Analysis
max time kernel: 150s
max time network: 127s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-10-2024 01:47

Static task: static1

Behavioral task: behavioral1
Sample: 2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe
Resource: win7-20241010-en

Behavioral task: behavioral2
Sample: 2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe
Resource: win10v2004-20241007-en

General
Target: 2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe
Size: 229KB
MD5: 287891c31c75c7a8b313b66742f4bb4e
SHA1: e93f66aeddacd31b596e39dca41dbb3ff140ba68
SHA256: 8ebba18732ca21d3a0df3c5cad95cf867de57ee57a1898e82bdf25ab1865f23d
SHA512: 7cd8359debca9232939eeb1a0ff60fd015c19e99b1688cf9b88fd399ae3e0c1ba4c9c21c77ad744f68c8f3c3e2d5915db9195c1aafb1b72855248d52e2675a2b
SSDEEP: 3072:7+VqqIAJ7mLUUl1mDLEdQJBrTPO84J8LyTv3qfh3OiBQIJF4LInNo1ID2Hpm:yVqdspBrLO84J8Lyruh3OhtMNo1I6Jm

Malware Config

Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 64 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | reg.exe
(64 identical entries; only the one distinct row is shown)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Process not Found
(64 entries in total; only the two distinct rows are shown)
Renames multiple (78) files with added filename extension
This suggests ransomware activity, i.e. encryption of the files on the system.
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up the country code configured in the registry, likely for geofencing.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | aaEkAYcg.exe
Executes dropped EXE (2 IoCs)
pid | Process
4536 | xsgQoUEE.exe
1772 | aaEkAYcg.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials.
Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xsgQoUEE.exe = "C:\\Users\\Admin\\vysAIMoE\\xsgQoUEE.exe" | xsgQoUEE.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xsgQoUEE.exe = "C:\\Users\\Admin\\vysAIMoE\\xsgQoUEE.exe" | 2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\aaEkAYcg.exe = "C:\\ProgramData\\tUAIgIYI\\aaEkAYcg.exe" | 2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\aaEkAYcg.exe = "C:\\ProgramData\\tUAIgIYI\\aaEkAYcg.exe" | aaEkAYcg.exe
Drops file in System32 directory (2 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\shell32.dll.exe | aaEkAYcg.exe
File opened for modification | C:\Windows\SysWOW64\shell32.dll.exe | aaEkAYcg.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cscript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
(64 entries in total; only the five distinct rows are shown)
Modifies registry key (1 TTPs, 64 IoCs)
pid Process 1500 reg.exe 1600 reg.exe 2804 reg.exe 4460 reg.exe 3960 reg.exe 3708 reg.exe 2728 reg.exe 3352 reg.exe 3568 reg.exe 760 reg.exe 1232 reg.exe 1536 reg.exe 4320 reg.exe 728 reg.exe 3408 reg.exe 1984 reg.exe 1368 reg.exe 1936 reg.exe 1604 reg.exe 1840 Process not Found 5028 reg.exe 228 reg.exe 1704 reg.exe 1060 reg.exe 5104 reg.exe 3032 reg.exe 3568 reg.exe 3548 reg.exe 3524 reg.exe 4408 Process not Found 4968 reg.exe 1368 reg.exe 1280 reg.exe 748 reg.exe 980 reg.exe 4316 reg.exe 3820 reg.exe 1148 Process not Found 1232 reg.exe 1504 reg.exe 892 reg.exe 1960 reg.exe 4732 reg.exe 3252 reg.exe 4884 reg.exe 4636 reg.exe 3196 reg.exe 4072 reg.exe 2340 reg.exe 4692 reg.exe 3516 reg.exe 2388 reg.exe 1868 reg.exe 4432 reg.exe 5068 reg.exe 1692 reg.exe 1476 reg.exe 728 reg.exe 5072 reg.exe 4456 reg.exe 3492 reg.exe 3856 reg.exe 3952 reg.exe 776 reg.exe -
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
Each of the following PIDs of 2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe appears 4 times in the 64 entries: 4552, 3524, 1636, 4824, 2020, 4704, 1628, 408, 4016, 844, 180, 1212, 776, 3856, 2140, 4652
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
pid | Process
1772 | aaEkAYcg.exe
Suspicious use of FindShellTrayWindow (64 IoCs)
pid | Process
1772 | aaEkAYcg.exe
(64 identical entries; only the one distinct row is shown)
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
1⤵ C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe (PID:4552)
   Command line: "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe"
   - Adds Run key to start application
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
2⤵ C:\Users\Admin\vysAIMoE\xsgQoUEE.exe (PID:4536)
   Command line: "C:\Users\Admin\vysAIMoE\xsgQoUEE.exe"
   - Executes dropped EXE
   - Adds Run key to start application
2⤵ C:\ProgramData\tUAIgIYI\aaEkAYcg.exe (PID:1772)
   Command line: "C:\ProgramData\tUAIgIYI\aaEkAYcg.exe"
   - Checks computer location settings
   - Executes dropped EXE
   - Adds Run key to start application
   - Drops file in System32 directory
   - Suspicious behavior: GetForegroundWindowSpam
   - Suspicious use of FindShellTrayWindow
2⤵ C:\Windows\SysWOW64\cmd.exe (PID:1672)
   Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"
   - Suspicious use of WriteProcessMemory
3⤵ C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe (PID:3524)
   Command line: C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
4⤵ C:\Windows\SysWOW64\cmd.exe (PID:5060)
   Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"
   - Suspicious use of WriteProcessMemory
5⤵ C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe (PID:1636)
   Command line: C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
6⤵ C:\Windows\SysWOW64\cmd.exe (PID:5012)
   Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"
   - Suspicious use of WriteProcessMemory
7⤵ C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe (PID:4824)
   Command line: C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock
   - Suspicious behavior: EnumeratesProcesses
8⤵ C:\Windows\SysWOW64\cmd.exe (PID:2524)
   Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"
9⤵ C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe (PID:2020)
   Command line: C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock
   - Suspicious behavior: EnumeratesProcesses
10⤵ C:\Windows\SysWOW64\cmd.exe (PID:1852)
   Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"
11⤵ C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe (PID:4704)
   Command line: C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock
   - Suspicious behavior: EnumeratesProcesses
12⤵ C:\Windows\SysWOW64\cmd.exe (PID:4140)
   Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"
13⤵ C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe (PID:1628)
   Command line: C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock
   - Suspicious behavior: EnumeratesProcesses
14⤵ C:\Windows\SysWOW64\cmd.exe (PID:1240)
   Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"
15⤵ C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe (PID:408)
   Command line: C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock
   - Suspicious behavior: EnumeratesProcesses
16⤵ C:\Windows\SysWOW64\cmd.exe (PID:5012)
   Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"
17⤵ C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe (PID:4016)
   Command line: C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock
   - Suspicious behavior: EnumeratesProcesses
18⤵ C:\Windows\SysWOW64\cmd.exe (PID:3396)
   Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"
19⤵ C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe (PID:844)
   Command line: C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock
   - Suspicious behavior: EnumeratesProcesses
20⤵ C:\Windows\SysWOW64\cmd.exe (PID:4956)
   Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"
21⤵ C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe (PID:180)
   Command line: C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
22⤵ C:\Windows\SysWOW64\cmd.exe (PID:3988)
   Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"
   - System Location Discovery: System Language Discovery
23⤵ C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe (PID:1212)
   Command line: C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock
   - Suspicious behavior: EnumeratesProcesses
24⤵ C:\Windows\SysWOW64\cmd.exe (PID:2288)
   Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"
25⤵ C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe (PID:776)
   Command line: C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock
   - Suspicious behavior: EnumeratesProcesses
26⤵ C:\Windows\SysWOW64\cmd.exe (PID:2536)
   Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"
27⤵ C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe (PID:3856)
   Command line: C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock
   - Suspicious behavior: EnumeratesProcesses
28⤵ C:\Windows\SysWOW64\cmd.exe (PID:4660)
   Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"
29⤵ C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe (PID:2140)
   Command line: C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock
   - Suspicious behavior: EnumeratesProcesses
30⤵ C:\Windows\SysWOW64\cmd.exe (PID:1068)
   Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"
31⤵ C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe (PID:4652)
   Command line: C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock
   - Suspicious behavior: EnumeratesProcesses
32⤵ C:\Windows\SysWOW64\cmd.exe (PID:2092)
   Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"
33⤵ C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe (PID:760)
   Command line: C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock
34⤵ C:\Windows\SysWOW64\cmd.exe (PID:2612)
   Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"
35⤵ C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe (PID:2528)
   Command line: C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock
36⤵ C:\Windows\SysWOW64\cmd.exe (PID:3408)
   Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"
37⤵ C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe (PID:3256)
   Command line: C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock
38⤵ C:\Windows\SysWOW64\cmd.exe (PID:4952)
   Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"
39⤵ C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe (PID:4964)
   Command line: C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock
40⤵ C:\Windows\SysWOW64\cmd.exe (PID:4724)
   Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"
41⤵ C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe (PID:4556)
   Command line: C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock
42⤵ C:\Windows\SysWOW64\cmd.exe (PID:4928)
   Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"
43⤵ C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe (PID:3960)
   Command line: C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock
44⤵ C:\Windows\SysWOW64\cmd.exe (PID:4780)
   Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"
45⤵ C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe (PID:1852)
   Command line: C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock
46⤵ C:\Windows\SysWOW64\cmd.exe (PID:3328)
   Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"
47⤵ C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe (PID:180)
   Command line: C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock
48⤵ C:\Windows\SysWOW64\cmd.exe (PID:4164)
   Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"
49⤵ C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe (PID:1008)
   Command line: C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock
50⤵ C:\Windows\SysWOW64\cmd.exe (PID:4684)
   Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"
51⤵ C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe (PID:5084)
   Command line: C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock
52⤵ C:\Windows\SysWOW64\cmd.exe (PID:2192)
   Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"
53⤵ C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe (PID:2668)
   Command line: C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock
54⤵ C:\Windows\SysWOW64\cmd.exe (PID:3516)
   Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"
55⤵ C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe (PID:3492)
   Command line: C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock
56⤵ C:\Windows\SysWOW64\cmd.exe (PID:3356)
   Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"
57⤵ C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe (PID:372)
   Command line: C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock
58⤵ C:\Windows\SysWOW64\cmd.exe (PID:3472)
   Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"
59⤵ C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe (PID:3132)
   Command line: C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock
60⤵ C:\Windows\SysWOW64\cmd.exe (PID:3384)
   Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"
61⤵ C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe (PID:4788)
   Command line: C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock
62⤵ C:\Windows\SysWOW64\cmd.exe (PID:4648)
   Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"
63⤵ C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe (PID:4888)
   Command line: C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock
64⤵ C:\Windows\SysWOW64\cmd.exe (PID:1520)
   Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"
65⤵ C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe (PID:3476)
   Command line: C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock
66⤵ C:\Windows\SysWOW64\cmd.exe (PID:1020)
   Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"
67⤵ C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe (PID:2472)
   Command line: C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock
68⤵ C:\Windows\SysWOW64\cmd.exe (PID:4316)
   Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"
69⤵ C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe (PID:3132)
   Command line: C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock
70⤵ C:\Windows\SysWOW64\cmd.exe (PID:3648)
   Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"
71⤵ C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe (PID:60)
   Command line: C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock
72⤵ C:\Windows\SysWOW64\cmd.exe (PID:2160)
   Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"
73⤵ C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe (PID:1692)
   Command line: C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock
74⤵ C:\Windows\SysWOW64\cmd.exe (PID:2252)
   Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"
75⤵ C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe (PID:2496)
   Command line: C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock
76⤵ C:\Windows\SysWOW64\cmd.exe (PID:4552)
   Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"
77⤵ C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe (PID:3576)
   Command line: C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock
78⤵ C:\Windows\SysWOW64\cmd.exe (PID:1604)
   Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"
79⤵ C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe (PID:4768)
   Command line: C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock
80⤵ C:\Windows\SysWOW64\cmd.exe (PID:2180)
   Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"
   - System Location Discovery: System Language Discovery
81⤵ C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe (PID:3524)
   Command line: C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock
82⤵ C:\Windows\SysWOW64\cmd.exe (PID:924)
   Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"
83⤵ C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe (PID:2160)
   Command line: C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock
84⤵ C:\Windows\SysWOW64\cmd.exe (PID:4912)
   Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"
85⤵ C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe (PID:2328)
   Command line: C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock
86⤵ C:\Windows\SysWOW64\cmd.exe (PID:4724)
   Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"
87⤵ C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe (PID:5068)
   Command line: C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock
88⤵ C:\Windows\SysWOW64\cmd.exe (PID:1300)
   Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"
89⤵ C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe (PID:3160)
   Command line: C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock
90⤵ C:\Windows\SysWOW64\cmd.exe (PID:1572)
   Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"
91⤵ C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe (PID:60)
   Command line: C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock
92⤵ C:\Windows\SysWOW64\cmd.exe (PID:2896)
   Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"
93⤵ C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe (PID:1520)
   Command line: C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock
94⤵ C:\Windows\SysWOW64\cmd.exe (PID:3384)
   Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"
95⤵ C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe (PID:1148)
   Command line: C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock
   - System Location Discovery: System Language Discovery
96⤵ C:\Windows\SysWOW64\cmd.exe (PID:4380)
   Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"
97⤵ C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe (PID:976)
   Command line: C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock
98⤵ C:\Windows\SysWOW64\cmd.exe (PID:1904)
   Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"
99⤵ C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe (PID:4884)
   Command line: C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock
   - System Location Discovery: System Language Discovery
100⤵ C:\Windows\SysWOW64\cmd.exe (PID:4948)
   Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"
101⤵ C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe (PID:1068)
   Command line: C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock
102⤵ C:\Windows\SysWOW64\cmd.exe (PID:1232)
   Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"
103⤵ C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe (PID:468)
   Command line: C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock
104⤵ C:\Windows\SysWOW64\cmd.exe (PID:2120)
   Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"
105⤵ C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe (PID:5028)
   Command line: C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock
106⤵ C:\Windows\SysWOW64\cmd.exe (PID:3232)
   Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"
107⤵ C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe (PID:1932)
   Command line: C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock
108⤵ C:\Windows\SysWOW64\cmd.exe (PID:2328)
   Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"
109⤵ C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe (PID:1140)
   Command line: C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock
110⤵ C:\Windows\SysWOW64\cmd.exe (PID:372)
   Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"
111⤵ C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe (PID:1388)
   Command line: C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock
112⤵ C:\Windows\SysWOW64\cmd.exe (PID:4680)
   Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"
113⤵ C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe (PID:4580)
   Command line: C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock
   - System Location Discovery: System Language Discovery
114⤵ C:\Windows\SysWOW64\cmd.exe (PID:4432)
   Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"
115⤵ C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe (PID:1280)
   Command line: C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock
116⤵ C:\Windows\SysWOW64\cmd.exe (PID:4980)
   Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"
117⤵ C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe (PID:788)
   Command line: C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock
118⤵ C:\Windows\SysWOW64\cmd.exe (PID:932)
   Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"
119⤵ C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe (PID:3900)
   Command line: C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock
120⤵ C:\Windows\SysWOW64\cmd.exe (PID:2828)
   Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"
121⤵ C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock.exe (PID:4664)
   Command line: C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock
122⤵ C:\Windows\SysWOW64\cmd.exe (PID:5076)
   Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-20_287891c31c75c7a8b313b66742f4bb4e_virlock"