Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26-10-2024 04:37
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
  Resource: win10v2004-20241007-en
General
- Target: 2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
- Size: 118KB
- MD5: 73ba8f50d4e3422da9577654ee551bbf
- SHA1: f28fac8e997523dab963cabea7e89cb033f4b517
- SHA256: ec5c1ee022b8095b3d2055e299f845ef0e3530ad8336fca6f9620314960904cd
- SHA512: 388b8bfc4d3476bbccc8c439cb4332ff5b8d2675b090628abf55643a318a4310c53556b92f0c294ee79856b9233d4a916cb16d8191b46ad1fe73e94364429c23
- SSDEEP: 3072:9K3HfIfJEkZsZXueo61soKLH0MUsMjgMZwe7IGLcRP4PMysRTef:lSX+6soKLH0MUsMjgMZweMDPjystef
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs
HideFileExt = 1 makes Explorer hide known file extensions, so a file renamed with an extra extension (for example report.docx.exe) is listed as report.docx.
description ioc Process
Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe (64 identical entries)
-
Sets EnableLUA = 0, which disables User Account Control machine-wide from the next reboot (the sandbox's signature title for this block is not preserved in this copy)
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe (all entries identical)
-
Renames multiple (85) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation DqUwYEEs.exe
-
Executes dropped EXE 2 IoCs
pid Process
2584 nAkIQcww.exe
4692 DqUwYEEs.exe
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 4 IoCs
The sample registers both dropped executables, and each dropped executable then re-registers itself. The WOW6432Node path is the 32-bit view of HKLM\SOFTWARE\...\Run, which is where a 32-bit process lands when it writes the machine Run key on 64-bit Windows.
description ioc Process
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nAkIQcww.exe = "C:\\Users\\Admin\\bOwkwQMM\\nAkIQcww.exe" 2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DqUwYEEs.exe = "C:\\ProgramData\\HsUMsAcI\\DqUwYEEs.exe" 2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DqUwYEEs.exe = "C:\\ProgramData\\HsUMsAcI\\DqUwYEEs.exe" DqUwYEEs.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nAkIQcww.exe = "C:\\Users\\Admin\\bOwkwQMM\\nAkIQcww.exe" nAkIQcww.exe
-
Drops file in System32 directory 2 IoCs
The dropped file carries the name of a system DLL with .exe appended; with HideFileExt set to 1 (see above), Explorer lists it as shell32.dll.
description ioc Process
File created C:\Windows\SysWOW64\shell32.dll.exe DqUwYEEs.exe
File opened for modification C:\Windows\SysWOW64\shell32.dll.exe DqUwYEEs.exe
-
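Detection logic for the registry and file IoCs above (HideFileExt, EnableLUA, the two Run keys and the SysWOW64 drop), written here as an added example; it is not code from the sandbox or from the sample. It evaluates records in the shape of Sysmon Event ID 13 (registry value set) and Event ID 11 (file create). The registry paths, values and dropped file name in the sample records are taken from this report's IoC tables; the process image paths, the exact Sysmon field names and the benign control record are assumptions.

```python
import re

SID = "S-1-5-21-3442511616-637977696-3186306149-1000"
SAMPLE = "2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe"

# Constructed records in the shape of Sysmon Event ID 13 (registry value set)
# and Event ID 11 (file create). Registry paths, values and the dropped file
# name are the report's IoCs; the Image paths are assumptions, and the final
# record is a benign control that must not fire.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": "C:\\Windows\\SysWOW64\\reg.exe",
     "TargetObject": "HKU\\" + SID + "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\HideFileExt",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": "C:\\Windows\\SysWOW64\\reg.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "Image": "C:\\Users\\Admin\\Desktop\\" + SAMPLE,
     "TargetObject": "HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\DqUwYEEs.exe",
     "Details": "C:\\ProgramData\\HsUMsAcI\\DqUwYEEs.exe"},
    {"EventID": 13, "Image": "C:\\Users\\Admin\\bOwkwQMM\\nAkIQcww.exe",
     "TargetObject": "HKU\\" + SID + "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\nAkIQcww.exe",
     "Details": "C:\\Users\\Admin\\bOwkwQMM\\nAkIQcww.exe"},
    {"EventID": 11, "Image": "C:\\ProgramData\\HsUMsAcI\\DqUwYEEs.exe",
     "TargetFilename": "C:\\Windows\\SysWOW64\\shell32.dll.exe"},
    {"EventID": 13, "Image": "C:\\Program Files\\Vendor\\setup.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorUpdater",
     "Details": "C:\\Program Files\\Vendor\\updater.exe"},
]

DWORD_RE = re.compile(r"DWORD \(0x([0-9A-Fa-f]{8})\)")
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)
USER_WRITABLE = ("c:\\programdata\\", "c:\\users\\")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def dword_value(details):
    """Integer behind Sysmon's 'DWORD (0x...)' rendering or a bare number, else None."""
    text = details.strip().strip('"')
    m = DWORD_RE.fullmatch(text)
    if m:
        return int(m.group(1), 16)
    return int(text) if text.isdigit() else None


def evaluate(event):
    """Return the names of every rule the event satisfies."""
    hits = []
    if event["EventID"] == 13:
        target = event["TargetObject"]
        low = target.lower()
        details = event.get("Details", "")
        if low.endswith("\\explorer\\advanced\\hidefileext") and dword_value(details) == 1:
            hits.append("explorer_hides_file_extensions")
        if low.endswith("\\policies\\system\\enablelua") and dword_value(details) == 0:
            hits.append("uac_disabled")
        # Run entries are normal; Run entries pointing into ProgramData or a
        # user profile (both writable without elevation) are the signal here.
        if RUN_KEY_RE.search(target) and details.lower().strip('"').startswith(USER_WRITABLE):
            hits.append("run_key_points_to_user_writable_path")
            if "\\wow6432node\\" in low:
                hits.append("run_key_set_via_wow6432node_view")
    elif event["EventID"] == 11:
        path = event["TargetFilename"].lower()
        name = path.rsplit("\\", 1)[-1]
        # e.g. shell32.dll.exe: an executable wearing a system DLL's name
        if path.startswith(SYSTEM_DIRS) and name.endswith(".exe") and name.count(".") >= 2:
            hits.append("double_extension_exe_in_system_dir")
    return hits


def scan(events):
    """[(rule, event)] for every rule fired by every event."""
    return [(rule, ev) for ev in events for rule in evaluate(ev)]


def rule_counts(events):
    counts = {}
    for rule, _ in scan(events):
        counts[rule] = counts.get(rule, 0) + 1
    return counts


if __name__ == "__main__":
    for rule, ev in scan(SAMPLE_EVENTS):
        print(f"{rule:40} {ev['Image']}")
```

Each rule fires on the value as well as the key, so a hardening script that sets HideFileExt to 0 or EnableLUA to 1 does not trip it, and the Run key rule is scoped to user-writable targets so vendor installers registering from Program Files stay quiet.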
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by reg.exe, cmd.exe, cscript.exe and 2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe (64 entries, all for the same key)
-
Modifies registry key 1 TTPs 64 IoCs
pid Process
reg.exe, 64 entries with PIDs 2268, 800, 416, 4904, 3000, 4520, 4660, 4420, 4404, 1940, 2388, 2140, 4660, 4680, 3164, 4056, 4596, 5092, 4512, 3788, 4300, 4504, 4420, 3572, 4352, 2324, 2028, 4512, 1592, 4896, 4420, 2320, 3912, 4820, 4048, 4388, 4188, 4604, 2336, 2484, 4016, 4828, 2920, 2824, 3712, 704, 1844, 996, 3672, 3972, 4108, 1832, 1840, 4864, 2576, 2408, 3792, 1572, 3220, 940, 404, 4676, 4028, 2828 (some PIDs appear more than once)
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process
2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe, 16 process instances with PIDs 4600, 2408, 336, 3696, 2004, 1916, 1472, 1656, 4012, 4220, 1476, 4140, 3740, 940, 1636, 2376 (each PID listed four times, 64 entries)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 4692 DqUwYEEs.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process
4692 DqUwYEEs.exe (the same entry repeated 64 times)
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
Format: [tree depth] PID, image path, command line; the bullets beneath an entry are the signatures matched for that process.

[depth 1] PID 4600  C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe"
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
[depth 2] PID 2584  C:\Users\Admin\bOwkwQMM\nAkIQcww.exe  cmdline: "C:\Users\Admin\bOwkwQMM\nAkIQcww.exe"
  - Executes dropped EXE
  - Adds Run key to start application
[depth 2] PID 4692  C:\ProgramData\HsUMsAcI\DqUwYEEs.exe  cmdline: "C:\ProgramData\HsUMsAcI\DqUwYEEs.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
[depth 2] PID 4520  C:\Windows\SysWOW64\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
  - Suspicious use of WriteProcessMemory
[depth 3] PID 2408  C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
[depth 4] PID 4180  C:\Windows\SysWOW64\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
  - Suspicious use of WriteProcessMemory
[depth 5] PID 336  C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
[depth 6] PID 4280  C:\Windows\SysWOW64\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
  - Suspicious use of WriteProcessMemory
[depth 7] PID 3696  C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
  - Suspicious behavior: EnumeratesProcesses
[depth 8] PID 4776  C:\Windows\SysWOW64\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
[depth 9] PID 2004  C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
  - Suspicious behavior: EnumeratesProcesses
[depth 10] PID 4664  C:\Windows\SysWOW64\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
[depth 11] PID 1916  C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
  - Suspicious behavior: EnumeratesProcesses
[depth 12] PID 3812  C:\Windows\SysWOW64\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
[depth 13] PID 1472  C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
  - Suspicious behavior: EnumeratesProcesses
[depth 14] PID 2900  C:\Windows\SysWOW64\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
[depth 15] PID 1656  C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
  - Suspicious behavior: EnumeratesProcesses
[depth 16] PID 3156  C:\Windows\SysWOW64\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
[depth 17] PID 4012  C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
  - Suspicious behavior: EnumeratesProcesses
[depth 18] PID 3460  C:\Windows\SysWOW64\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
[depth 19] PID 4220  C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
  - Suspicious behavior: EnumeratesProcesses
[depth 20] PID 1572  C:\Windows\SysWOW64\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
  - System Location Discovery: System Language Discovery
[depth 21] PID 1476  C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
  - Suspicious behavior: EnumeratesProcesses
[depth 22] PID 4496  C:\Windows\SysWOW64\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
[depth 23] PID 4140  C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
  - Suspicious behavior: EnumeratesProcesses
[depth 24] PID 2128  C:\Windows\SysWOW64\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
[depth 25] PID 4716  C:\Windows\System32\Conhost.exe  cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
[depth 25] PID 3740  C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
  - Suspicious behavior: EnumeratesProcesses
[depth 26] PID 2824  C:\Windows\SysWOW64\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
[depth 27] PID 940  C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
[depth 28] PID 4380  C:\Windows\SysWOW64\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
[depth 29] PID 1636  C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
[depth 30] PID 4336  C:\Windows\SysWOW64\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
  - System Location Discovery: System Language Discovery
[depth 31] PID 2376  C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
  - Suspicious behavior: EnumeratesProcesses
[depth 32] PID 2000  C:\Windows\SysWOW64\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
[depth 33] PID 4992  C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
[depth 34] PID 3984  C:\Windows\SysWOW64\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
[depth 35] PID 5072  C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
[depth 36] PID 3824  C:\Windows\SysWOW64\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
[depth 37] PID 3572  C:\Windows\System32\Conhost.exe  cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
[depth 37] PID 3920  C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
[depth 38] PID 996  C:\Windows\SysWOW64\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
[depth 39] PID 2264  C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
[depth 40] PID 3304  C:\Windows\SysWOW64\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
[depth 41] PID 1592  C:\Windows\System32\Conhost.exe  cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
[depth 41] PID 2876  C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
[depth 42] PID 2304  C:\Windows\SysWOW64\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
[depth 43] PID 3084  C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
[depth 44] PID 4776  C:\Windows\SysWOW64\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
[depth 45] PID 2140  C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
[depth 46] PID 4852  C:\Windows\SysWOW64\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
[depth 47] PID 1268  C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
  - System Location Discovery: System Language Discovery
[depth 48] PID 3444  C:\Windows\SysWOW64\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
[depth 49] PID 4992  C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
[depth 50] PID 3356  C:\Windows\SysWOW64\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
[depth 51] PID 940  C:\Windows\System32\Conhost.exe  cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
[depth 51] PID 4704  C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
[depth 52] PID 412  C:\Windows\SysWOW64\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
[depth 53] PID 1604  C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
[depth 54] PID 1840  C:\Windows\SysWOW64\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
[depth 55] PID 1696  C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
[depth 56] PID 4724  C:\Windows\SysWOW64\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
[depth 57] PID 3476  C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
[depth 58] PID 3444  C:\Windows\SysWOW64\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
[depth 59] PID 4388  C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
[depth 60] PID 4824  C:\Windows\SysWOW64\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
  - System Location Discovery: System Language Discovery
[depth 61] PID 324  C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
[depth 62] PID 4740  C:\Windows\SysWOW64\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
[depth 63] PID 2324  C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
  - System Location Discovery: System Language Discovery
[depth 64] PID 2224  C:\Windows\SysWOW64\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
[depth 65] PID 3740  C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
[depth 66] PID 3984  C:\Windows\SysWOW64\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
  - System Location Discovery: System Language Discovery
[depth 67] PID 4312  C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
[depth 68] PID 4520  C:\Windows\SysWOW64\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
[depth 69] PID 3408  C:\Windows\System32\Conhost.exe  cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
[depth 69] PID 3012  C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
[depth 70] PID 4048  C:\Windows\SysWOW64\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
[depth 71] PID 1840  C:\Windows\System32\Conhost.exe  cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
[depth 71] PID 868  C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
[depth 72] PID 2412  C:\Windows\SysWOW64\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
[depth 73] PID 4936  C:\Windows\System32\Conhost.exe  cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
[depth 73] PID 4444  C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
[depth 74] PID 4984  C:\Windows\SysWOW64\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
[depth 75] PID 3912  C:\Windows\System32\Conhost.exe  cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
[depth 75] PID 900  C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
[depth 76] PID 4456  C:\Windows\SysWOW64\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
[depth 77] PID 2376  C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
[depth 78] PID 2716  C:\Windows\SysWOW64\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
[depth 79] PID 4404  C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
[depth 80] PID 4788  C:\Windows\SysWOW64\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
[depth 81] PID 1384  C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
[depth 82] PID 4368  C:\Windows\SysWOW64\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
[depth 83] PID 2072  C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
[depth 84] PID 1988  C:\Windows\SysWOW64\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
  - System Location Discovery: System Language Discovery
[depth 85] PID 4776  C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
  - System Location Discovery: System Language Discovery
[depth 86] PID 1872  C:\Windows\SysWOW64\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
  - System Location Discovery: System Language Discovery
[depth 87] PID 4924  C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
[depth 88] PID 4232  C:\Windows\SysWOW64\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
[depth 89] PID 4596  C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
  - System Location Discovery: System Language Discovery
[depth 90] PID 4828  C:\Windows\SysWOW64\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
[depth 91] PID 3624  C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
[depth 92] PID 528  C:\Windows\SysWOW64\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
[depth 93] PID 32  C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
[depth 94] PID 2772  C:\Windows\SysWOW64\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
[depth 95] PID 5064  C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
[depth 96] PID 4020  C:\Windows\SysWOW64\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
[depth 97] PID 1708  C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
[depth 98] PID 4280  C:\Windows\SysWOW64\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
[depth 99] PID 3680  C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
[depth 100] PID 4896  C:\Windows\SysWOW64\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
[depth 101] PID 4484  C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
[depth 102] PID 3788  C:\Windows\SysWOW64\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
[depth 103] PID 3668  C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
[depth 104] PID 2612  C:\Windows\SysWOW64\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
[depth 105] PID 1092  C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
[depth 106] PID 4716  C:\Windows\SysWOW64\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
[depth 107] PID 4544  C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
[depth 108] PID 3980  C:\Windows\SysWOW64\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
[depth 109] PID 528  C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
[depth 110] PID 4516  C:\Windows\SysWOW64\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
[depth 111] PID 456  C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
[depth 112] PID 1256  C:\Windows\SysWOW64\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
[depth 113] PID 3408  C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
[depth 114] PID 4772  C:\Windows\SysWOW64\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
[depth 115] PID 2612  C:\Windows\System32\Conhost.exe  cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
[depth 115] PID 1268  C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
[depth 116] PID 2400  C:\Windows\SysWOW64\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
  - System Location Discovery: System Language Discovery
[depth 117] PID 3112  C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
[depth 118] PID 1952  C:\Windows\SysWOW64\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
[depth 119] PID 4544  C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
  - System Location Discovery: System Language Discovery
[depth 120] PID 908  C:\Windows\SysWOW64\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"
[depth 121] PID 1268  C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock
  - System Location Discovery: System Language Discovery
[depth 122] PID 3696  C:\Windows\SysWOW64\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-10-26_73ba8f50d4e3422da9577654ee551bbf_virlock"