Analysis
-
max time kernel
150s -
max time network
137s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
26-10-2024 04:25
Static task
static1
Behavioral task
behavioral1
Sample
2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
Resource
win10v2004-20241007-en
General
-
Target
2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
-
Size
118KB
-
MD5
055739f5184aeb744d73e3c90ec60b08
-
SHA1
387406f6e090203196f15790213a30a866de0d66
-
SHA256
edc6d589a66d3457c04eb7e5ec5d4ded396a78417a81fa307abc434306d709e4
-
SHA512
024156300f6da1a5252e5e24ae53fa29f5325fc68bddf23df3a4a6c2b4a002c7f2e8095150b16aa86b53071afb0d31ffa14d0d687c4d7f890d2d07cb7e46fb2c
-
SSDEEP
3072:dMQNPkEOmieES3pc0bRYsrlUBJP+XXenuqasd:dnOmzES3xbRLl2+yuqzd
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) 
\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) 
\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) 
\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) 
\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) 
\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set 
value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe -
Renames multiple (87) files with added filename extension
This suggests ransomware activity, i.e. encrypting all the files on the system.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely for geofencing.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation ZssoEgYQ.exe -
Executes dropped EXE 2 IoCs
pid Process 1176 ZssoEgYQ.exe 4224 SmYYccsc.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials, etc.
-
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ZssoEgYQ.exe = "C:\\Users\\Admin\\rEgYoYQc\\ZssoEgYQ.exe" ZssoEgYQ.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SmYYccsc.exe = "C:\\ProgramData\\AykcUkwA\\SmYYccsc.exe" SmYYccsc.exe Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ZssoEgYQ.exe = "C:\\Users\\Admin\\rEgYoYQc\\ZssoEgYQ.exe" 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SmYYccsc.exe = "C:\\ProgramData\\AykcUkwA\\SmYYccsc.exe" 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe -
Drops file in System32 directory 2 IoCs
description ioc Process File created C:\Windows\SysWOW64\shell32.dll.exe ZssoEgYQ.exe File opened for modification C:\Windows\SysWOW64\shell32.dll.exe ZssoEgYQ.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe -
Modifies registry key 1 TTPs 64 IoCs
pid Process 2256 reg.exe 3784 reg.exe 2888 reg.exe 884 reg.exe 4724 reg.exe 4992 reg.exe 4724 reg.exe 5040 reg.exe 4112 reg.exe 4688 reg.exe 3144 reg.exe 1392 reg.exe 1640 reg.exe 1164 reg.exe 3256 reg.exe 1972 reg.exe 1528 reg.exe 2504 reg.exe 1684 reg.exe 4668 reg.exe 3724 reg.exe 3236 reg.exe 2896 reg.exe 4832 reg.exe 4516 reg.exe 3432 reg.exe 1588 reg.exe 4848 reg.exe 2516 reg.exe 3104 reg.exe 2844 reg.exe 2888 reg.exe 4540 reg.exe 4712 reg.exe 4488 reg.exe 2552 reg.exe 1972 reg.exe 5060 reg.exe 4328 reg.exe 4996 reg.exe 4192 reg.exe 4928 reg.exe 4428 reg.exe 3316 reg.exe 1564 reg.exe 1164 reg.exe 2412 reg.exe 920 reg.exe 4536 reg.exe 4236 reg.exe 1376 reg.exe 5008 reg.exe 2240 reg.exe 2468 reg.exe 3164 reg.exe 2820 reg.exe 1588 reg.exe 2024 reg.exe 1056 reg.exe 1868 reg.exe 2544 reg.exe 1768 reg.exe 4724 reg.exe 4960 reg.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2264 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 2264 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 2264 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 2264 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 3292 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 3292 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 3292 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 3292 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 972 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 972 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 972 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 972 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 1136 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 1136 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 1136 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 1136 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 4000 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 4000 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 4000 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 4000 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 2284 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 2284 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 2284 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 2284 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 944 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 944 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 944 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 944 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 2392 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 2392 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 2392 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 2392 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 3968 
2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 3968 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 3968 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 3968 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 2816 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 2816 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 2816 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 2816 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 2284 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 2284 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 2284 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 2284 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 2460 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 2460 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 2460 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 2460 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 2180 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 2180 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 2180 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 2180 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 2428 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 2428 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 2428 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 2428 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 4860 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 4860 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 4860 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 4860 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 4668 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 4668 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 4668 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 4668 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 1176 ZssoEgYQ.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 1176 ZssoEgYQ.exe 1176 ZssoEgYQ.exe 1176 ZssoEgYQ.exe 1176 ZssoEgYQ.exe 1176 ZssoEgYQ.exe 1176 ZssoEgYQ.exe 1176 ZssoEgYQ.exe 1176 ZssoEgYQ.exe 1176 ZssoEgYQ.exe 1176 ZssoEgYQ.exe 1176 ZssoEgYQ.exe 1176 ZssoEgYQ.exe 1176 ZssoEgYQ.exe 1176 ZssoEgYQ.exe 1176 ZssoEgYQ.exe 1176 ZssoEgYQ.exe 1176 ZssoEgYQ.exe 1176 ZssoEgYQ.exe 1176 ZssoEgYQ.exe 1176 ZssoEgYQ.exe 1176 ZssoEgYQ.exe 1176 ZssoEgYQ.exe 1176 ZssoEgYQ.exe 1176 ZssoEgYQ.exe 1176 ZssoEgYQ.exe 1176 ZssoEgYQ.exe 1176 ZssoEgYQ.exe 1176 ZssoEgYQ.exe 1176 ZssoEgYQ.exe 1176 ZssoEgYQ.exe 1176 ZssoEgYQ.exe 1176 ZssoEgYQ.exe 1176 ZssoEgYQ.exe 1176 ZssoEgYQ.exe 1176 ZssoEgYQ.exe 1176 ZssoEgYQ.exe 1176 ZssoEgYQ.exe 1176 ZssoEgYQ.exe 1176 ZssoEgYQ.exe 1176 ZssoEgYQ.exe 1176 ZssoEgYQ.exe 1176 ZssoEgYQ.exe 1176 ZssoEgYQ.exe 1176 ZssoEgYQ.exe 1176 ZssoEgYQ.exe 1176 ZssoEgYQ.exe 1176 ZssoEgYQ.exe 1176 ZssoEgYQ.exe 1176 ZssoEgYQ.exe 1176 ZssoEgYQ.exe 1176 ZssoEgYQ.exe 1176 ZssoEgYQ.exe 1176 ZssoEgYQ.exe 1176 ZssoEgYQ.exe 1176 ZssoEgYQ.exe 1176 ZssoEgYQ.exe 1176 ZssoEgYQ.exe 1176 ZssoEgYQ.exe 1176 ZssoEgYQ.exe 1176 ZssoEgYQ.exe 1176 ZssoEgYQ.exe 1176 ZssoEgYQ.exe 1176 ZssoEgYQ.exe 1176 ZssoEgYQ.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2264 wrote to memory of 1176 2264 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 86 PID 2264 wrote to memory of 1176 2264 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 86 PID 2264 wrote to memory of 1176 2264 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 86 PID 2264 wrote to memory of 4224 2264 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 87 PID 2264 wrote to memory of 4224 2264 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 87 PID 2264 wrote to memory of 4224 2264 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 87 PID 2264 wrote to memory of 1928 2264 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 88 PID 2264 wrote to memory of 1928 2264 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 88 PID 2264 wrote to memory of 1928 2264 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 88 PID 1928 wrote to memory of 3292 1928 cmd.exe 91 PID 1928 wrote to memory of 3292 1928 cmd.exe 91 PID 1928 wrote to memory of 3292 1928 cmd.exe 91 PID 2264 wrote to memory of 780 2264 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 92 PID 2264 wrote to memory of 780 2264 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 92 PID 2264 wrote to memory of 780 2264 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 92 PID 2264 wrote to memory of 4960 2264 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 93 PID 2264 wrote to memory of 4960 2264 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 93 PID 2264 wrote to memory of 4960 2264 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 93 PID 2264 wrote to memory of 412 2264 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 94 PID 2264 wrote to memory of 412 2264 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 94 PID 2264 wrote to memory of 412 2264 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 94 PID 2264 wrote to memory of 1816 2264 
2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 95 PID 2264 wrote to memory of 1816 2264 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 95 PID 2264 wrote to memory of 1816 2264 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 95 PID 1816 wrote to memory of 956 1816 cmd.exe 100 PID 1816 wrote to memory of 956 1816 cmd.exe 100 PID 1816 wrote to memory of 956 1816 cmd.exe 100 PID 3292 wrote to memory of 4104 3292 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 101 PID 3292 wrote to memory of 4104 3292 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 101 PID 3292 wrote to memory of 4104 3292 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 101 PID 4104 wrote to memory of 972 4104 cmd.exe 103 PID 4104 wrote to memory of 972 4104 cmd.exe 103 PID 4104 wrote to memory of 972 4104 cmd.exe 103 PID 3292 wrote to memory of 1052 3292 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 104 PID 3292 wrote to memory of 1052 3292 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 104 PID 3292 wrote to memory of 1052 3292 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 104 PID 3292 wrote to memory of 4504 3292 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 105 PID 3292 wrote to memory of 4504 3292 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 105 PID 3292 wrote to memory of 4504 3292 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 105 PID 3292 wrote to memory of 3548 3292 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 106 PID 3292 wrote to memory of 3548 3292 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 106 PID 3292 wrote to memory of 3548 3292 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 106 PID 3292 wrote to memory of 4476 3292 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 107 PID 3292 wrote to memory of 4476 3292 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 107 PID 3292 wrote to memory of 4476 3292 
2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 107 PID 4476 wrote to memory of 3792 4476 cmd.exe 112 PID 4476 wrote to memory of 3792 4476 cmd.exe 112 PID 4476 wrote to memory of 3792 4476 cmd.exe 112 PID 972 wrote to memory of 4124 972 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 113 PID 972 wrote to memory of 4124 972 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 113 PID 972 wrote to memory of 4124 972 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 113 PID 4124 wrote to memory of 1136 4124 cmd.exe 115 PID 4124 wrote to memory of 1136 4124 cmd.exe 115 PID 4124 wrote to memory of 1136 4124 cmd.exe 115 PID 972 wrote to memory of 1868 972 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 116 PID 972 wrote to memory of 1868 972 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 116 PID 972 wrote to memory of 1868 972 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 116 PID 972 wrote to memory of 4384 972 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 117 PID 972 wrote to memory of 4384 972 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 117 PID 972 wrote to memory of 4384 972 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 117 PID 972 wrote to memory of 4936 972 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 118 PID 972 wrote to memory of 4936 972 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 118 PID 972 wrote to memory of 4936 972 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 118 PID 972 wrote to memory of 3956 972 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 119
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe"C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe"1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2264 -
C:\Users\Admin\rEgYoYQc\ZssoEgYQ.exe"C:\Users\Admin\rEgYoYQc\ZssoEgYQ.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:1176
-
-
C:\ProgramData\AykcUkwA\SmYYccsc.exe"C:\ProgramData\AykcUkwA\SmYYccsc.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4224
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1928 -
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock3⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3292 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"4⤵
- Suspicious use of WriteProcessMemory
PID:4104 -
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:972 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"6⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4124 -
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock7⤵
- Suspicious behavior: EnumeratesProcesses
PID:1136 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"8⤵PID:4192
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock9⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4000 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"10⤵PID:3784
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock11⤵
- Suspicious behavior: EnumeratesProcesses
PID:2284 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"12⤵PID:3560
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock13⤵
- Suspicious behavior: EnumeratesProcesses
PID:944 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"14⤵PID:2544
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock15⤵
- Suspicious behavior: EnumeratesProcesses
PID:2392 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"16⤵PID:4136
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock17⤵
- Suspicious behavior: EnumeratesProcesses
PID:3968 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"18⤵PID:4368
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock19⤵
- Suspicious behavior: EnumeratesProcesses
PID:2816 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"20⤵PID:5092
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock21⤵
- Suspicious behavior: EnumeratesProcesses
PID:2284 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"22⤵PID:3928
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock23⤵
- Suspicious behavior: EnumeratesProcesses
PID:2460 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"24⤵
- System Location Discovery: System Language Discovery
PID:4776 -
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock25⤵
- Suspicious behavior: EnumeratesProcesses
PID:2180 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"26⤵PID:4676
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock27⤵
- Suspicious behavior: EnumeratesProcesses
PID:2428 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"28⤵PID:2448
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock29⤵
- Suspicious behavior: EnumeratesProcesses
PID:4860 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"30⤵PID:1996
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock31⤵
- Suspicious behavior: EnumeratesProcesses
PID:4668 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"32⤵
- System Location Discovery: System Language Discovery
PID:3752 -
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock33⤵PID:4896
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"34⤵PID:5112
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock35⤵PID:4968
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"36⤵PID:4556
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock37⤵PID:5096
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"38⤵PID:5092
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock39⤵PID:3484
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"40⤵PID:1532
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock41⤵PID:4412
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"42⤵PID:4468
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock43⤵PID:4256
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"44⤵PID:2024
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock45⤵
- System Location Discovery: System Language Discovery
PID:2476 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"46⤵PID:2736
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock47⤵PID:944
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"48⤵PID:492
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock49⤵PID:2264
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"50⤵PID:1052
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock51⤵PID:4136
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"52⤵PID:1384
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock53⤵PID:2896
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"54⤵PID:2556
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock55⤵PID:4460
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"56⤵PID:4056
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock57⤵PID:2196
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"58⤵PID:4100
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock59⤵PID:1052
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"60⤵PID:448
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV161⤵PID:856
-
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock61⤵PID:1404
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"62⤵PID:4036
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock63⤵PID:1532
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"64⤵PID:1872
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock65⤵PID:1056
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"66⤵PID:2380
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock67⤵PID:3908
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"68⤵PID:4100
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock69⤵PID:4556
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"70⤵PID:1068
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock71⤵
- System Location Discovery: System Language Discovery
PID:3264 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"72⤵PID:3144
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock73⤵PID:2284
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"74⤵PID:1844
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock75⤵PID:1128
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"76⤵PID:3744
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock77⤵PID:2388
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"78⤵PID:3196
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock79⤵PID:1532
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"80⤵PID:4300
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock81⤵PID:3756
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"82⤵
- System Location Discovery: System Language Discovery
PID:3272 -
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock83⤵PID:2284
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"84⤵PID:3024
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock85⤵PID:1536
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"86⤵PID:2448
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock87⤵PID:4988
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"88⤵PID:1672
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock89⤵PID:4356
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"90⤵PID:1112
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock91⤵PID:4472
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"92⤵PID:4488
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock93⤵PID:3256
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"94⤵PID:3744
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock95⤵PID:4576
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"96⤵
- System Location Discovery: System Language Discovery
PID:2648 -
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock97⤵PID:3292
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"98⤵PID:3140
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock99⤵PID:1632
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"100⤵PID:3784
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock101⤵
- System Location Discovery: System Language Discovery
PID:336 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"102⤵
- System Location Discovery: System Language Discovery
PID:4748 -
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock103⤵PID:3452
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"104⤵PID:4016
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock105⤵PID:5008
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"106⤵PID:3520
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock107⤵PID:4028
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"108⤵PID:884
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock109⤵PID:4104
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"110⤵PID:2448
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock111⤵PID:3856
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"112⤵PID:2732
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock113⤵PID:380
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"114⤵PID:4660
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock115⤵PID:2624
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"116⤵PID:2204
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock117⤵PID:3536
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"118⤵PID:984
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1119⤵PID:1164
-
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock119⤵PID:3032
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"120⤵PID:2264
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock121⤵PID:4412
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"122⤵PID:372