Analysis
max time kernel: 150s
max time network: 127s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system
submitted: 04/11/2024, 02:42

Static task: static1
Behavioral task: behavioral1
  Sample: 2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: 2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe
  Resource: win10v2004-20241007-en

General
Target: 2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe
Size: 755KB
MD5: 150acf0d0a3911b605e06612e98b0ba7
SHA1: bfb64667232885973f5372b0ce48f228e9035d0e
SHA256: a5d67b8afb9232fb83bc663391f1156bcb674e7af3654e9f394e64517256ee1a
SHA512: 8f13331e9f8ea24847850c5e157dc46c264fee677d6d56db55143f6a661f10d287336e4b6ad215018ee27bba8e7ef8564d1509bd73ef34eaadda7b9eb88cc14c
SSDEEP: 12288:r4/f0wJ+CrUMY1PSlraXhjuLwLQTTCS7ZKAvOSUmbKJVR5EioLLIx1DIirxooV8r:rmswJ+CrUMY1PSlr+pLUySkwYVRiJLLf
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | reg.exe (this identical entry is listed 64 times)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe (this identical entry is repeated for every listed IoC)
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\International\Geo\Nation | fuokMwQA.exe
Deletes itself 1 IoCs
pid | Process
2532 | cmd.exe
Executes dropped EXE 2 IoCs
pid | Process
1748 | fuokMwQA.exe
2796 | oisAcQIo.exe
Loads dropped DLL 20 IoCs
pid | Process
1064 | 2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe (4 entries)
2796 | oisAcQIo.exe (16 entries)
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\oisAcQIo.exe = "C:\\ProgramData\\deQcUYkA\\oisAcQIo.exe" | 2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\fuokMwQA.exe = "C:\\Users\\Admin\\uQwwYssY\\fuokMwQA.exe" | fuokMwQA.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\oisAcQIo.exe = "C:\\ProgramData\\deQcUYkA\\oisAcQIo.exe" | oisAcQIo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\fuokMwQA.exe = "C:\\Users\\Admin\\uQwwYssY\\fuokMwQA.exe" | 2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe
Drops file in Windows directory 1 IoCs
description | ioc | Process
File opened for modification | \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico | oisAcQIo.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe (30 entries)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe (17 entries)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cscript.exe (6 entries)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe (11 entries)
Modifies registry key 1 TTPs 64 IoCs
pid | Process
reg.exe, PIDs in listed order: 2752, 2112, 2088, 2004, 1804, 2696, 2320, 2420, 2220, 108, 2116, 1848, 2784, 2916, 2884, 684, 908, 2620, 2232, 1468, 1372, 844, 552, 860, 1828, 2868, 1608, 2132, 2020, 1720, 2696, 2440, 2696, 548, 1372, 2716, 2904, 1512, 2104, 1072, 2108, 1692, 548, 2868, 1564, 2812, 332, 3048, 2984, 2872, 1664, 2876, 2952, 2876, 1184, 2148, 2352, 2924, 2348, 2988, 236, 2324, 1148, 2856
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe, each PID listed twice, in listed order: 1064, 2848, 2660, 812, 1636, 3028, 2012, 2600, 648, 588, 2044, 1504, 2324, 2684, 2628, 1712, 2136, 2560, 1276, 2064, 1796, 2332, 3020, 1472, 1764, 2044, 2816, 1980, 2132, 2008, 2692, 2568
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 1748 fuokMwQA.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process
1748 fuokMwQA.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes

Level 1 (PID 1064): C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

Level 2 (PID 1748): C:\Users\Admin\uQwwYssY\fuokMwQA.exe
  Command line: "C:\Users\Admin\uQwwYssY\fuokMwQA.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow

Level 2 (PID 2796): C:\ProgramData\deQcUYkA\oisAcQIo.exe
  Command line: "C:\ProgramData\deQcUYkA\oisAcQIo.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory

Level 2 (PID 2752): C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"
  - Suspicious use of WriteProcessMemory

Level 3 (PID 2848): C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

Level 4 (PID 1672): C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

Level 5 (PID 2660): C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

Level 6 (PID 2136): C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"

Level 7 (PID 812): C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock
  - Suspicious behavior: EnumeratesProcesses

Level 8 (PID 2140): C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"

Level 9 (PID 1636): C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock
  - Suspicious behavior: EnumeratesProcesses

Level 10 (PID 1472): C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"

Level 11 (PID 3028): C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock
  - Suspicious behavior: EnumeratesProcesses

Level 12 (PID 108): C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"

Level 13 (PID 2012): C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock
  - Suspicious behavior: EnumeratesProcesses

Level 14 (PID 2740): C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"

Level 15 (PID 2600): C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock
  - Suspicious behavior: EnumeratesProcesses

Level 16 (PID 1296): C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"

Level 17 (PID 648): C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock
  - Suspicious behavior: EnumeratesProcesses

Level 18 (PID 2948): C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"

Level 19 (PID 588): C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock
  - Suspicious behavior: EnumeratesProcesses

Level 20 (PID 904): C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"

Level 21 (PID 2044): C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock
  - Suspicious behavior: EnumeratesProcesses

Level 22 (PID 2040): C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"

Level 23 (PID 1504): C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock
  - Suspicious behavior: EnumeratesProcesses

Level 24 (PID 2516): C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"

Level 25 (PID 2324): C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock
  - Suspicious behavior: EnumeratesProcesses

Level 26 (PID 2884): C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"

Level 27 (PID 2684): C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses

Level 28 (PID 2988): C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"

Level 29 (PID 2628): C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock
  - Suspicious behavior: EnumeratesProcesses

Level 30 (PID 3036): C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"

Level 31 (PID 1712): C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses

Level 32 (PID 2472): C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"

Level 33 (PID 2136): C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock
  - Suspicious behavior: EnumeratesProcesses

Level 34 (PID 2596): C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"

Level 35 (PID 2560): C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock
  - Suspicious behavior: EnumeratesProcesses

Level 36 (PID 2836): C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"

Level 37 (PID 1276): C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock
  - Suspicious behavior: EnumeratesProcesses

Level 38 (PID 236): C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"

Level 39 (PID 2064): C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock
  - Suspicious behavior: EnumeratesProcesses

Level 40 (PID 1512): C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"

Level 41 (PID 1796): C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses

Level 42 (PID 1572): C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"

Level 43 (PID 2332): C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock
  - Suspicious behavior: EnumeratesProcesses

Level 44 (PID 2936): C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"

Level 45 (PID 3020): C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock
  - Suspicious behavior: EnumeratesProcesses

Level 46 (PID 2840): C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"

Level 47 (PID 1472): C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock
  - Suspicious behavior: EnumeratesProcesses

Level 48 (PID 1252): C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"
  - System Location Discovery: System Language Discovery

Level 49 (PID 1764): C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock
  - Suspicious behavior: EnumeratesProcesses

Level 50 (PID 1572): C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"

Level 51 (PID 2044): C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock
  - Suspicious behavior: EnumeratesProcesses

Level 52 (PID 1604): C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"

Level 53 (PID 2816): C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock
  - Suspicious behavior: EnumeratesProcesses

Level 54 (PID 2164): C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"

Level 55 (PID 1980): C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock
  - Suspicious behavior: EnumeratesProcesses

Level 56 (PID 2884): C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"

Level 57 (PID 2132): C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock
  - Suspicious behavior: EnumeratesProcesses

Level 58 (PID 2672): C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"

Level 59 (PID 2008): C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock
  - Suspicious behavior: EnumeratesProcesses

Level 60 (PID 2472): C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"

Level 61 (PID 2692): C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses

Level 62 (PID 780): C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"

Level 63 (PID 2568): C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock
  - Suspicious behavior: EnumeratesProcesses

Level 64 (PID 1776): C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"

Level 65 (PID 800): C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock

Level 66 (PID 2060): C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"

Level 67 (PID 2512): C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock
  - System Location Discovery: System Language Discovery

Level 68 (PID 2844): C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"

Level 69 (PID 2504): C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock

Level 70 (PID 2068): C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"

Level 71 (PID 2312): C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock

Level 72 (PID 2964): C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"
  - System Location Discovery: System Language Discovery

Level 73 (PID 776): C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock

Level 74 (PID 2512): C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"

Level 75 (PID 1588): C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock

Level 76 (PID 1968): C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"

Level 77 (PID 2568): C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock

Level 78 (PID 2460): C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"

Level 79 (PID 1964): C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock

Level 80 (PID 2784): C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"

Level 81 (PID 1584): C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock

Level 82 (PID 2876): C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"

Level 83 (PID 396): C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock
  - System Location Discovery: System Language Discovery

Level 84 (PID 2684): C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"

Level 85 (PID 620): C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock

Level 86 (PID 880): C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"

Level 87 (PID 1604): C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock
  - System Location Discovery: System Language Discovery

Level 88 (PID 1528): C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"

Level 89 (PID 1056): C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock
  - System Location Discovery: System Language Discovery

Level 90 (PID 1588): C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"

Level 91 (PID 2084): C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock

Level 92 (PID 1472): C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"

Level 93 (PID 1564): C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock

Level 94 (PID 1744): C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"

Level 95 (PID 2860): C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock

Level 96 (PID 2424): C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"
  - System Location Discovery: System Language Discovery

Level 97 (PID 2224): C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock

Level 98 (PID 800): C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"

Level 99 (PID 2940): C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock

Level 100 (PID 2292): C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"

Level 101 (PID 1616): C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock

Level 102 (PID 388): C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"

Level 103 (PID 828): C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock

Level 104 (PID 2312): C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"

Level 105 (PID 1996): C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock
  - System Location Discovery: System Language Discovery

Level 106 (PID 2832): C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"

Level 107 (PID 2336): C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock

Level 108 (PID 1920): C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"

Level 109 (PID 108): C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock
  - System Location Discovery: System Language Discovery

Level 110 (PID 1604): C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"
  - System Location Discovery: System Language Discovery

Level 111 (PID 2212): C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock

Level 112 (PID 2232): C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"

Level 113 (PID 1020): C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock

Level 114 (PID 2956): C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"

Level 115 (PID 2940): C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock

Level 116 (PID 1768): C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"

Level 117 (PID 2364): C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock

Level 118 (PID 2760): C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"

Level 119 (PID 2320): C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock

Level 120 (PID 944): C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"
  - System Location Discovery: System Language Discovery

Level 121 (PID 2788): C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock

Level 122 (PID 2980): C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_150acf0d0a3911b605e06612e98b0ba7_virlock"