Analysis

max time kernel:   150s
max time network:  151s
platform:          windows10-2004_x64
resource:          win10v2004-20241007-en
resource tags:     arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted:         14/10/2024, 16:23

Static task:       static1
Behavioral task:   behavioral1
  Sample:   2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock.exe
  Resource: win7-20240903-en
Behavioral task:   behavioral2
  Sample:   2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock.exe
  Resource: win10v2004-20241007-en
General

Target:  2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock.exe
Size:    208KB
MD5:     2f402c0cdceed59f7215a9f9d9396836
SHA1:    9c2db00220feb1fb238c9702271e02f18fd2e0f5
SHA256:  02a18fe83691b5a5d8cb9664bf45408ec425737c526455cf75db394659a8bfa0
SHA512:  3b22eedecf62213fc9ade6f7ec98fe587392c0b2544a04a5668a241ddf716c18768f5d1d3361b20c9e8c0f85de518c9b7e0cf45b550817d0c9512defbabfb7c4
SSDEEP:  3072:Dt9olq1YK/B+EdT9KxguX5upzMD4DuRO4Vgh8OBIRBinkyHL5O4zTzXk:zoqtsEdA68ux5g0BI6nkyrpznXk
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer  (2 TTPs, 64 IoCs)
  description      ioc                                                                                                                     process
  Set value (int)  \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"  reg.exe
  The same record is logged 64 times. Several tables in this report stop at exactly 64 records, so 64 appears to be a listing limit rather than an exact count.
-
Sets EnableLUA = 0  (64 IoCs; the signature title did not survive extraction)
  description      ioc                                                                                  process
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  reg.exe
  The same record is logged 64 times. EnableLUA = 0 switches User Account Control off; the change takes effect after the next reboot.
-
Renames multiple (80) files with added filename extension
This suggests ransomware activity: files across the system are being encrypted and renamed.
-
Checks computer location settings  (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely for geofencing.
  description        ioc                                                                                                 process
  Key value queried  \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation  wccUAgco.exe
-
Executes dropped EXE  (2 IoCs)
  pid   process
  4772  aocsgcIg.exe
  4488  wccUAgco.exe
-
Reads user/profile data of web browsers  (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials.
-
Adds Run key to start application  (2 TTPs, 4 IoCs)
  description      ioc                                                                                                                                                    process
  Set value (str)  \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aocsgcIg.exe = "C:\\Users\\Admin\\QCwQskck\\aocsgcIg.exe"  2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wccUAgco.exe = "C:\\ProgramData\\lawcQYYY\\wccUAgco.exe"                                   2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wccUAgco.exe = "C:\\ProgramData\\lawcQYYY\\wccUAgco.exe"                                   wccUAgco.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aocsgcIg.exe = "C:\\Users\\Admin\\QCwQskck\\aocsgcIg.exe"  aocsgcIg.exe
  The sample writes both entries; each dropped executable then re-writes its own. aocsgcIg.exe uses the per-user Run key, wccUAgco.exe the machine-wide 32-bit (WOW6432Node) Run key, so the latter starts for every user who logs on.
-
Drops file in System32 directory  (2 IoCs)
  description                   ioc                                   process
  File created                  C:\Windows\SysWOW64\shell32.dll.exe   wccUAgco.exe
  File opened for modification  C:\Windows\SysWOW64\shell32.dll.exe   wccUAgco.exe
  With HideFileExt = 1 (set above) Explorer displays this file as "shell32.dll".
-
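The registry signatures above arrive as the same record repeated up to 64 times, with kernel-style hive paths. The following is an added example, not part of the sandbox report and not code from the sample: a Python script that parses records in the report's own "Set value (type) key = "value" process" layout, collapses the repeats, rewrites \REGISTRY\MACHINE and \REGISTRY\USER to the HKLM/HKU form used in reg.exe command lines, and attaches a meaning to each distinct write. The sample input is constructed from records copied off this page; the rule table (which values count as findings and what they mean) is this example's own and is not something the sandbox emits.

```python
"""Deduplicate and classify the registry writes from a flattened sandbox report.

Added example; it is not part of the sandbox report and not code from the sample.
Input is the report's own record layout, 'Set value (type) <key> = "<value>" <process>',
run together on one line. The report repeats a record once per write it observed
(64 times for HideFileExt and EnableLUA), so the first job is to collapse repeats,
the second to say what each distinct write means to a responder.
"""
import re
from collections import Counter

# Constructed input: four distinct records copied from the report, two of them
# repeated the way the report repeats them. Raw strings keep the backslashes and
# the doubled backslashes inside the Run values exactly as the report prints them.
REPORT_TEXT = (
    r'Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000'
    r'\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe '
    r'Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000'
    r'\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe '
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion'
    r'\Policies\System\EnableLUA = "0" reg.exe '
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion'
    r'\Policies\System\EnableLUA = "0" reg.exe '
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion'
    r'\Run\wccUAgco.exe = "C:\\ProgramData\\lawcQYYY\\wccUAgco.exe" wccUAgco.exe '
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000'
    r'\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aocsgcIg.exe = '
    r'"C:\\Users\\Admin\\QCwQskck\\aocsgcIg.exe" aocsgcIg.exe'
)

# One record: value type in parentheses, kernel-style key, quoted value, then the
# image name of the writing process. The key is matched lazily up to ' = "'.
RECORD_RE = re.compile(
    r'Set value \((?P<type>\w+)\) (?P<key>\\REGISTRY\\.+?) = "(?P<value>[^"]*)" '
    r'(?P<process>\S+?\.exe)(?=\s|$)'
)

# Kernel hive prefixes -> the short names reg.exe command lines and hunting queries use.
HIVE_PREFIXES = {'\\REGISTRY\\MACHINE\\': 'HKLM\\', '\\REGISTRY\\USER\\': 'HKU\\'}

# (key suffix, value that makes it a finding, meaning). Assumed mapping written for
# this example; the sandbox itself only labels the HideFileExt change.
RULES = (
    ('\\Explorer\\Advanced\\HideFileExt', '1',
     'Explorer hides known extensions: a dropped shell32.dll.exe is shown as shell32.dll'),
    ('\\Policies\\System\\EnableLUA', '0',
     'UAC turned off (EnableLUA = 0 takes effect after the next reboot)'),
)


def normalize_key(key):
    """Rewrite \\REGISTRY\\MACHINE\\... to HKLM\\... and \\REGISTRY\\USER\\<SID>\\... to HKU\\<SID>\\..."""
    for kernel, short in HIVE_PREFIXES.items():
        if key.startswith(kernel):
            return short + key[len(kernel):]
    return key


def classify(key, value):
    """Attach a responder-facing meaning to one registry write."""
    for suffix, flagged_value, meaning in RULES:
        if key.endswith(suffix):
            return meaning if value == flagged_value else f'{suffix} set to "{value}" (not the flagged value)'
    if '\\CurrentVersion\\Run\\' in key:
        return f'Run-key persistence, launches {value} at logon'
    return 'unclassified registry write'


def parse_records(text):
    """Return (type, normalized key, value, process) tuples in report order."""
    return [(m['type'], normalize_key(m['key']), m['value'], m['process'])
            for m in RECORD_RE.finditer(text)]


def summarize(text):
    """Collapse repeated records and classify each distinct write."""
    findings = []
    for (rtype, key, value, process), count in Counter(parse_records(text)).items():
        findings.append({'type': rtype, 'key': key, 'value': value, 'process': process,
                         'count': count, 'meaning': classify(key, value)})
    return findings


if __name__ == '__main__':
    for f in summarize(REPORT_TEXT):
        print(f"{f['count']:>3}x {f['process']:<14} {f['key']} = {f['value']!r}")
        print(f"     -> {f['meaning']}")
```

Feeding the script the full signature tables instead of the constructed excerpt gives one line per distinct write with its repeat count, which is the form that is useful for comparing against reg.exe command lines or for turning into a hunting query.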
Enumerates physical storage devices  (1 TTP)
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery  (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                       process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  reg.exe (34 records), cmd.exe (13), 2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock.exe (9), cscript.exe (8)
  The 64 records are interleaved across these four processes; cmd.exe and cscript.exe appear in no other table of the captured report.
-
Modifies registry key  (1 TTP, 64 IoCs)
  pid (process is reg.exe for every record, in report order):
  484 4992 4172 4884 4168 676 3932 3844 3984 4208 4908 748 1404 3056 4292 4208
  1452 4496 5028 4176 1300 2368 4908 4988 1276 1808 4776 4604 1748 3208 2376 4008
  4280 4480 4008 2900 4660 3848 3996 1760 2696 5020 5040 4088 4932 5060 1532 1784
  4852 5016 5052 4540 2528 1720 2192 4260 112 4576 3760 5096 1964 4932 4056 4992
  PIDs 4992, 4208, 4908, 4008 and 4932 each appear twice, and 748, 3056 and 3848 also appear as PIDs of the sample under "EnumeratesProcesses" below, consistent with PID reuse by short-lived processes.
-
Suspicious behavior: EnumeratesProcesses  (64 IoCs)
  process is 2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock.exe for every record; four records for each of these pids, in report order:
  1812, 4032, 2816, 1692, 1576, 3848, 2000, 3364, 748, 3056, 4920, 1056, 3440, 2416, 1812, 3960
  1812 is listed twice, so the table covers 15 distinct PIDs of the sample.
-
Suspicious behavior: GetForegroundWindowSpam  (1 IoC)
  pid   process
  4488  wccUAgco.exe
-
Suspicious use of FindShellTrayWindow  (64 IoCs)
  pid   process
  4488  wccUAgco.exe  (64 identical records)
-
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target (each row is recorded 3 times unless noted)
PID 1812 wrote to memory of 4772 1812 2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock.exe 89
PID 1812 wrote to memory of 4488 1812 2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock.exe 90
PID 1812 wrote to memory of 1728 1812 2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock.exe 91
PID 1812 wrote to memory of 112 1812 2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock.exe 93
PID 1812 wrote to memory of 3896 1812 2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock.exe 94
PID 1812 wrote to memory of 984 1812 2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock.exe 95
PID 1812 wrote to memory of 3948 1812 2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock.exe 96
PID 1728 wrote to memory of 4032 1728 cmd.exe 101
PID 3948 wrote to memory of 1152 3948 cmd.exe 102
PID 4032 wrote to memory of 4744 4032 2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock.exe 103
PID 4744 wrote to memory of 2816 4744 cmd.exe 105
PID 4032 wrote to memory of 3940 4032 2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock.exe 106
PID 4032 wrote to memory of 4292 4032 2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock.exe 107
PID 4032 wrote to memory of 4632 4032 2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock.exe 108
PID 4032 wrote to memory of 2388 4032 2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock.exe 109
PID 2816 wrote to memory of 336 2816 2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock.exe 114
PID 2388 wrote to memory of 412 2388 cmd.exe 173
PID 336 wrote to memory of 1692 336 cmd.exe 117
PID 2816 wrote to memory of 2304 2816 2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock.exe 118
PID 2816 wrote to memory of 1408 2816 2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock.exe 119
PID 2816 wrote to memory of 4176 2816 2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock.exe 120
PID 2816 wrote to memory of 476 2816 2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock.exe 182 (recorded once; the table is cut off at 64 entries)
Processes
Each entry gives the nesting depth in the process tree, the PID, the image path, the recorded command line, and the behaviour tags attached to that process.

[depth 1] PID 1812  C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock.exe"
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
[depth 2] PID 4772  C:\Users\Admin\QCwQskck\aocsgcIg.exe
    command line: "C:\Users\Admin\QCwQskck\aocsgcIg.exe"
    - Executes dropped EXE
    - Adds Run key to start application
[depth 2] PID 4488  C:\ProgramData\lawcQYYY\wccUAgco.exe
    command line: "C:\ProgramData\lawcQYYY\wccUAgco.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
[depth 2] PID 1728  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock"
    - Suspicious use of WriteProcessMemory
[depth 3] PID 4032  C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock.exe
    command line: C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
[depth 4] PID 4744  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock"
    - Suspicious use of WriteProcessMemory
[depth 5] PID 2816  C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock.exe
    command line: C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
[depth 6] PID 336  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock"
    - Suspicious use of WriteProcessMemory
[depth 7] PID 1692  C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock.exe
    command line: C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock
    - Suspicious behavior: EnumeratesProcesses
[depth 8] PID 1224  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock"
[depth 9] PID 1576  C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock.exe
    command line: C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock
    - Suspicious behavior: EnumeratesProcesses
[depth 10] PID 5064  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock"
[depth 11] PID 3848  C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock.exe
    command line: C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock
    - Suspicious behavior: EnumeratesProcesses
[depth 12] PID 3896  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock"
[depth 13] PID 2000  C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock.exe
    command line: C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock
    - Suspicious behavior: EnumeratesProcesses
[depth 14] PID 2412  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock"
[depth 15] PID 3364  C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock.exe
    command line: C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
[depth 16] PID 5096  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock"
[depth 17] PID 748  C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock.exe
    command line: C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock
    - Suspicious behavior: EnumeratesProcesses
[depth 18] PID 1448  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock"
[depth 19] PID 3056  C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock.exe
    command line: C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock
    - Suspicious behavior: EnumeratesProcesses
[depth 20] PID 4580  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock"
[depth 21] PID 4920  C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock.exe
    command line: C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock
    - Suspicious behavior: EnumeratesProcesses
[depth 22] PID 1152  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock"
[depth 23] PID 1056  C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock.exe
    command line: C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock
    - Suspicious behavior: EnumeratesProcesses
[depth 24] PID 4744  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock"
    - System Location Discovery: System Language Discovery
[depth 25] PID 3440  C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock.exe
    command line: C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock
    - Suspicious behavior: EnumeratesProcesses
[depth 26] PID 3160  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock"
    - System Location Discovery: System Language Discovery
[depth 27] PID 2416  C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock.exe
    command line: C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock
    - Suspicious behavior: EnumeratesProcesses
[depth 28] PID 3084  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock"
    - System Location Discovery: System Language Discovery
[depth 29] PID 1812  C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock.exe
    command line: C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock
    - Suspicious behavior: EnumeratesProcesses
[depth 30] PID 2368  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock"
[depth 31] PID 3960  C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock.exe
    command line: C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
[depth 32] PID 2816  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock"
[depth 33] PID 5032  C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock.exe
    command line: C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock
[depth 34] PID 264  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock"
[depth 35] PID 892  C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock.exe
    command line: C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock
[depth 36] PID 3656  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock"
[depth 37] PID 3996  C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock.exe
    command line: C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock
[depth 38] PID 5092  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock"
[depth 39] PID 1788  C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock.exe
    command line: C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock
[depth 40] PID 5064  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock"
[depth 41] PID 2496  C:\Windows\System32\Conhost.exe
    command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
[depth 41] PID 2412  C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock.exe
    command line: C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock
[depth 42] PID 3476  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock"
[depth 43] PID 2388  C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock.exe
    command line: C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock
[depth 44] PID 2360  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock"
[depth 45] PID 2580  C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock.exe
    command line: C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock
[depth 46] PID 3004  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock"
[depth 47] PID 3084  C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock.exe
    command line: C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock
[depth 48] PID 3460  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock"
[depth 49] PID 3520  C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock.exe
    command line: C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock
[depth 50] PID 2472  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock"
[depth 51] PID 2540  C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock.exe
    command line: C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock
[depth 52] PID 1316  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock"
[depth 53] PID 3472  C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock.exe
    command line: C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock
[depth 54] PID 3932  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock"
[depth 55] PID 4148  C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock.exe
    command line: C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock
[depth 56] PID 2000  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock"
[depth 57] PID 3296  C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock.exe
    command line: C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock
[depth 58] PID 4428  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock"
[depth 59] PID 4744  C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock.exe
    command line: C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock
[depth 60] PID 2292  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock"
[depth 61] PID 2496  C:\Windows\System32\Conhost.exe
    command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
[depth 61] PID 4496  C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock.exe
    command line: C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock
[depth 62] PID 3476  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock"
[depth 63] PID 676  C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock.exe
    command line: C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock
[depth 64] PID 4044  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock"
[depth 65] PID 2368  C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock.exe
    command line: C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock
[depth 66] PID 1284  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock"
[depth 67] PID 1848  C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock.exe
    command line: C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock
[depth 68] PID 4524  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock"
[depth 69] PID 4076  C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock.exe
    command line: C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock
    - System Location Discovery: System Language Discovery
[depth 70] PID 2472  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock"
[depth 71] PID 424  C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock.exe
    command line: C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock
[depth 72] PID 272  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock"
[depth 73] PID 3008  C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock.exe
    command line: C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock
[depth 74] PID 5028  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock"
[depth 75] PID 2896  C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock.exe
    command line: C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock
[depth 76] PID 5092  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock"
[depth 77] PID 3656  C:\Windows\System32\Conhost.exe
    command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
[depth 77] PID 4560  C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock.exe
    command line: C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock
    - System Location Discovery: System Language Discovery
[depth 78] PID 1632  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock"
[depth 79] PID 4844  C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock.exe
    command line: C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock
[depth 80] PID 4008  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock"
[depth 81] PID 2408  C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock.exe
    command line: C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock
[depth 82] PID 336  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock"
[depth 83] PID 2416  C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock.exe
    command line: C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock
[depth 84] PID 4204  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock"
[depth 85] PID 1720  C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock.exe
    command line: C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock
[depth 86] PID 1224  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock"
[depth 87] PID 1452  C:\Windows\System32\Conhost.exe
    command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
[depth 87] PID 1992  C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock.exe
    command line: C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock
[depth 88] PID 452  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock"
[depth 89] PID 1584  C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock.exe
    command line: C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock
[depth 90] PID 404  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock"
[depth 91] PID 3516  C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock.exe
    command line: C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock
[depth 92] PID 5024  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock"
[depth 93] PID 4952  C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock.exe
    command line: C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock
[depth 94] PID 1408  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock"
[depth 95] PID 3560  C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock.exe
    command line: C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock
[depth 96] PID 3208  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock"
    - System Location Discovery: System Language Discovery
[depth 97] PID 1388  C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock.exe
    command line: C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock
[depth 98] PID 760  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock"
[depth 99] PID 1044  C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock.exe
    command line: C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock
[depth 100] PID 1460  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock"
[depth 101] PID 2360  C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock.exe
    command line: C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock
[depth 102] PID 412  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock"
[depth 103] PID 4048  C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock.exe
    command line: C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock
[depth 104] PID 4776  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock"
[depth 105] PID 3440  C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock.exe
    command line: C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock
[depth 106] PID 4716  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock"
[depth 107] PID 1300  C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock.exe
    command line: C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock
[depth 108] PID 1940  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock"
[depth 109] PID 1964  C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock.exe
    command line: C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock
[depth 110] PID 1224  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock"
[depth 111] PID 4496  C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock.exe
    command line: C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock
[depth 112] PID 272  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock"
[depth 113] PID 364  C:\Windows\System32\Conhost.exe
    command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
[depth 113] PID 3088  C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock.exe
    command line: C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock
[depth 114] PID 1900  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock"
[depth 115] PID 2192  C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock.exe
    command line: C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock
[depth 116] PID 452  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock"
[depth 117] PID 1460  C:\Windows\System32\Conhost.exe
    command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
[depth 117] PID 4536  C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock.exe
    command line: C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock
[depth 118] PID 4412  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock"
[depth 119] PID 3056  C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock.exe
    command line: C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock
[depth 120] PID 4132  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock"
[depth 121] PID 5016  C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock.exe
    command line: C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock
[depth 122] PID 2136  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-14_2f402c0cdceed59f7215a9f9d9396836_virlock"