Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
16-10-2024 17:59
Static task
static1
Behavioral task
behavioral1
Sample
2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe
Resource
win10v2004-20241007-en
General
-
Target
2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe
-
Size
115KB
-
MD5
7909fc1d969d674fc5f4fc9fa08af28a
-
SHA1
68d75e5ae16ec716377c86c4e79be281d28d0274
-
SHA256
757e139e9d70d76499da424b9a2897ac4d4159b1cdf51a93ffaf1c21c015e3b5
-
SHA512
c1e62a56c0fe584a54b7b696b67205e0d62b3d59eaeccbdce6f2fdb3203e25478d94d6856808c557a948f237f90f3c47a0a958a7a26f6a025ab564bd74af28fe
-
SSDEEP
3072:2wipi3bX02dweqqZAzBrR2t0QKBW+M4t/:nUi3bX02dw1qZAzCt1+ft
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs
Sets HKCU\...\Explorer\Advanced\HideFileExt = 1 through repeated reg.exe invocations so that Explorer hides known file extensions. Combined with the double-extension file dropped below (shell32.dll.exe), this makes the dropped executable display as "shell32.dll" to the user. The 64-entry list appears to be a display cap, not the true number of writes.
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) 
\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) 
\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) 
\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) 
\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) 
\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set 
value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe -
Renames multiple (81) files with added filename extension
Mass renaming of files with an added extension is consistent with ransomware encrypting the files on the system, but the rename alone does not prove encryption: confirm by inspecting the content of a renamed file (and note that the renamed files are not listed on this page).
-
Checks computer location settings 2 TTPs 1 IoCs
Queries the country code configured in the registry (Control Panel\International\Geo\Nation). This is commonly used as a geofence check, though the report does not show what the dropped cAMQoUAs.exe does with the result.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation cAMQoUAs.exe -
Executes dropped EXE 2 IoCs
pid Process 4052 cAMQoUAs.exe 4156 VaMwEgso.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials and session cookies. No IoCs are listed for this signature here, so treat it as a heuristic match rather than a confirmed read of browser profiles.
-
Adds Run key to start application 2 TTPs 4 IoCs
Persistence is written in both hives: a per-user Run value for C:\Users\Admin\ockAcUMI\cAMQoUAs.exe and a machine-wide WOW6432Node Run value for C:\ProgramData\qAcsYMwY\VaMwEgso.exe. Each value is set by the original sample and again by the dropped copy itself, so remediation must remove both Run values and both dropped executables.
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cAMQoUAs.exe = "C:\\Users\\Admin\\ockAcUMI\\cAMQoUAs.exe" 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\VaMwEgso.exe = "C:\\ProgramData\\qAcsYMwY\\VaMwEgso.exe" 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cAMQoUAs.exe = "C:\\Users\\Admin\\ockAcUMI\\cAMQoUAs.exe" cAMQoUAs.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\VaMwEgso.exe = "C:\\ProgramData\\qAcsYMwY\\VaMwEgso.exe" VaMwEgso.exe -
Drops file in System32 directory 2 IoCs
Note the actual path is the 32-bit SysWOW64 directory (consistent with the arch:x86 tag), and the filename shell32.dll.exe uses a double extension that mimics a core system DLL; with HideFileExt set to 1 above, Explorer would show it as shell32.dll.
description ioc Process File created C:\Windows\SysWOW64\shell32.dll.exe cAMQoUAs.exe File opened for modification C:\Windows\SysWOW64\shell32.dll.exe cAMQoUAs.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). No IoCs are listed for this signature, so the specific device access is not shown here.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location. Note that the processes listed (reg.exe, cmd.exe, cscript.exe) read NLS\Language as part of normal locale initialisation, so this IoC is low-signal on its own; the sample's own reads are the ones worth correlating with the Geo\Nation query above.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe -
Modifies registry key 1 TTPs 64 IoCs
These reg.exe instances are the ones writing HideFileExt = 1 under HKCU and EnableLUA = 0 under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System (listed above without a heading). EnableLUA = 0 disables User Account Control, typically taking effect at the next restart; a successful HKLM write also implies the sample already ran with administrative rights in this sandbox.
pid Process 2648 reg.exe 640 reg.exe 1044 reg.exe 3916 reg.exe 4956 reg.exe 2708 reg.exe 1004 reg.exe 2092 reg.exe 1012 reg.exe 4704 reg.exe 4660 reg.exe 1628 reg.exe 1616 reg.exe 944 reg.exe 3580 reg.exe 2880 reg.exe 4072 reg.exe 4788 reg.exe 3512 reg.exe 3888 reg.exe 3128 reg.exe 4956 reg.exe 3860 reg.exe 2044 reg.exe 2296 reg.exe 4392 reg.exe 2504 reg.exe 1748 reg.exe 3512 reg.exe 1216 reg.exe 4392 reg.exe 2688 reg.exe 868 reg.exe 4952 reg.exe 2504 reg.exe 3500 reg.exe 3272 reg.exe 4368 reg.exe 4880 reg.exe 2732 reg.exe 2612 reg.exe 2280 reg.exe 4204 reg.exe 3444 reg.exe 3708 reg.exe 5016 reg.exe 3492 reg.exe 3708 reg.exe 528 reg.exe 4716 reg.exe 3816 reg.exe 820 reg.exe 3948 reg.exe 4716 reg.exe 2388 reg.exe 2936 reg.exe 1912 reg.exe 4368 reg.exe 1076 reg.exe 4312 reg.exe 2976 reg.exe 2956 reg.exe 744 reg.exe 2248 reg.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4676 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 4676 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 4676 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 4676 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 5108 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 5108 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 5108 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 5108 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 1836 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 1836 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 1836 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 1836 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 1384 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 1384 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 1384 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 1384 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 3012 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 3012 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 3012 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 3012 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 4872 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 4872 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 4872 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 4872 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 4604 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 4604 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 4604 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 4604 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 648 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 648 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 648 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 648 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 3116 
2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 3116 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 3116 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 3116 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 944 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 944 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 944 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 944 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 3520 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 3520 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 3520 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 3520 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 4464 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 4464 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 4464 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 4464 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 2220 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 2220 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 2220 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 2220 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 2296 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 2296 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 2296 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 2296 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 4704 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 4704 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 4704 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 4704 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 5048 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 5048 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 5048 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 5048 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 4052 cAMQoUAs.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 4052 cAMQoUAs.exe 4052 cAMQoUAs.exe 4052 cAMQoUAs.exe 4052 cAMQoUAs.exe 4052 cAMQoUAs.exe 4052 cAMQoUAs.exe 4052 cAMQoUAs.exe 4052 cAMQoUAs.exe 4052 cAMQoUAs.exe 4052 cAMQoUAs.exe 4052 cAMQoUAs.exe 4052 cAMQoUAs.exe 4052 cAMQoUAs.exe 4052 cAMQoUAs.exe 4052 cAMQoUAs.exe 4052 cAMQoUAs.exe 4052 cAMQoUAs.exe 4052 cAMQoUAs.exe 4052 cAMQoUAs.exe 4052 cAMQoUAs.exe 4052 cAMQoUAs.exe 4052 cAMQoUAs.exe 4052 cAMQoUAs.exe 4052 cAMQoUAs.exe 4052 cAMQoUAs.exe 4052 cAMQoUAs.exe 4052 cAMQoUAs.exe 4052 cAMQoUAs.exe 4052 cAMQoUAs.exe 4052 cAMQoUAs.exe 4052 cAMQoUAs.exe 4052 cAMQoUAs.exe 4052 cAMQoUAs.exe 4052 cAMQoUAs.exe 4052 cAMQoUAs.exe 4052 cAMQoUAs.exe 4052 cAMQoUAs.exe 4052 cAMQoUAs.exe 4052 cAMQoUAs.exe 4052 cAMQoUAs.exe 4052 cAMQoUAs.exe 4052 cAMQoUAs.exe 4052 cAMQoUAs.exe 4052 cAMQoUAs.exe 4052 cAMQoUAs.exe 4052 cAMQoUAs.exe 4052 cAMQoUAs.exe 4052 cAMQoUAs.exe 4052 cAMQoUAs.exe 4052 cAMQoUAs.exe 4052 cAMQoUAs.exe 4052 cAMQoUAs.exe 4052 cAMQoUAs.exe 4052 cAMQoUAs.exe 4052 cAMQoUAs.exe 4052 cAMQoUAs.exe 4052 cAMQoUAs.exe 4052 cAMQoUAs.exe 4052 cAMQoUAs.exe 4052 cAMQoUAs.exe 4052 cAMQoUAs.exe 4052 cAMQoUAs.exe 4052 cAMQoUAs.exe 4052 cAMQoUAs.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4676 wrote to memory of 4052 4676 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 85 PID 4676 wrote to memory of 4052 4676 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 85 PID 4676 wrote to memory of 4052 4676 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 85 PID 4676 wrote to memory of 4156 4676 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 86 PID 4676 wrote to memory of 4156 4676 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 86 PID 4676 wrote to memory of 4156 4676 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 86 PID 4676 wrote to memory of 4936 4676 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 87 PID 4676 wrote to memory of 4936 4676 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 87 PID 4676 wrote to memory of 4936 4676 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 87 PID 4676 wrote to memory of 1912 4676 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 89 PID 4676 wrote to memory of 1912 4676 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 89 PID 4676 wrote to memory of 1912 4676 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 89 PID 4676 wrote to memory of 4832 4676 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 90 PID 4676 wrote to memory of 4832 4676 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 90 PID 4676 wrote to memory of 4832 4676 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 90 PID 4676 wrote to memory of 3860 4676 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 91 PID 4676 wrote to memory of 3860 4676 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 91 PID 4676 wrote to memory of 3860 4676 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 91 PID 4676 wrote to memory of 5052 4676 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 92 PID 4676 wrote to memory of 5052 4676 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 92 PID 4676 wrote to 
memory of 5052 4676 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 92 PID 4936 wrote to memory of 5108 4936 cmd.exe 97 PID 4936 wrote to memory of 5108 4936 cmd.exe 97 PID 4936 wrote to memory of 5108 4936 cmd.exe 97 PID 5052 wrote to memory of 1512 5052 cmd.exe 98 PID 5052 wrote to memory of 1512 5052 cmd.exe 98 PID 5052 wrote to memory of 1512 5052 cmd.exe 98 PID 5108 wrote to memory of 2412 5108 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 99 PID 5108 wrote to memory of 2412 5108 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 99 PID 5108 wrote to memory of 2412 5108 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 99 PID 2412 wrote to memory of 1836 2412 cmd.exe 101 PID 2412 wrote to memory of 1836 2412 cmd.exe 101 PID 2412 wrote to memory of 1836 2412 cmd.exe 101 PID 5108 wrote to memory of 1772 5108 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 102 PID 5108 wrote to memory of 1772 5108 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 102 PID 5108 wrote to memory of 1772 5108 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 102 PID 5108 wrote to memory of 336 5108 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 103 PID 5108 wrote to memory of 336 5108 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 103 PID 5108 wrote to memory of 336 5108 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 103 PID 5108 wrote to memory of 2840 5108 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 104 PID 5108 wrote to memory of 2840 5108 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 104 PID 5108 wrote to memory of 2840 5108 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 104 PID 5108 wrote to memory of 2480 5108 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 105 PID 5108 wrote to memory of 2480 5108 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 105 PID 5108 wrote to memory of 2480 5108 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 105 PID 2480 
wrote to memory of 636 2480 cmd.exe 111 PID 2480 wrote to memory of 636 2480 cmd.exe 111 PID 2480 wrote to memory of 636 2480 cmd.exe 111 PID 1836 wrote to memory of 872 1836 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 112 PID 1836 wrote to memory of 872 1836 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 112 PID 1836 wrote to memory of 872 1836 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 112 PID 872 wrote to memory of 1384 872 cmd.exe 114 PID 872 wrote to memory of 1384 872 cmd.exe 114 PID 872 wrote to memory of 1384 872 cmd.exe 114 PID 1836 wrote to memory of 4120 1836 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 115 PID 1836 wrote to memory of 4120 1836 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 115 PID 1836 wrote to memory of 4120 1836 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 115 PID 1836 wrote to memory of 2956 1836 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 116 PID 1836 wrote to memory of 2956 1836 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 116 PID 1836 wrote to memory of 2956 1836 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 116 PID 1836 wrote to memory of 3620 1836 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 117 PID 1836 wrote to memory of 3620 1836 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 117 PID 1836 wrote to memory of 3620 1836 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 117 PID 1836 wrote to memory of 4952 1836 2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe 118
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe"C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exe"1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4676 -
C:\Users\Admin\ockAcUMI\cAMQoUAs.exe"C:\Users\Admin\ockAcUMI\cAMQoUAs.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:4052
-
-
C:\ProgramData\qAcsYMwY\VaMwEgso.exe"C:\ProgramData\qAcsYMwY\VaMwEgso.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4156
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"2⤵
- Suspicious use of WriteProcessMemory
PID:4936 -
C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5108 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"4⤵
- Suspicious use of WriteProcessMemory
PID:2412 -
C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1836 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"6⤵
- Suspicious use of WriteProcessMemory
PID:872 -
C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock7⤵
- Suspicious behavior: EnumeratesProcesses
PID:1384 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"8⤵PID:2904
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock9⤵
- Suspicious behavior: EnumeratesProcesses
PID:3012 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"10⤵PID:3356
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock11⤵
- Suspicious behavior: EnumeratesProcesses
PID:4872 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"12⤵PID:4368
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock13⤵
- Suspicious behavior: EnumeratesProcesses
PID:4604 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"14⤵PID:4624
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock15⤵
- Suspicious behavior: EnumeratesProcesses
PID:648 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"16⤵
- System Location Discovery: System Language Discovery
PID:3548 -
C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock17⤵
- Suspicious behavior: EnumeratesProcesses
PID:3116 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"18⤵PID:1084
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock19⤵
- Suspicious behavior: EnumeratesProcesses
PID:944 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"20⤵PID:4860
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock21⤵
- Suspicious behavior: EnumeratesProcesses
PID:3520 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"22⤵
- System Location Discovery: System Language Discovery
PID:4488 -
C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock23⤵
- Suspicious behavior: EnumeratesProcesses
PID:4464 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"24⤵PID:764
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock25⤵
- Suspicious behavior: EnumeratesProcesses
PID:2220 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"26⤵PID:3952
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock27⤵
- Suspicious behavior: EnumeratesProcesses
PID:2296 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"28⤵PID:412
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock29⤵
- Suspicious behavior: EnumeratesProcesses
PID:4704 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"30⤵PID:3408
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock31⤵
- Suspicious behavior: EnumeratesProcesses
PID:5048 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"32⤵PID:1860
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock33⤵PID:3456
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"34⤵PID:1052
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock35⤵PID:216
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"36⤵PID:2908
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock37⤵PID:2304
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"38⤵PID:3260
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock39⤵PID:676
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"40⤵PID:3156
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock41⤵PID:4272
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"42⤵PID:3516
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock43⤵PID:1044
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"44⤵PID:4952
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock45⤵PID:4592
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"46⤵PID:1012
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock47⤵PID:3128
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"48⤵PID:4908
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock49⤵PID:1448
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"50⤵PID:2936
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock51⤵PID:3964
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"52⤵PID:3188
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock53⤵PID:2008
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"54⤵PID:4252
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock55⤵PID:3268
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"56⤵PID:2560
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock57⤵PID:3512
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"58⤵PID:1608
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV159⤵PID:4904
-
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock59⤵PID:3680
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"60⤵PID:2804
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV161⤵PID:3096
-
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock61⤵PID:2220
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"62⤵PID:2668
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV163⤵PID:1952
-
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock63⤵PID:1776
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"64⤵PID:2824
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock65⤵PID:636
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"66⤵PID:4596
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock67⤵PID:4272
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"68⤵PID:4144
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV169⤵PID:3512
-
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock69⤵PID:4904
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"70⤵PID:1060
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock71⤵PID:1428
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"72⤵PID:1748
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV173⤵PID:2092
-
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock73⤵PID:412
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"74⤵PID:3260
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock75⤵PID:4952
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"76⤵PID:2632
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock77⤵PID:4072
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"78⤵PID:2192
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock79⤵PID:3756
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"80⤵PID:2804
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV181⤵PID:4740
-
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock81⤵
- System Location Discovery: System Language Discovery
PID:5016 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"82⤵
- System Location Discovery: System Language Discovery
PID:2668 -
C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock83⤵PID:3408
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"84⤵
- System Location Discovery: System Language Discovery
PID:4032 -
C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock85⤵PID:1492
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"86⤵PID:2028
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock87⤵PID:2612
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"88⤵PID:3648
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock89⤵PID:1360
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"90⤵PID:1004
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock91⤵PID:2992
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"92⤵PID:4328
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock93⤵PID:4596
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"94⤵PID:3884
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock95⤵PID:3896
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"96⤵
- System Location Discovery: System Language Discovery
PID:1252 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV197⤵PID:2892
-
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock97⤵PID:3448
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"98⤵PID:5012
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock99⤵PID:772
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"100⤵PID:2248
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock101⤵PID:2668
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"102⤵PID:3400
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock103⤵PID:1492
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"104⤵PID:628
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock105⤵PID:1840
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"106⤵PID:3940
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1107⤵PID:2712
-
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock107⤵PID:2880
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"108⤵PID:4900
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock109⤵PID:4880
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"110⤵PID:4596
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock111⤵PID:3508
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"112⤵PID:3832
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock113⤵PID:3036
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"114⤵PID:3428
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock115⤵PID:1492
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"116⤵PID:4364
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock117⤵PID:4136
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"118⤵PID:2704
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock119⤵PID:4624
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"120⤵PID:3832
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1121⤵PID:5116
-
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock121⤵PID:2280
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_7909fc1d969d674fc5f4fc9fa08af28a_virlock"122⤵PID:1012
-