Analysis
max time kernel: 150s
max time network: 118s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 26-10-2024 04:27
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe
  Resource: win10v2004-20241007-en
General
Target: 2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe
Size: 115KB
MD5: 1ece96646e9b993df4996b2e0dc01d9d
SHA1: 6c626a083086ab62690daab3d42b7c92e4759819
SHA256: ee88a2e13047ff2d4546c4f160be8784b5c8cf8d86c2e026b3adf102a8515f3a
SHA512: 860a2cda975536f5d06e541ea96a87e26658978b21a27609f70b859240963cb07eeb4a8b97b92ff8faa14c39498aeb6a0943e131af4b057a0a3bb52536b6801c
SSDEEP: 3072:dbbHa0cwgv2kynG58i+kYbPTVKEjeDnhdI+:1HpZVnGhYVKPhd
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | reg.exe
(the same entry is listed 64 times)

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
(the same entry is listed 64 times)
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely for geofencing.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\International\Geo\Nation | tSooIYUQ.exe
Executes dropped EXE 2 IoCs
pid | Process
2472 | tSooIYUQ.exe
1848 | sckQMYAE.exe
Loads dropped DLL 20 IoCs
pid | Process
1320 | 2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe (4 entries)
2472 | tSooIYUQ.exe (16 entries)
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\tSooIYUQ.exe = "C:\\Users\\Admin\\WOsEgwog\\tSooIYUQ.exe" | 2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sckQMYAE.exe = "C:\\ProgramData\\kGYoYwAI\\sckQMYAE.exe" | 2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\tSooIYUQ.exe = "C:\\Users\\Admin\\WOsEgwog\\tSooIYUQ.exe" | tSooIYUQ.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sckQMYAE.exe = "C:\\ProgramData\\kGYoYwAI\\sckQMYAE.exe" | sckQMYAE.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim host in order to infer its geographical location.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe (25 entries)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe (25 entries)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cscript.exe (7 entries)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe (7 entries)
Modifies registry key 1 TTPs 64 IoCs
pid | Process
reg.exe, 64 entries, PIDs in the order listed: 1868, 3040, 2548, 2844, 2700, 2080, 1700, 756, 1780, 2716, 1432, 696, 2400, 1100, 1712, 1816, 2712, 2636, 2416, 3052, 1772, 1432, 2896, 1824, 2768, 1444, 2556, 992, 1352, 1816, 2932, 2028, 644, 2056, 644, 2772, 1912, 376, 756, 1092, 2340, 1564, 1008, 1100, 2844, 264, 2932, 2560, 2556, 2136, 2608, 1008, 1768, 2692, 1100, 2284, 2416, 2036, 644, 1492, 2928, 2620, 2932, 2640
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe, 64 entries; each of the following PIDs is listed twice, in this order: 1320, 812, 2716, 2908, 1816, 1380, 544, 2804, 1492, 2040, 2948, 3040, 2832, 2432, 2756, 964, 1968, 1812, 2836, 2708, 1036, 1672, 2668, 2888, 1928, 2764, 1632, 348, 2432, 1088, 3024, 2160
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
2472 | tSooIYUQ.exe
Suspicious use of FindShellTrayWindow 64 IoCs
pid | Process
2472 | tSooIYUQ.exe (the same entry is listed for each of the 64 IoCs)
Suspicious use of WriteProcessMemory 64 IoCs
description  pid  Process  procid_target  (count)
PID 1320 wrote to memory of 2472  1320  2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe  31  ×4
PID 1320 wrote to memory of 1848  1320  2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe  32  ×4
PID 1320 wrote to memory of 2132  1320  2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe  33  ×4
PID 2132 wrote to memory of 812   2132  cmd.exe  35  ×4
PID 1320 wrote to memory of 2692  1320  2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe  36  ×4
PID 1320 wrote to memory of 2804  1320  2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe  37  ×4
PID 1320 wrote to memory of 2820  1320  2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe  38  ×4
PID 1320 wrote to memory of 2680  1320  2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe  40  ×4
PID 2680 wrote to memory of 2880  2680  cmd.exe  44  ×4
PID 812 wrote to memory of 2612   812   2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe  45  ×4
PID 2612 wrote to memory of 2716  2612  cmd.exe  47  ×4
PID 812 wrote to memory of 2416   812   2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe  48  ×4
PID 812 wrote to memory of 2104   812   2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe  49  ×4
PID 812 wrote to memory of 1492   812   2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe  50  ×4
PID 812 wrote to memory of 1368   812   2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe  52  ×4
PID 1368 wrote to memory of 2044  1368  cmd.exe  56  ×4
(16 distinct writer/target pairs, each logged four times: 64 IoCs)
Processes
-
1⤵ PID 1320  C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe
   cmdline: "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe"
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
2⤵ PID 2472  C:\Users\Admin\WOsEgwog\tSooIYUQ.exe
   cmdline: "C:\Users\Admin\WOsEgwog\tSooIYUQ.exe"
   - Checks computer location settings
   - Executes dropped EXE
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious behavior: GetForegroundWindowSpam
   - Suspicious use of FindShellTrayWindow
2⤵ PID 1848  C:\ProgramData\kGYoYwAI\sckQMYAE.exe
   cmdline: "C:\ProgramData\kGYoYwAI\sckQMYAE.exe"
   - Executes dropped EXE
   - Adds Run key to start application
2⤵ PID 2132  C:\Windows\SysWOW64\cmd.exe
   cmdline: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock"
   - Suspicious use of WriteProcessMemory
3⤵ PID 812  C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe
   cmdline: C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
From depth 4 downward the chain alternates between the two command lines shown at depths 2 and 3: every cmd.exe is started as cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock" (the sample's own path without its .exe extension) and every 2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe is started as C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock. Only the PIDs and signatures differ. Several PIDs (812, 1320, 2804, 2908, 924, 2132, 2652, 2664, 2716, 2836, 2852, 3044, 1336, 1816, 1932, 2432, 2896, 856) occur twice in the chain because the sandbox recycled them after the earlier holder exited.
4⤵ PID 2612  C:\Windows\SysWOW64\cmd.exe
   - Suspicious use of WriteProcessMemory
5⤵ PID 2716  C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe
   - Suspicious behavior: EnumeratesProcesses
6⤵ PID 2784  C:\Windows\SysWOW64\cmd.exe
7⤵ PID 2908  C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe
   - Suspicious behavior: EnumeratesProcesses
8⤵ PID 1912  C:\Windows\SysWOW64\cmd.exe
9⤵ PID 1816  C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe
   - Suspicious behavior: EnumeratesProcesses
10⤵ PID 888  C:\Windows\SysWOW64\cmd.exe
11⤵ PID 1380  C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe
   - Suspicious behavior: EnumeratesProcesses
12⤵ PID 2324  C:\Windows\SysWOW64\cmd.exe
   - System Location Discovery: System Language Discovery
13⤵ PID 544  C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe
   - Suspicious behavior: EnumeratesProcesses
14⤵ PID 2696  C:\Windows\SysWOW64\cmd.exe
15⤵ PID 2804  C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe
   - Suspicious behavior: EnumeratesProcesses
16⤵ PID 2104  C:\Windows\SysWOW64\cmd.exe
17⤵ PID 1492  C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe
   - Suspicious behavior: EnumeratesProcesses
18⤵ PID 2008  C:\Windows\SysWOW64\cmd.exe
19⤵ PID 2040  C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe
   - Suspicious behavior: EnumeratesProcesses
20⤵ PID 956  C:\Windows\SysWOW64\cmd.exe
21⤵ PID 2948  C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe
   - Suspicious behavior: EnumeratesProcesses
22⤵ PID 2308  C:\Windows\SysWOW64\cmd.exe
23⤵ PID 3040  C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe
   - Suspicious behavior: EnumeratesProcesses
24⤵ PID 2652  C:\Windows\SysWOW64\cmd.exe
25⤵ PID 2832  C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe
   - Suspicious behavior: EnumeratesProcesses
26⤵ PID 1764  C:\Windows\SysWOW64\cmd.exe
27⤵ PID 2432  C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe
   - Suspicious behavior: EnumeratesProcesses
28⤵ PID 2124  C:\Windows\SysWOW64\cmd.exe
   - System Location Discovery: System Language Discovery
29⤵ PID 2756  C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe
   - Suspicious behavior: EnumeratesProcesses
30⤵ PID 1832  C:\Windows\SysWOW64\cmd.exe
31⤵ PID 964  C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe
   - Suspicious behavior: EnumeratesProcesses
32⤵ PID 808  C:\Windows\SysWOW64\cmd.exe
33⤵ PID 1968  C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe
   - Suspicious behavior: EnumeratesProcesses
34⤵ PID 2140  C:\Windows\SysWOW64\cmd.exe
35⤵ PID 1812  C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
36⤵ PID 2384  C:\Windows\SysWOW64\cmd.exe
37⤵ PID 2836  C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe
   - Suspicious behavior: EnumeratesProcesses
38⤵ PID 1064  C:\Windows\SysWOW64\cmd.exe
39⤵ PID 2708  C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
40⤵ PID 2908  C:\Windows\SysWOW64\cmd.exe
   - System Location Discovery: System Language Discovery
41⤵ PID 1036  C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe
   - Suspicious behavior: EnumeratesProcesses
42⤵ PID 2924  C:\Windows\SysWOW64\cmd.exe
43⤵ PID 1672  C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe
   - Suspicious behavior: EnumeratesProcesses
44⤵ PID 3028  C:\Windows\SysWOW64\cmd.exe
45⤵ PID 2668  C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe
   - Suspicious behavior: EnumeratesProcesses
46⤵ PID 2532  C:\Windows\SysWOW64\cmd.exe
47⤵ PID 2888  C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe
   - Suspicious behavior: EnumeratesProcesses
48⤵ PID 2168  C:\Windows\SysWOW64\cmd.exe
49⤵ PID 1928  C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe
   - Suspicious behavior: EnumeratesProcesses
50⤵ PID 812  C:\Windows\SysWOW64\cmd.exe
51⤵ PID 2764  C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe
   - Suspicious behavior: EnumeratesProcesses
52⤵ PID 2836  C:\Windows\SysWOW64\cmd.exe
53⤵ PID 1632  C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe
   - Suspicious behavior: EnumeratesProcesses
54⤵ PID 2440  C:\Windows\SysWOW64\cmd.exe
   - System Location Discovery: System Language Discovery
55⤵ PID 348  C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe
   - Suspicious behavior: EnumeratesProcesses
56⤵ PID 2892  C:\Windows\SysWOW64\cmd.exe
57⤵ PID 2432  C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe
   - Suspicious behavior: EnumeratesProcesses
58⤵ PID 2288  C:\Windows\SysWOW64\cmd.exe
   - System Location Discovery: System Language Discovery
59⤵ PID 1088  C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe
   - Suspicious behavior: EnumeratesProcesses
60⤵ PID 860  C:\Windows\SysWOW64\cmd.exe
61⤵ PID 3024  C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
62⤵ PID 2356  C:\Windows\SysWOW64\cmd.exe
63⤵ PID 2160  C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe
   - Suspicious behavior: EnumeratesProcesses
64⤵ PID 2732  C:\Windows\SysWOW64\cmd.exe
65⤵ PID 1816  C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe
66⤵ PID 2512  C:\Windows\SysWOW64\cmd.exe
67⤵ PID 1336  C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe
68⤵ PID 2852  C:\Windows\SysWOW64\cmd.exe
   - System Location Discovery: System Language Discovery
69⤵ PID 2084  C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe
70⤵ PID 1932  C:\Windows\SysWOW64\cmd.exe
71⤵ PID 2896  C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe
   - System Location Discovery: System Language Discovery
72⤵ PID 856  C:\Windows\SysWOW64\cmd.exe
73⤵ PID 924  C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe
74⤵ PID 1660  C:\Windows\SysWOW64\cmd.exe
   - System Location Discovery: System Language Discovery
75⤵ PID 1368  C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe
76⤵ PID 2804  C:\Windows\SysWOW64\cmd.exe
77⤵ PID 3044  C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe
78⤵ PID 2580  C:\Windows\SysWOW64\cmd.exe
79⤵ PID 1320  C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe
80⤵ PID 2664  C:\Windows\SysWOW64\cmd.exe
81⤵ PID 924  C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe
82⤵ PID 1856  C:\Windows\SysWOW64\cmd.exe
83⤵ PID 3008  C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe
84⤵ PID 2896  C:\Windows\SysWOW64\cmd.exe
85⤵ PID 3044  C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe
   - System Location Discovery: System Language Discovery
86⤵ PID 1156  C:\Windows\SysWOW64\cmd.exe
87⤵ PID 2600  C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe
   - System Location Discovery: System Language Discovery
88⤵ PID 2132  C:\Windows\SysWOW64\cmd.exe
89⤵ PID 2624  C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe
90⤵ PID 1788  C:\Windows\SysWOW64\cmd.exe
   - System Location Discovery: System Language Discovery
91⤵ PID 2484  C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe
92⤵ PID 2652  C:\Windows\SysWOW64\cmd.exe
   - System Location Discovery: System Language Discovery
93⤵ PID 824  C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe
94⤵ PID 2592  C:\Windows\SysWOW64\cmd.exe
95⤵ PID 1352  C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe
96⤵ PID 708  C:\Windows\SysWOW64\cmd.exe
97⤵ PID 2520  C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe
98⤵ PID 336  C:\Windows\SysWOW64\cmd.exe
99⤵ PID 1860  C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe
100⤵ PID 2796  C:\Windows\SysWOW64\cmd.exe
101⤵ PID 2852  C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe
102⤵ PID 1932  C:\Windows\SysWOW64\cmd.exe
103⤵ PID 2376  C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe
104⤵ PID 2856  C:\Windows\SysWOW64\cmd.exe
105⤵ PID 376  C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe
106⤵ PID 2436  C:\Windows\SysWOW64\cmd.exe
107⤵ PID 856  C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe
108⤵ PID 1336  C:\Windows\SysWOW64\cmd.exe
   - System Location Discovery: System Language Discovery
109⤵ PID 2604  C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe
110⤵ PID 2020  C:\Windows\SysWOW64\cmd.exe
111⤵ PID 1644  C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe
112⤵ PID 2716  C:\Windows\SysWOW64\cmd.exe
   - System Location Discovery: System Language Discovery
113⤵ PID 2380  C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe
114⤵ PID 1580  C:\Windows\SysWOW64\cmd.exe
115⤵ PID 2044  C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe
116⤵ PID 2968  C:\Windows\SysWOW64\cmd.exe
117⤵ PID 2588  C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe
118⤵ PID 572  C:\Windows\SysWOW64\cmd.exe
119⤵ PID 1648  C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe
120⤵ PID 1624  C:\Windows\SysWOW64\cmd.exe
121⤵ PID 3064  C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe
122⤵ PID 2664  C:\Windows\SysWOW64\cmd.exe
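The process tree above and the "Suspicious use of WriteProcessMemory" table earlier in this report can be read together. The tree shows the sample relaunching itself through cmd.exe with its own path minus the .exe (cmd.exe appends the PATHEXT extensions when a command has none, so the extension-less path resolves back to the same binary), and each WriteProcessMemory entry names a writer PID and a target PID that can be checked against those parent/child relationships. The Python below is an added example, not part of the report or of any sandbox's code. Its EVENTS list is constructed from the report's PIDs and images (the final write, 2472 into 2908, is invented to show a write that is not into the writer's own child), and it keys processes by (PID, event index) rather than by PID alone because the sandbox recycles PIDs: 812, 1320, 2804 and 2908 each occur twice in the tree.

```python
"""Added example (not from the sandbox report): replay process-creation and
WriteProcessMemory events, flag the cmd.exe self-relaunch loop seen in the
report's tree, and separate parent->child writes from writes into foreign
processes. EVENTS is a constructed sample modelled on the report's PIDs."""
import ntpath
from collections import namedtuple

Create = namedtuple("Create", "pid ppid image cmdline")   # process creation
Write = namedtuple("Write", "pid target")                 # WriteProcessMemory

VIRLOCK = r"C:\Users\Admin\AppData\Local\Temp\2024-10-26_1ece96646e9b993df4996b2e0dc01d9d_virlock.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
DROPPED = r"C:\Users\Admin\WOsEgwog\tSooIYUQ.exe"
RELAUNCH = f'cmd /c "{VIRLOCK[:-4]}"'   # the report's cmd line: the path minus ".exe"

EVENTS = [                                  # constructed from the report's tree
    Create(1320, 0, VIRLOCK, f'"{VIRLOCK}"'),   # ppid 0: launcher not in the report
    Create(2472, 1320, DROPPED, f'"{DROPPED}"'),
    Write(1320, 2472),
    Create(2132, 1320, CMD, RELAUNCH),
    Write(1320, 2132),
    Create(812, 2132, VIRLOCK, VIRLOCK[:-4]),
    Write(2132, 812),
    Create(2612, 812, CMD, RELAUNCH),
    Write(812, 2612),
    Create(2716, 2612, VIRLOCK, VIRLOCK[:-4]),
    Write(2612, 2716),
    Create(2784, 2716, CMD, RELAUNCH),
    Create(2908, 2784, VIRLOCK, VIRLOCK[:-4]),
    Create(812, 2908, CMD, RELAUNCH),   # PID 812 recycled, as at depths 3 and 50 in the report
    Write(2472, 2908),                  # invented: a write that is NOT into the writer's child
]


def is_cmd_relaunch(parent_image, child_image, child_cmdline):
    """True when a process starts cmd.exe to run its own image path without the
    ".exe" (cmd.exe tries the PATHEXT extensions, so it resolves to the same binary)."""
    if ntpath.basename(child_image).lower() != "cmd.exe":
        return False
    stem = parent_image[:-4] if parent_image.lower().endswith(".exe") else parent_image
    return child_cmdline.strip().lower() == f'cmd /c "{stem.lower()}"'


def chain_depth(procs, key):
    """Length of the ancestor run consisting only of cmd.exe and one other image."""
    anchor, depth = None, 0
    while key is not None:
        name = ntpath.basename(procs[key]["image"]).lower()
        if name != "cmd.exe":
            if anchor is None:
                anchor = name
            elif name != anchor:
                break
        depth += 1
        key = procs[key]["parent"]
    return depth


def analyze(events, loop_depth=4):
    """Replay events in order. Processes are keyed by (pid, event index) so a
    recycled PID never merges two processes; `live` maps a PID to whichever
    process currently owns it. Returns (procs, findings)."""
    procs, live, findings = {}, {}, []
    for seq, ev in enumerate(events):
        if isinstance(ev, Create):
            key, parent = (ev.pid, seq), live.get(ev.ppid)
            procs[key] = {"image": ev.image, "parent": parent, "children": set()}
            if parent is not None:
                procs[parent]["children"].add(key)
                if is_cmd_relaunch(procs[parent]["image"], ev.image, ev.cmdline):
                    findings.append(("cmd-relaunch", ev.ppid, ev.pid))
            live[ev.pid] = key                      # the new holder of this PID
            depth = chain_depth(procs, key)
            if depth >= loop_depth:
                findings.append(("relaunch-loop", ev.pid, depth))
        else:
            writer, target = live.get(ev.pid), live.get(ev.target)
            if writer is not None and target in procs[writer]["children"]:
                findings.append(("write-own-child", ev.pid, ev.target))
            else:
                findings.append(("write-foreign", ev.pid, ev.target))
    return procs, findings


if __name__ == "__main__":
    for finding in analyze(EVENTS)[1]:
        print(*finding)
```

Run stand-alone, the block prints one finding per line. The cmd-relaunch and relaunch-loop findings are the pattern worth alerting on in endpoint telemetry (Sysmon event 1 or an EDR's process-creation feed maps onto the Create record; event 10 or equivalent cross-process access maps onto Write). A parent writing into a child it has just created is ordinary CreateProcess set-up and is what the report's table records for every entry; the write-foreign classification only fires for the invented 2472 into 2908 event, which is the shape an injection would have.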