, 64 IoCs)
All 64 entries are reg.exe. PIDs in report order (values recur, e.g. 1804 four times, because each is a separate short-lived reg.exe invocation and Windows reuses process IDs):
816, 2112, 1800, 1552, 600, 1804, 2352, 2628, 2604, 2432, 2688, 2508, 2540, 2648, 2452, 1804, 1748, 1804, 1748, 2796, 1520, 1848, 3064, 1596, 2444, 2268, 2384, 320, 1312, 1656, 2456, 2548, 2600, 2352, 2264, 636, 1804, 3048, 2804, 1760, 296, 2348, 448, 1464, 2632, 1556, 1520, 2608, 2640, 552, 2588, 2436, 1468, 2956, 2476, 1696, 896, 1888, 2432, 1244, 1676, 3012, 2640, 2004
Suspicious behavior: EnumeratesProcesses  (64 IoCs)
All 64 entries are 2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe, two per PID. PIDs in report order (2312 is listed twice):
1580, 2952, 2688, 916, 1196, 2516, 2732, 2176, 1084, 1052, 2488, 996, 2716, 1584, 844, 2456, 636, 948, 1720, 2548, 2312, 2068, 2884, 1004, 2832, 2948, 2312, 2544, 2520, 988, 2616, 2292
Suspicious behavior: GetForegroundWindowSpam  (1 IoC)
pid   process
2700  kKEQgEcI.exe
Suspicious use of FindShellTrayWindow  (64 IoCs)
pid   process
2700  kKEQgEcI.exe
(64 identical entries)
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1580 wrote to memory of 2700 1580 2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe 30 PID 1580 wrote to memory of 2700 1580 2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe 30 PID 1580 wrote to memory of 2700 1580 2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe 30 PID 1580 wrote to memory of 2700 1580 2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe 30 PID 1580 wrote to memory of 2908 1580 2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe 31 PID 1580 wrote to memory of 2908 1580 2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe 31 PID 1580 wrote to memory of 2908 1580 2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe 31 PID 1580 wrote to memory of 2908 1580 2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe 31 PID 1580 wrote to memory of 2708 1580 2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe 32 PID 1580 wrote to memory of 2708 1580 2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe 32 PID 1580 wrote to memory of 2708 1580 2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe 32 PID 1580 wrote to memory of 2708 1580 2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe 32 PID 2708 wrote to memory of 2952 2708 cmd.exe 34 PID 2708 wrote to memory of 2952 2708 cmd.exe 34 PID 2708 wrote to memory of 2952 2708 cmd.exe 34 PID 2708 wrote to memory of 2952 2708 cmd.exe 34 PID 1580 wrote to memory of 3064 1580 2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe 35 PID 1580 wrote to memory of 3064 1580 2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe 35 PID 1580 wrote to memory of 3064 1580 2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe 35 PID 1580 wrote to memory of 3064 1580 2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe 35 PID 1580 wrote to memory of 2728 1580 2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe 36 PID 1580 wrote to memory of 2728 1580 2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe 36 PID 1580 wrote to 
memory of 2728 1580 2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe 36 PID 1580 wrote to memory of 2728 1580 2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe 36 PID 1580 wrote to memory of 2760 1580 2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe 37 PID 1580 wrote to memory of 2760 1580 2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe 37 PID 1580 wrote to memory of 2760 1580 2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe 37 PID 1580 wrote to memory of 2760 1580 2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe 37 PID 1580 wrote to memory of 2584 1580 2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe 38 PID 1580 wrote to memory of 2584 1580 2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe 38 PID 1580 wrote to memory of 2584 1580 2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe 38 PID 1580 wrote to memory of 2584 1580 2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe 38 PID 2584 wrote to memory of 3056 2584 cmd.exe 43 PID 2584 wrote to memory of 3056 2584 cmd.exe 43 PID 2584 wrote to memory of 3056 2584 cmd.exe 43 PID 2584 wrote to memory of 3056 2584 cmd.exe 43 PID 2952 wrote to memory of 748 2952 2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe 44 PID 2952 wrote to memory of 748 2952 2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe 44 PID 2952 wrote to memory of 748 2952 2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe 44 PID 2952 wrote to memory of 748 2952 2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe 44 PID 748 wrote to memory of 2688 748 cmd.exe 46 PID 748 wrote to memory of 2688 748 cmd.exe 46 PID 748 wrote to memory of 2688 748 cmd.exe 46 PID 748 wrote to memory of 2688 748 cmd.exe 46 PID 2952 wrote to memory of 816 2952 2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe 47 PID 2952 wrote to memory of 816 2952 2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe 47 PID 2952 wrote to memory of 816 2952 
2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe 47 PID 2952 wrote to memory of 816 2952 2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe 47 PID 2952 wrote to memory of 2576 2952 2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe 48 PID 2952 wrote to memory of 2576 2952 2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe 48 PID 2952 wrote to memory of 2576 2952 2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe 48 PID 2952 wrote to memory of 2576 2952 2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe 48 PID 2952 wrote to memory of 1912 2952 2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe 50 PID 2952 wrote to memory of 1912 2952 2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe 50 PID 2952 wrote to memory of 1912 2952 2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe 50 PID 2952 wrote to memory of 1912 2952 2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe 50 PID 2952 wrote to memory of 2552 2952 2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe 52 PID 2952 wrote to memory of 2552 2952 2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe 52 PID 2952 wrote to memory of 2552 2952 2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe 52 PID 2952 wrote to memory of 2552 2952 2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe 52 PID 2552 wrote to memory of 2084 2552 cmd.exe 55 PID 2552 wrote to memory of 2084 2552 cmd.exe 55 PID 2552 wrote to memory of 2084 2552 cmd.exe 55 PID 2552 wrote to memory of 2084 2552 cmd.exe 55
Processes
-
Depth 1: C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 1580

Depth 2: C:\Users\Admin\VikscAYM\kKEQgEcI.exe
  Command line: "C:\Users\Admin\VikscAYM\kKEQgEcI.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID: 2700

Depth 2: C:\ProgramData\SiQskQgo\rcAMAYQU.exe
  Command line: "C:\ProgramData\SiQskQgo\rcAMAYQU.exe"
  - Executes dropped EXE
  - Adds Run key to start application
  PID: 2908

Depth 2: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
  - Suspicious use of WriteProcessMemory
  PID: 2708

Depth 3: C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 2952

Depth 4: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
  - Suspicious use of WriteProcessMemory
  PID: 748

Depth 5: C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
  - Suspicious behavior: EnumeratesProcesses
  PID: 2688

Depth 6: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
  PID: 2412

Depth 7: C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
  - Suspicious behavior: EnumeratesProcesses
  PID: 916

Depth 8: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
  PID: 1752

Depth 9: C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID: 1196

Depth 10: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
  PID: 684

Depth 11: C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
  - Suspicious behavior: EnumeratesProcesses
  PID: 2516

Depth 12: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
  PID: 1584

Depth 13: C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID: 2732

Depth 14: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
  PID: 2640

Depth 15: C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
  - Suspicious behavior: EnumeratesProcesses
  PID: 2176

Depth 16: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
  PID: 2952

Depth 17: C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
  - Suspicious behavior: EnumeratesProcesses
  PID: 1084

Depth 18: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
  - System Location Discovery: System Language Discovery
  PID: 2224

Depth 19: C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
  - Suspicious behavior: EnumeratesProcesses
  PID: 1052

Depth 20: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
  PID: 696

Depth 21: C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
  - Suspicious behavior: EnumeratesProcesses
  PID: 2488

Depth 22: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
  PID: 1928

Depth 23: C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
  - Suspicious behavior: EnumeratesProcesses
  PID: 996

Depth 24: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
  PID: 1748

Depth 25: C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
  - Suspicious behavior: EnumeratesProcesses
  PID: 2716

Depth 26: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
  PID: 1692

Depth 27: C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
  - Suspicious behavior: EnumeratesProcesses
  PID: 1584

Depth 28: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
  PID: 1912

Depth 29: C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID: 844

Depth 30: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
  PID: 2288

Depth 31: C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
  - Suspicious behavior: EnumeratesProcesses
  PID: 2456

Depth 32: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
  PID: 1504

Depth 33: C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
  - Suspicious behavior: EnumeratesProcesses
  PID: 636

Depth 34: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
  PID: 296

Depth 35: C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
  - Suspicious behavior: EnumeratesProcesses
  PID: 948

Depth 36: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
  PID: 3048

Depth 37: C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
  - Suspicious behavior: EnumeratesProcesses
  PID: 1720

Depth 38: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
  PID: 2544

Depth 39: C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID: 2548

Depth 40: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
  PID: 2592

Depth 41: C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
  - Suspicious behavior: EnumeratesProcesses
  PID: 2312

Depth 42: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
  PID: 1012

Depth 43: C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
  - Suspicious behavior: EnumeratesProcesses
  PID: 2068

Depth 44: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
  PID: 2340

Depth 45: C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
  - Suspicious behavior: EnumeratesProcesses
  PID: 2884

Depth 46: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
  PID: 340

Depth 47: C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
  - Suspicious behavior: EnumeratesProcesses
  PID: 1004

Depth 48: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
  PID: 2596

Depth 49: C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID: 2832

Depth 50: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
  PID: 780

Depth 51: C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
  - Suspicious behavior: EnumeratesProcesses
  PID: 2948

Depth 52: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
  PID: 2364

Depth 53: C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
  - Suspicious behavior: EnumeratesProcesses
  PID: 2312

Depth 54: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
  - System Location Discovery: System Language Discovery
  PID: 2936

Depth 55: C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
  - Suspicious behavior: EnumeratesProcesses
  PID: 2544

Depth 56: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
  PID: 2324

Depth 57: C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
  - Suspicious behavior: EnumeratesProcesses
  PID: 2520

Depth 58: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
  - System Location Discovery: System Language Discovery
  PID: 652

Depth 59: C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
  - Suspicious behavior: EnumeratesProcesses
  PID: 988

Depth 60: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
  PID: 2592

Depth 61: C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
  - Suspicious behavior: EnumeratesProcesses
  PID: 2616

Depth 62: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
  PID: 2420

Depth 63: C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
  - Suspicious behavior: EnumeratesProcesses
  PID: 2292

Depth 64: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
  PID: 1252

Depth 65: C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
  PID: 1224

Depth 66: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
  PID: 1244

Depth 67: C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
  PID: 748

Depth 68: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
  PID: 2112

Depth 69: C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
  PID: 2544

Depth 70: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
  PID: 316

Depth 71: C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
  PID: 2736

Depth 72: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
  PID: 2020

Depth 73: C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
  PID: 1872

Depth 74: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
  PID: 2220

Depth 75: C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
  PID: 2436

Depth 76: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
  PID: 1700

Depth 77: C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
  PID: 340

Depth 78: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
  PID: 1620

Depth 79: C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
  - System Location Discovery: System Language Discovery
  PID: 1588

Depth 80: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
  PID: 2628

Depth 81: C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
  PID: 2556

Depth 82: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
  PID: 888

Depth 83: C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
  PID: 684

Depth 84: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
  PID: 2380

Depth 85: C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
  PID: 2840

Depth 86: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
  PID: 1320

Depth 87: C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
  PID: 1656

Depth 88: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
  PID: 2656

Depth 89: C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
  PID: 1312

Depth 90: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
  PID: 560

Depth 91: C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
  PID: 804

Depth 92: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
  PID: 1744

Depth 93: C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
  PID: 2056

Depth 94: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
  PID: 1596

Depth 95: C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
  PID: 596

Depth 96: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
  PID: 1420

Depth 97: C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
  PID: 536

Depth 98: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
  PID: 2744

Depth 99: C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
  - System Location Discovery: System Language Discovery
  PID: 2812

Depth 100: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
  PID: 2556

Depth 101: C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
  PID: 2628

Depth 102: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
  PID: 2904

Depth 103: C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
  PID: 1740

Depth 104: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
  PID: 1428

Depth 105: C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
  PID: 844

Depth 106: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
  PID: 2144

Depth 107: C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
  PID: 916

Depth 108: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
  PID: 2952

Depth 109: C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
  PID: 1888

Depth 110: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
  PID: 2308

Depth 111: C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
  PID: 764

Depth 112: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
  PID: 2752

Depth 113: C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
  PID: 2648

Depth 114: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
  PID: 2764

Depth 115: C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
  PID: 804

Depth 116: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
  PID: 1004

Depth 117: C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
  PID: 2400

Depth 118: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
  PID: 2140

Depth 119: C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
  PID: 3056

Depth 120: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
  PID: 296

Depth 121: C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock
  - System Location Discovery: System Language Discovery
  PID: 1912

Depth 122: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-09-27_24ac9c6e989b5d7624e35a161746b213_virlock"
  PID: 1316