Analysis
max time kernel: 150s
max time network: 107s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-10-2024 17:57
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
  Resource: win10v2004-20241007-en
General
Target: 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
Size: 116KB
MD5: 70f0066d643916ed531583f3b3b6382c
SHA1: 228f1fb78fd1f08078a4cfc30e61984f3ad9366d
SHA256: 8c2d37665861b2652b06805f38fedfcd44bac6fe889f0ce9997c3f13a43a5543
SHA512: 1b86fdf50a8211b593e0f36071581fafe423c0282774acffbea402fcbc031dfc9aedc18bcbb1022d22df238c105b0634226df11bdf62e28afba7fa8cb95c39f0
SSDEEP: 3072:SQ/05bi+3FB+ctk5FMfzCL9jJ7nbApb22PWvoK0:S2g1s2eY
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs
description: Set value (int)
ioc: \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Process: reg.exe
(the same entry is recorded 64 times)
description: Set value (int)
ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Process: reg.exe
(the same entry is recorded repeatedly)
Renames multiple (83) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description: Key value queried
ioc: \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation
Process: byMMAYIQ.exe
Executes dropped EXE 2 IoCs
pid 212: byMMAYIQ.exe
pid 1180: HgswMIoE.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application 2 TTPs 6 IoCs
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HgswMIoE.exe = "C:\\ProgramData\\ymAcoQcg\\HgswMIoE.exe" (Process: HgswMIoE.exe)
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XgUoMIwY.exe = "C:\\Users\\Admin\\eoEEoQsU\\XgUoMIwY.exe" (Process: 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe)
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\huYAIEQg.exe = "C:\\ProgramData\\eOogQIgM\\huYAIEQg.exe" (Process: 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe)
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\byMMAYIQ.exe = "C:\\Users\\Admin\\DKIsQIkE\\byMMAYIQ.exe" (Process: 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe)
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HgswMIoE.exe = "C:\\ProgramData\\ymAcoQcg\\HgswMIoE.exe" (Process: 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe)
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\byMMAYIQ.exe = "C:\\Users\\Admin\\DKIsQIkE\\byMMAYIQ.exe" (Process: byMMAYIQ.exe)
Drops file in System32 directory 2 IoCs
File created: C:\Windows\SysWOW64\shell32.dll.exe (Process: byMMAYIQ.exe)
File opened for modification: C:\Windows\SysWOW64\shell32.dll.exe (Process: byMMAYIQ.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash 2 IoCs
pid 2516 (target pid 3360): WerFault.exe, procid_target 346
pid 4452 (target pid 3008): WerFault.exe, procid_target 345
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description: Key opened
ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Processes: reg.exe, cmd.exe, cscript.exe, 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
(the same key open is recorded 64 times across these processes)
Modifies registry key 1 TTPs 64 IoCs
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
212 | byMMAYIQ.exe
Suspicious use of FindShellTrayWindow 64 IoCs
pid | Process
212 | byMMAYIQ.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 4780 wrote to memory of 212 | 4780 | 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe | 86
PID 4780 wrote to memory of 1180 | 4780 | 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe | 87
PID 4780 wrote to memory of 4000 | 4780 | 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe | 88
PID 4000 wrote to memory of 1384 | 4000 | cmd.exe | 90
PID 4780 wrote to memory of 2960 | 4780 | 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe | 91
PID 4780 wrote to memory of 704 | 4780 | 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe | 92
PID 4780 wrote to memory of 3572 | 4780 | 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe | 93
PID 4780 wrote to memory of 4536 | 4780 | 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe | 94
PID 4536 wrote to memory of 2972 | 4536 | cmd.exe | 99
PID 1384 wrote to memory of 2980 | 1384 | 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe | 101
PID 2980 wrote to memory of 3008 | 2980 | cmd.exe | 103
PID 1384 wrote to memory of 632 | 1384 | 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe | 104
PID 1384 wrote to memory of 4320 | 1384 | 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe | 105
PID 1384 wrote to memory of 1584 | 1384 | 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe | 106
PID 1384 wrote to memory of 4488 | 1384 | 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe | 107
PID 4488 wrote to memory of 3096 | 4488 | cmd.exe | 112
PID 3008 wrote to memory of 4068 | 3008 | 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe | 113
PID 4068 wrote to memory of 2288 | 4068 | cmd.exe | 115
PID 3008 wrote to memory of 3128 | 3008 | 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe | 116
PID 3008 wrote to memory of 1728 | 3008 | 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe | 117
PID 3008 wrote to memory of 184 | 3008 | 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe | 118
PID 3008 wrote to memory of 404 | 3008 | 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe | 119
Processes
[depth 1] PID 4780  C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe"
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
[depth 2] PID 212  C:\Users\Admin\DKIsQIkE\byMMAYIQ.exe
    command line: "C:\Users\Admin\DKIsQIkE\byMMAYIQ.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
[depth 2] PID 1180  C:\ProgramData\ymAcoQcg\HgswMIoE.exe
    command line: "C:\ProgramData\ymAcoQcg\HgswMIoE.exe"
    - Executes dropped EXE
    - Adds Run key to start application
[depth 2] PID 4000  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
    - Suspicious use of WriteProcessMemory
[depth 3] PID 1384  C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
    command line: C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
[depth 4] PID 2980  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
    - Suspicious use of WriteProcessMemory
[depth 5] PID 3008  C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
    command line: C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
[depth 6] PID 4068  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
    - Suspicious use of WriteProcessMemory
[depth 7] PID 2288  C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
    command line: C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
    - Suspicious behavior: EnumeratesProcesses
[depth 8] PID 3872  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
[depth 9] PID 2660  C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
    command line: C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
    - Suspicious behavior: EnumeratesProcesses
[depth 10] PID 4552  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
[depth 11] PID 1816  C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
    command line: C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
    - Suspicious behavior: EnumeratesProcesses
[depth 12] PID 1040  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
[depth 13] PID 1512  C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
    command line: C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
    - Suspicious behavior: EnumeratesProcesses
[depth 14] PID 1404  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
[depth 15] PID 4788  C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
    command line: C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
    - Suspicious behavior: EnumeratesProcesses
[depth 16] PID 4160  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
[depth 17] PID 3088  C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
    command line: C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
[depth 18] PID 5100  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
[depth 19] PID 2660  C:\Windows\System32\Conhost.exe
    command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
[depth 19] PID 3872  C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
    command line: C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
    - Suspicious behavior: EnumeratesProcesses
[depth 20] PID 4152  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
[depth 21] PID 2628  C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
    command line: C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
    - Suspicious behavior: EnumeratesProcesses
[depth 22] PID 1424  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
[depth 23] PID 1304  C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
    command line: C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
    - Suspicious behavior: EnumeratesProcesses
[depth 24] PID 4268  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
[depth 25] PID 4016  C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
    command line: C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
    - Suspicious behavior: EnumeratesProcesses
[depth 26] PID 4572  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
[depth 27] PID 2864  C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
    command line: C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
    - Suspicious behavior: EnumeratesProcesses
[depth 28] PID 4408  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
[depth 29] PID 3872  C:\Windows\System32\Conhost.exe
    command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
[depth 29] PID 2556  C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
    command line: C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
    - Suspicious behavior: EnumeratesProcesses
[depth 30] PID 2628  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
[depth 31] PID 4000  C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
    command line: C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
    - Suspicious behavior: EnumeratesProcesses
[depth 32] PID 184  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
[depth 33] PID 1928  C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
    command line: C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
[depth 34] PID 1188  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
[depth 35] PID 916  C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
    command line: C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
[depth 36] PID 2112  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
    - System Location Discovery: System Language Discovery
[depth 37] PID 4492  C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
    command line: C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
    - System Location Discovery: System Language Discovery
[depth 38] PID 2992  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
[depth 39] PID 2620  C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
    command line: C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
[depth 40] PID 3852  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
[depth 41] PID 1856  C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
    command line: C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
[depth 42] PID 4120  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
[depth 43] PID 224  C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
    command line: C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
[depth 44] PID 3008  C:\Users\Admin\eoEEoQsU\XgUoMIwY.exe
    command line: "C:\Users\Admin\eoEEoQsU\XgUoMIwY.exe"
[depth 45] PID 4452  C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3008 -s 224
    - Program crash
[depth 44] PID 3360  C:\ProgramData\eOogQIgM\huYAIEQg.exe
    command line: "C:\ProgramData\eOogQIgM\huYAIEQg.exe"
[depth 45] PID 2516  C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3360 -s 224
    - Program crash
[depth 44] PID 2980  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
[depth 45] PID 3244  C:\Windows\System32\Conhost.exe
    command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
[depth 45] PID 3124  C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
    command line: C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
    - System Location Discovery: System Language Discovery
[depth 46] PID 1292  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
[depth 47] PID 3328  C:\Windows\System32\Conhost.exe
    command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
[depth 47] PID 2196  C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
    command line: C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
[depth 48] PID 1844  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
[depth 49] PID 4160  C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
    command line: C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
[depth 50] PID 1444  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
[depth 51] PID 2564  C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
    command line: C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
[depth 52] PID 2936  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
[depth 53] PID 3124  C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
    command line: C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
[depth 54] PID 1440  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
    - System Location Discovery: System Language Discovery
[depth 55] PID 3144  C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
    command line: C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
[depth 56] PID 220  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
[depth 57] PID 4684  C:\Windows\System32\Conhost.exe
    command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
[depth 57] PID 1396  C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
    command line: C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
[depth 58] PID 2180  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
[depth 59] PID 4480  C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
    command line: C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
[depth 60] PID 4764  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
[depth 61] PID 1444  C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
    command line: C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
    - System Location Discovery: System Language Discovery
[depth 62] PID 3584  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
[depth 63] PID 1928  C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
    command line: C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
[depth 64] PID 1304  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
[depth 65] PID 1404  C:\Windows\System32\Conhost.exe
    command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
[depth 65] PID 3456  C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
    command line: C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
[depth 66] PID 4604  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
    - System Location Discovery: System Language Discovery
[depth 67] PID 4484  C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
    command line: C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
[depth 68] PID 3472  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
[depth 69] PID 2148  C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
    command line: C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
[depth 70] PID 2416  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
[depth 71] PID 3976  C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
    command line: C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
[depth 72] PID 1300  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
[depth 73] PID 1408  C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
    command line: C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
    - System Location Discovery: System Language Discovery
[depth 74] PID 2280  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
[depth 75] PID 4172  C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
    command line: C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
[depth 76] PID 4028  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
[depth 77] PID 388  C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
    command line: C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
[depth 78] PID 2884  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
[depth 79] PID 3476  C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
    command line: C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
[depth 80] PID 4808  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
[depth 81] PID 4536  C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
    command line: C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
[depth 82] PID 2224  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
[depth 83] PID 4740  C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
    command line: C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
[depth 84] PID 4604  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
[depth 85] PID 3456  C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
    command line: C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
[depth 86] PID 4588  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
[depth 87] PID 4244  C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
    command line: C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
[depth 88] PID 3648  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
    - System Location Discovery: System Language Discovery
[depth 89] PID 1560  C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
    command line: C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
[depth 90] PID 3464  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
[depth 91] PID 2232  C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
    command line: C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
[depth 92] PID 2248  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
[depth 93] PID 2280  C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
    command line: C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
    - System Location Discovery: System Language Discovery
[depth 94] PID 4748  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
[depth 95] PID 3456  C:\Windows\System32\Conhost.exe
    command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
[depth 95] PID 5100  C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
    command line: C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
[depth 96] PID 4972  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
[depth 97] PID 1616  C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
    command line: C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
[depth 98] PID 4800  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
[depth 99] PID 4808  C:\Windows\System32\Conhost.exe
    command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
[depth 99] PID 1200  C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
    command line: C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
    - System Location Discovery: System Language Discovery
[depth 100] PID 4268  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
[depth 101] PID 216  C:\Windows\System32\Conhost.exe
    command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
[depth 101] PID 1048  C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
    command line: C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
[depth 102] PID 1960  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
[depth 103] PID 5032  C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
    command line: C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
    - System Location Discovery: System Language Discovery
[depth 104] PID 4968  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
[depth 105] PID 4588  C:\Windows\System32\Conhost.exe
    command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
[depth 105] PID 4488  C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
    command line: C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
[depth 106] PID 1404  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
[depth 107] PID 2180  C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
    command line: C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
[depth 108] PID 4884  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
[depth 109] PID 1392  C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
    command line: C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
[depth 110] PID 640  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
[depth 111] PID 4128  C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
    command line: C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
[depth 112] PID 756  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
[depth 113] PID 2312  C:\Windows\System32\Conhost.exe
    command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
[depth 113] PID 2132  C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
    command line: C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
[depth 114] PID 556  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
[depth 115] PID 2148  C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
    command line: C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
[depth 116] PID 2248  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
[depth 117] PID 4492  C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
    command line: C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
    - System Location Discovery: System Language Discovery
[depth 118] PID 4008  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
[depth 119] PID 4820  C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
    command line: C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
[depth 120] PID 1380  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"
[depth 121] PID 4596  C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
    command line: C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock
[depth 122] PID 1844  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"