Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
26-10-2024 04:33
Static task
static1
Behavioral task
behavioral1
Sample
2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
Resource
win10v2004-20241007-en
General
-
Target
2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe
-
Size
118KB
-
MD5
055739f5184aeb744d73e3c90ec60b08
-
SHA1
387406f6e090203196f15790213a30a866de0d66
-
SHA256
edc6d589a66d3457c04eb7e5ec5d4ded396a78417a81fa307abc434306d709e4
-
SHA512
024156300f6da1a5252e5e24ae53fa29f5325fc68bddf23df3a4a6c2b4a002c7f2e8095150b16aa86b53071afb0d31ffa14d0d687c4d7f890d2d07cb7e46fb2c
-
SSDEEP
3072:dMQNPkEOmieES3pc0bRYsrlUBJP+XXenuqasd:dnOmzES3xbRLl2+yuqzd
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) 
\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) 
\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) 
\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) 
\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) 
\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set 
value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe -
Renames multiple (78) files with added filename extension
This suggests ransomware activity: files on the system are being encrypted and renamed.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely for geofencing.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation YaEkQMMc.exe -
Executes dropped EXE 2 IoCs
pid Process 4480 PAsIAQAo.exe 4248 YaEkQMMc.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials and other sensitive information.
-
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PAsIAQAo.exe = "C:\\Users\\Admin\\uYUEQgAc\\PAsIAQAo.exe" 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\YaEkQMMc.exe = "C:\\ProgramData\\wAMUwYYE\\YaEkQMMc.exe" 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\YaEkQMMc.exe = "C:\\ProgramData\\wAMUwYYE\\YaEkQMMc.exe" YaEkQMMc.exe Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PAsIAQAo.exe = "C:\\Users\\Admin\\uYUEQgAc\\PAsIAQAo.exe" PAsIAQAo.exe -
Drops file in System32 directory 2 IoCs
description ioc Process File created C:\Windows\SysWOW64\shell32.dll.exe YaEkQMMc.exe File opened for modification C:\Windows\SysWOW64\shell32.dll.exe YaEkQMMc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe -
Modifies registry key 1 TTPs 64 IoCs
pid Process 3132 reg.exe 2432 reg.exe 1160 reg.exe 768 reg.exe 4912 reg.exe 4300 reg.exe 3964 reg.exe 2140 reg.exe 2476 reg.exe 1776 reg.exe 2676 reg.exe 2476 reg.exe 3332 reg.exe 4500 reg.exe 3028 reg.exe 4520 reg.exe 3584 reg.exe 4920 reg.exe 3552 reg.exe 1632 reg.exe 1604 reg.exe 908 reg.exe 3428 reg.exe 2860 reg.exe 1044 reg.exe 212 reg.exe 4668 reg.exe 2596 reg.exe 1856 reg.exe 476 reg.exe 3588 reg.exe 820 reg.exe 1768 reg.exe 4544 reg.exe 940 reg.exe 4668 reg.exe 4668 reg.exe 2308 reg.exe 1580 reg.exe 888 reg.exe 1516 reg.exe 888 reg.exe 1416 reg.exe 888 reg.exe 2024 reg.exe 3748 reg.exe 1512 reg.exe 3712 reg.exe 1568 reg.exe 476 reg.exe 1036 reg.exe 1284 reg.exe 3380 reg.exe 3984 reg.exe 1284 reg.exe 3436 reg.exe 2764 reg.exe 4924 reg.exe 384 reg.exe 2764 reg.exe 2676 reg.exe 1428 reg.exe 4476 reg.exe 4668 reg.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4784 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 4784 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 4784 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 4784 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 2688 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 2688 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 2688 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 2688 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 2368 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 2368 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 2368 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 2368 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 1324 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 1324 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 1324 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 1324 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 4956 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 4956 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 4956 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 4956 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 2464 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 2464 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 2464 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 2464 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 4904 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 4904 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 4904 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 4904 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 1256 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 1256 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 1256 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 1256 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 4860 
2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 4860 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 4860 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 4860 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 1656 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 1656 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 1656 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 1656 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 4352 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 4352 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 4352 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 4352 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 764 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 764 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 764 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 764 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 4596 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 4596 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 4596 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 4596 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 4924 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 4924 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 4924 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 4924 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 4920 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 4920 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 4920 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 4920 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 1812 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 1812 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 1812 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 1812 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 4248 YaEkQMMc.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 4248 YaEkQMMc.exe 4248 YaEkQMMc.exe 4248 YaEkQMMc.exe 4248 YaEkQMMc.exe 4248 YaEkQMMc.exe 4248 YaEkQMMc.exe 4248 YaEkQMMc.exe 4248 YaEkQMMc.exe 4248 YaEkQMMc.exe 4248 YaEkQMMc.exe 4248 YaEkQMMc.exe 4248 YaEkQMMc.exe 4248 YaEkQMMc.exe 4248 YaEkQMMc.exe 4248 YaEkQMMc.exe 4248 YaEkQMMc.exe 4248 YaEkQMMc.exe 4248 YaEkQMMc.exe 4248 YaEkQMMc.exe 4248 YaEkQMMc.exe 4248 YaEkQMMc.exe 4248 YaEkQMMc.exe 4248 YaEkQMMc.exe 4248 YaEkQMMc.exe 4248 YaEkQMMc.exe 4248 YaEkQMMc.exe 4248 YaEkQMMc.exe 4248 YaEkQMMc.exe 4248 YaEkQMMc.exe 4248 YaEkQMMc.exe 4248 YaEkQMMc.exe 4248 YaEkQMMc.exe 4248 YaEkQMMc.exe 4248 YaEkQMMc.exe 4248 YaEkQMMc.exe 4248 YaEkQMMc.exe 4248 YaEkQMMc.exe 4248 YaEkQMMc.exe 4248 YaEkQMMc.exe 4248 YaEkQMMc.exe 4248 YaEkQMMc.exe 4248 YaEkQMMc.exe 4248 YaEkQMMc.exe 4248 YaEkQMMc.exe 4248 YaEkQMMc.exe 4248 YaEkQMMc.exe 4248 YaEkQMMc.exe 4248 YaEkQMMc.exe 4248 YaEkQMMc.exe 4248 YaEkQMMc.exe 4248 YaEkQMMc.exe 4248 YaEkQMMc.exe 4248 YaEkQMMc.exe 4248 YaEkQMMc.exe 4248 YaEkQMMc.exe 4248 YaEkQMMc.exe 4248 YaEkQMMc.exe 4248 YaEkQMMc.exe 4248 YaEkQMMc.exe 4248 YaEkQMMc.exe 4248 YaEkQMMc.exe 4248 YaEkQMMc.exe 4248 YaEkQMMc.exe 4248 YaEkQMMc.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4784 wrote to memory of 4480 4784 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 84 PID 4784 wrote to memory of 4480 4784 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 84 PID 4784 wrote to memory of 4480 4784 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 84 PID 4784 wrote to memory of 4248 4784 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 85 PID 4784 wrote to memory of 4248 4784 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 85 PID 4784 wrote to memory of 4248 4784 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 85 PID 4784 wrote to memory of 764 4784 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 86 PID 4784 wrote to memory of 764 4784 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 86 PID 4784 wrote to memory of 764 4784 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 86 PID 4784 wrote to memory of 2076 4784 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 88 PID 4784 wrote to memory of 2076 4784 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 88 PID 4784 wrote to memory of 2076 4784 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 88 PID 4784 wrote to memory of 4764 4784 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 89 PID 4784 wrote to memory of 4764 4784 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 89 PID 4784 wrote to memory of 4764 4784 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 89 PID 4784 wrote to memory of 4920 4784 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 90 PID 4784 wrote to memory of 4920 4784 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 90 PID 4784 wrote to memory of 4920 4784 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 90 PID 4784 wrote to memory of 216 4784 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 91 PID 4784 wrote to memory of 216 4784 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 91 PID 4784 wrote to memory 
of 216 4784 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 91 PID 764 wrote to memory of 2688 764 cmd.exe 96 PID 764 wrote to memory of 2688 764 cmd.exe 96 PID 764 wrote to memory of 2688 764 cmd.exe 96 PID 216 wrote to memory of 1552 216 cmd.exe 97 PID 216 wrote to memory of 1552 216 cmd.exe 97 PID 216 wrote to memory of 1552 216 cmd.exe 97 PID 2688 wrote to memory of 2376 2688 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 98 PID 2688 wrote to memory of 2376 2688 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 98 PID 2688 wrote to memory of 2376 2688 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 98 PID 2376 wrote to memory of 2368 2376 cmd.exe 100 PID 2376 wrote to memory of 2368 2376 cmd.exe 100 PID 2376 wrote to memory of 2368 2376 cmd.exe 100 PID 2688 wrote to memory of 1156 2688 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 101 PID 2688 wrote to memory of 1156 2688 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 101 PID 2688 wrote to memory of 1156 2688 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 101 PID 2688 wrote to memory of 648 2688 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 102 PID 2688 wrote to memory of 648 2688 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 102 PID 2688 wrote to memory of 648 2688 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 102 PID 2688 wrote to memory of 2476 2688 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 103 PID 2688 wrote to memory of 2476 2688 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 103 PID 2688 wrote to memory of 2476 2688 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 103 PID 2688 wrote to memory of 3212 2688 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 104 PID 2688 wrote to memory of 3212 2688 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 104 PID 2688 wrote to memory of 3212 2688 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 104 PID 3212 wrote to memory of 824 
3212 cmd.exe 109 PID 3212 wrote to memory of 824 3212 cmd.exe 109 PID 3212 wrote to memory of 824 3212 cmd.exe 109 PID 2368 wrote to memory of 3944 2368 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 110 PID 2368 wrote to memory of 3944 2368 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 110 PID 2368 wrote to memory of 3944 2368 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 110 PID 3944 wrote to memory of 1324 3944 cmd.exe 112 PID 3944 wrote to memory of 1324 3944 cmd.exe 112 PID 3944 wrote to memory of 1324 3944 cmd.exe 112 PID 2368 wrote to memory of 1076 2368 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 114 PID 2368 wrote to memory of 1076 2368 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 114 PID 2368 wrote to memory of 1076 2368 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 114 PID 2368 wrote to memory of 1848 2368 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 115 PID 2368 wrote to memory of 1848 2368 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 115 PID 2368 wrote to memory of 1848 2368 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 115 PID 2368 wrote to memory of 1036 2368 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 116 PID 2368 wrote to memory of 1036 2368 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 116 PID 2368 wrote to memory of 1036 2368 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 116 PID 2368 wrote to memory of 4860 2368 2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe 117
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe"C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exe"1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4784 -
C:\Users\Admin\uYUEQgAc\PAsIAQAo.exe"C:\Users\Admin\uYUEQgAc\PAsIAQAo.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4480
-
-
C:\ProgramData\wAMUwYYE\YaEkQMMc.exe"C:\ProgramData\wAMUwYYE\YaEkQMMc.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:4248
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"2⤵
- Suspicious use of WriteProcessMemory
PID:764 -
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2688 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"4⤵
- Suspicious use of WriteProcessMemory
PID:2376 -
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2368 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"6⤵
- Suspicious use of WriteProcessMemory
PID:3944 -
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock7⤵
- Suspicious behavior: EnumeratesProcesses
PID:1324 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"8⤵PID:1948
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock9⤵
- Suspicious behavior: EnumeratesProcesses
PID:4956 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"10⤵PID:3836
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock11⤵
- Suspicious behavior: EnumeratesProcesses
PID:2464 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"12⤵PID:3340
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock13⤵
- Suspicious behavior: EnumeratesProcesses
PID:4904 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"14⤵PID:2652
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock15⤵
- Suspicious behavior: EnumeratesProcesses
PID:1256 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"16⤵PID:892
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock17⤵
- Suspicious behavior: EnumeratesProcesses
PID:4860 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"18⤵PID:4520
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock19⤵
- Suspicious behavior: EnumeratesProcesses
PID:1656 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"20⤵PID:4484
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock21⤵
- Suspicious behavior: EnumeratesProcesses
PID:4352 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"22⤵PID:1552
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV123⤵PID:3432
-
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock23⤵
- Suspicious behavior: EnumeratesProcesses
PID:764 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"24⤵PID:3664
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock25⤵
- Suspicious behavior: EnumeratesProcesses
PID:4596 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"26⤵PID:1072
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock27⤵
- Suspicious behavior: EnumeratesProcesses
PID:4924 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"28⤵PID:1436
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock29⤵
- Suspicious behavior: EnumeratesProcesses
PID:4920 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"30⤵PID:1620
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV131⤵PID:4484
-
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock31⤵
- Suspicious behavior: EnumeratesProcesses
PID:1812 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"32⤵
- System Location Discovery: System Language Discovery
PID:4136 -
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock33⤵PID:3604
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"34⤵
- System Location Discovery: System Language Discovery
PID:2692 -
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock35⤵PID:3428
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"36⤵PID:4256
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock37⤵PID:1248
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"38⤵PID:3856
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock39⤵PID:888
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"40⤵PID:4484
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock41⤵PID:4540
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"42⤵
- System Location Discovery: System Language Discovery
PID:2020 -
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock43⤵PID:2596
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"44⤵PID:4224
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock45⤵PID:4920
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"46⤵PID:4468
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock47⤵PID:2004
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"48⤵
- System Location Discovery: System Language Discovery
PID:3900 -
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock49⤵PID:3500
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"50⤵PID:4744
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock51⤵PID:1816
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"52⤵PID:4368
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV153⤵PID:1428
-
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock53⤵PID:3552
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"54⤵PID:3440
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV155⤵PID:1580
-
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock55⤵PID:4812
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"56⤵PID:4300
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock57⤵PID:1512
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"58⤵PID:876
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock59⤵
- System Location Discovery: System Language Discovery
PID:4520 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"60⤵PID:180
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock61⤵PID:2292
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"62⤵
- System Location Discovery: System Language Discovery
PID:4960 -
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock63⤵PID:380
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"64⤵PID:3440
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV165⤵PID:3604
-
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock65⤵
- System Location Discovery: System Language Discovery
PID:1536 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"66⤵PID:1452
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock67⤵PID:4996
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"68⤵
- System Location Discovery: System Language Discovery
PID:3548 -
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock69⤵
- System Location Discovery: System Language Discovery
PID:2692 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"70⤵PID:1948
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock71⤵PID:3896
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"72⤵PID:3120
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock73⤵PID:2216
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"74⤵
- System Location Discovery: System Language Discovery
PID:3836 -
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock75⤵PID:1684
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"76⤵PID:1192
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock77⤵PID:4012
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"78⤵PID:3464
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV179⤵PID:2168
-
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock79⤵PID:3944
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"80⤵PID:4104
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock81⤵PID:4216
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"82⤵PID:3456
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock83⤵PID:2868
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"84⤵PID:3756
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock85⤵PID:2024
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"86⤵PID:2140
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock87⤵PID:1948
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"88⤵PID:4840
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock89⤵PID:3532
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"90⤵PID:2252
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock91⤵PID:3368
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"92⤵PID:4256
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock93⤵PID:812
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"94⤵PID:3524
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock95⤵PID:2148
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"96⤵PID:4568
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock97⤵PID:3372
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"98⤵PID:4448
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV199⤵PID:3456
-
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock99⤵PID:824
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"100⤵PID:1944
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock101⤵PID:4208
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"102⤵PID:5004
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock103⤵PID:5032
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"104⤵PID:3892
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1105⤵PID:2504
-
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock105⤵PID:648
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"106⤵PID:3584
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock107⤵PID:3784
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"108⤵PID:2124
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1109⤵PID:812
-
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock109⤵PID:5040
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"110⤵PID:4560
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock111⤵PID:2944
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"112⤵PID:4644
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock113⤵PID:3996
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"114⤵PID:1596
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1115⤵PID:228
-
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock115⤵PID:2828
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"116⤵PID:1684
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock117⤵PID:4560
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"118⤵PID:4888
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock119⤵PID:2124
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"120⤵PID:4876
-
C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock121⤵PID:4360
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_055739f5184aeb744d73e3c90ec60b08_virlock"122⤵PID:3196