Analysis

max time kernel: 150s
max time network: 144s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04/11/2024, 02:47
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
  Resource: win10v2004-20241007-en
General

Target: 2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
Size: 158KB
MD5: 0048ee167026646b746be0135974898b
SHA1: d3a15eb0a8bf39f9fc083e346f7005dd80a4ac97
SHA256: 3c17e906d9149bcf28712a3037e7dd455f7ac0fc159c2f61a2130303c80bb6f2
SHA512: ec52792cfb3f4580759430e62f907bfcf51d8aab77ac3850a26c727b195eaafe54ef530234243d6d93d8fa206532ccc83e137f772df5c14d152d334f371d9a2e
SSDEEP: 3072:2YCAK/eqEdWeVPKf3WFBeebIyhLWqwgCcIQUtXEDKpr9HRH:dyUI13WFBee5LWqwqIQFDK
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs
HideFileExt = 1 makes Explorer hide known extensions, so a dropped file such as shell32.dll.exe displays as shell32.dll. Note that 1 is the Windows default, so the value alone is weak evidence; the signal here is that reg.exe is forcing it repeatedly.
description       ioc                                                                                                                                      process
Set value (int)   \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"   reg.exe
(the same write appears 64 times in the report, every one by reg.exe; see "Modifies registry key" below for the PIDs)
[signature title not captured on this page] 64 IoCs
EnableLUA = 0 disables User Account Control machine-wide; the change takes effect at the next logon. Unlike HideFileExt, this value is never a Windows default, so it is a strong indicator on its own.
description       ioc                                                                                   process
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"   reg.exe
(the same write appears 64 times in the report, every one by reg.exe)
Renames multiple (85) files with added filename extension
This suggests ransomware activity: files across the system are being encrypted and renamed.
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely for geofencing.
description         ioc                                                                                              process
Key value queried   \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation   RGYAkccM.exe
Executes dropped EXE 2 IoCs
pid    process
2800   TWUogggA.exe
4084   RGYAkccM.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application 2 TTPs 4 IoCs
Each Run value is written twice: once by the parent sample and once by the dropped executable it points to. The per-user entry lives in the user's hive; the machine-wide entry is under WOW6432Node because the sample is 32-bit running on x64.
description       ioc                                                                                                                                                   process
Set value (str)   \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TWUogggA.exe = "C:\\Users\\Admin\\msoccsYw\\TWUogggA.exe"   TWUogggA.exe
Set value (str)   \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TWUogggA.exe = "C:\\Users\\Admin\\msoccsYw\\TWUogggA.exe"   2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RGYAkccM.exe = "C:\\ProgramData\\ykggUkQU\\RGYAkccM.exe"   2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RGYAkccM.exe = "C:\\ProgramData\\ykggUkQU\\RGYAkccM.exe"   RGYAkccM.exe
Drops file in System32 directory 2 IoCs
The legitimate library is shell32.dll; with extensions hidden (HideFileExt = 1 above) the dropped shell32.dll.exe displays as shell32.dll in Explorer.
description                    ioc                                    process
File created                   C:\Windows\SysWOW64\shell32.dll.exe    RGYAkccM.exe
File opened for modification   C:\Windows\SysWOW64\shell32.dll.exe    RGYAkccM.exe
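As an added host-triage example (not part of the sandbox report), the following PowerShell audits a Windows host for the indicators listed above: EnableLUA = 0, HideFileExt = 1 in every loaded user hive, Run values that point at an eight-letter randomly named folder directly under a user profile or ProgramData, and C:\Windows\SysWOW64\shell32.dll.exe. The eight-letter folder heuristic is an assumption generalised from the two names in this report (msoccsYw and ykggUkQU); the report itself does not state a naming rule. Run it from an elevated PowerShell so that all hives under HKEY_USERS are readable.

```powershell
# Added host-triage check for the indicators in this report. It only reports;
# because VirLock also infects existing executables and documents, a positive
# result means "isolate and reimage", not "delete the findings".

$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding {
    param([string]$Severity, [string]$Check, [string]$Detail)
    $findings.Add([pscustomobject]@{ Severity = $Severity; Check = $Check; Detail = $Detail })
}

# 1. UAC disabled. EnableLUA = 0 is never a Windows default, so it is a strong
#    indicator by itself (the change only takes effect at the next logon).
$sys = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -ErrorAction SilentlyContinue
if ($null -ne $sys -and $sys.EnableLUA -eq 0) {
    Add-Finding 'High' 'EnableLUA' 'UAC disabled (HKLM\...\Policies\System\EnableLUA = 0)'
}

# Loaded user hives (one per logged-on profile); skip the *_Classes sub-hives.
$userHives = Get-ChildItem -Path 'Registry::HKEY_USERS' |
    Where-Object { $_.PSChildName -match '^S-1-5-21-' -and $_.PSChildName -notlike '*_Classes' }

# 2. Extension hiding. HideFileExt = 1 is the Windows default, so it is only
#    corroborating evidence; the sample forces it so that dropped name.ext.exe
#    files display as name.ext.
foreach ($hive in $userHives) {
    $sid = $hive.PSChildName
    $adv = Get-ItemProperty -Path "Registry::HKEY_USERS\$sid\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" -ErrorAction SilentlyContinue
    if ($null -ne $adv -and $adv.HideFileExt -eq 1) {
        Add-Finding 'Low' 'HideFileExt' "$sid hides known extensions (default value; weak on its own)"
    }
}

# 3. Run-key persistence. Machine-wide (native and WOW6432Node) plus every
#    loaded user hive, mirroring the two locations the report shows.
$runKeys = @(
    'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
) + @($userHives | ForEach-Object { "Registry::HKEY_USERS\$($_.PSChildName)\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" })

# ASSUMPTION: <drive>:\Users\<user>\<8 letters>\<8 letters>.exe or
# <drive>:\ProgramData\<8 letters>\<8 letters>.exe, generalised from
# C:\Users\Admin\msoccsYw\TWUogggA.exe and C:\ProgramData\ykggUkQU\RGYAkccM.exe.
$dropPattern = '^"?[A-Z]:\\(?:Users\\[^\\]+|ProgramData)\\[A-Za-z]{8}\\[A-Za-z]{8}\.exe"?$'
$metaProps   = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $values = Get-ItemProperty -Path $key
    foreach ($prop in $values.PSObject.Properties) {
        if ($metaProps -contains $prop.Name) { continue }   # provider metadata, not Run values
        if ($prop.Value -is [string] -and $prop.Value -match $dropPattern) {
            Add-Finding 'High' 'RunKey' "$key\$($prop.Name) = $($prop.Value)"
        }
    }
}

# 4. Dropped decoy in SysWOW64. The real library is shell32.dll; there is no
#    legitimate shell32.dll.exe. Hash it so the copy can be compared with the
#    report; VirLock builds are polymorphic, so a different hash does not clear it.
$reportSha256 = '3c17e906d9149bcf28712a3037e7dd455f7ac0fc159c2f61a2130303c80bb6f2'
$decoy = Join-Path $env:SystemRoot 'SysWOW64\shell32.dll.exe'
if (Test-Path -LiteralPath $decoy) {
    $hash = (Get-FileHash -LiteralPath $decoy -Algorithm SHA256).Hash
    $match = if ($hash -eq $reportSha256) { 'identical to analysed sample' } else { 'differs from analysed sample' }
    Add-Finding 'High' 'DroppedFile' "$decoy exists (SHA256 $hash, $match)"
}

if ($findings.Count -eq 0) {
    'No indicators from this report found on this host.'
} else {
    $findings | Sort-Object Severity | Format-Table -AutoSize
}
```

The checks are ordered by how much weight each carries: EnableLUA = 0 and the Run values are decisive, the SysWOW64 decoy is decisive if present, and HideFileExt is reported at Low severity only so that it corroborates the others. For a fleet sweep, wrap the script in Invoke-Command and collect $findings from each host rather than relying on the formatted table.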
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host. Opening this key is also routine locale initialisation for ordinary Windows processes, and most of the 64 hits here come from the many reg.exe, cmd.exe and cscript.exe children, so this signature carries little weight on its own.
description   ioc                                                          process
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   reg.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   cmd.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   cscript.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   2024-11-04_0048ee167026646b746be0135974898b_virlock.exe
(64 opens of this key in total, by reg.exe, cmd.exe, cscript.exe and the sample itself)
Modifies registry key 1 TTPs 64 IoCs
pid   process
64 entries, all reg.exe (some PIDs appear more than once), in report order:
2536, 1172, 1456, 5004, 1132, 4704, 2680, 4932, 4212, 3304, 4888, 3524, 2076, 4056, 2344, 744,
4692, 2436, 1156, 4888, 3852, 2376, 2420, 4036, 4692, 180, 412, 456, 2964, 2664, 2152, 884,
4928, 2052, 4304, 1980, 4128, 4800, 3596, 1064, 900, 2100, 3104, 4388, 2152, 3104, 5100, 5068,
1532, 3140, 3304, 3684, 1908, 2352, 4800, 456, 3768, 2052, 1280, 1800, 3572, 4888, 1756, 2600
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid   process
16 distinct instances of 2024-11-04_0048ee167026646b746be0135974898b_virlock.exe, each listed 4 times:
1152, 2700, 236, 1456, 3376, 1796, 4916, 352, 4920, 3524, 3604, 3312, 2964, 2116, 4368, 756
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid    process
4084   RGYAkccM.exe
Suspicious use of FindShellTrayWindow 64 IoCs
pid    process
4084   RGYAkccM.exe   (64 events, all from this one process)
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 1152 wrote to memory of 2800 1152 2024-11-04_0048ee167026646b746be0135974898b_virlock.exe 84
PID 1152 wrote to memory of 2800 1152 2024-11-04_0048ee167026646b746be0135974898b_virlock.exe 84
PID 1152 wrote to memory of 2800 1152 2024-11-04_0048ee167026646b746be0135974898b_virlock.exe 84
PID 1152 wrote to memory of 4084 1152 2024-11-04_0048ee167026646b746be0135974898b_virlock.exe 85
PID 1152 wrote to memory of 4084 1152 2024-11-04_0048ee167026646b746be0135974898b_virlock.exe 85
PID 1152 wrote to memory of 4084 1152 2024-11-04_0048ee167026646b746be0135974898b_virlock.exe 85
PID 1152 wrote to memory of 1276 1152 2024-11-04_0048ee167026646b746be0135974898b_virlock.exe 86
PID 1152 wrote to memory of 1276 1152 2024-11-04_0048ee167026646b746be0135974898b_virlock.exe 86
PID 1152 wrote to memory of 1276 1152 2024-11-04_0048ee167026646b746be0135974898b_virlock.exe 86
PID 1152 wrote to memory of 3768 1152 2024-11-04_0048ee167026646b746be0135974898b_virlock.exe 88
PID 1152 wrote to memory of 3768 1152 2024-11-04_0048ee167026646b746be0135974898b_virlock.exe 88
PID 1152 wrote to memory of 3768 1152 2024-11-04_0048ee167026646b746be0135974898b_virlock.exe 88
PID 1152 wrote to memory of 1216 1152 2024-11-04_0048ee167026646b746be0135974898b_virlock.exe 89
PID 1152 wrote to memory of 1216 1152 2024-11-04_0048ee167026646b746be0135974898b_virlock.exe 89
PID 1152 wrote to memory of 1216 1152 2024-11-04_0048ee167026646b746be0135974898b_virlock.exe 89
PID 1152 wrote to memory of 1776 1152 2024-11-04_0048ee167026646b746be0135974898b_virlock.exe 90
PID 1152 wrote to memory of 1776 1152 2024-11-04_0048ee167026646b746be0135974898b_virlock.exe 90
PID 1152 wrote to memory of 1776 1152 2024-11-04_0048ee167026646b746be0135974898b_virlock.exe 90
PID 1152 wrote to memory of 4356 1152 2024-11-04_0048ee167026646b746be0135974898b_virlock.exe 92
PID 1152 wrote to memory of 4356 1152 2024-11-04_0048ee167026646b746be0135974898b_virlock.exe 92
PID 1152 wrote to memory of 4356 1152 2024-11-04_0048ee167026646b746be0135974898b_virlock.exe 92
PID 1276 wrote to memory of 2700 1276 cmd.exe 96
PID 1276 wrote to memory of 2700 1276 cmd.exe 96
PID 1276 wrote to memory of 2700 1276 cmd.exe 96
PID 2700 wrote to memory of 2284 2700 2024-11-04_0048ee167026646b746be0135974898b_virlock.exe 97
PID 2700 wrote to memory of 2284 2700 2024-11-04_0048ee167026646b746be0135974898b_virlock.exe 97
PID 2700 wrote to memory of 2284 2700 2024-11-04_0048ee167026646b746be0135974898b_virlock.exe 97
PID 4356 wrote to memory of 4772 4356 cmd.exe 99
PID 4356 wrote to memory of 4772 4356 cmd.exe 99
PID 4356 wrote to memory of 4772 4356 cmd.exe 99
PID 2284 wrote to memory of 236 2284 cmd.exe 100
PID 2284 wrote to memory of 236 2284 cmd.exe 100
PID 2284 wrote to memory of 236 2284 cmd.exe 100
PID 2700 wrote to memory of 216 2700 2024-11-04_0048ee167026646b746be0135974898b_virlock.exe 101
PID 2700 wrote to memory of 216 2700 2024-11-04_0048ee167026646b746be0135974898b_virlock.exe 101
PID 2700 wrote to memory of 216 2700 2024-11-04_0048ee167026646b746be0135974898b_virlock.exe 101
PID 2700 wrote to memory of 1896 2700 2024-11-04_0048ee167026646b746be0135974898b_virlock.exe 102
PID 2700 wrote to memory of 1896 2700 2024-11-04_0048ee167026646b746be0135974898b_virlock.exe 102
PID 2700 wrote to memory of 1896 2700 2024-11-04_0048ee167026646b746be0135974898b_virlock.exe 102
PID 2700 wrote to memory of 4024 2700 2024-11-04_0048ee167026646b746be0135974898b_virlock.exe 103
PID 2700 wrote to memory of 4024 2700 2024-11-04_0048ee167026646b746be0135974898b_virlock.exe 103
PID 2700 wrote to memory of 4024 2700 2024-11-04_0048ee167026646b746be0135974898b_virlock.exe 103
PID 2700 wrote to memory of 744 2700 2024-11-04_0048ee167026646b746be0135974898b_virlock.exe 104
PID 2700 wrote to memory of 744 2700 2024-11-04_0048ee167026646b746be0135974898b_virlock.exe 104
PID 2700 wrote to memory of 744 2700 2024-11-04_0048ee167026646b746be0135974898b_virlock.exe 104
PID 744 wrote to memory of 532 744 cmd.exe 109
PID 744 wrote to memory of 532 744 cmd.exe 109
PID 744 wrote to memory of 532 744 cmd.exe 109
PID 236 wrote to memory of 3956 236 2024-11-04_0048ee167026646b746be0135974898b_virlock.exe 184
PID 236 wrote to memory of 3956 236 2024-11-04_0048ee167026646b746be0135974898b_virlock.exe 184
PID 236 wrote to memory of 3956 236 2024-11-04_0048ee167026646b746be0135974898b_virlock.exe 184
PID 236 wrote to memory of 1020 236 2024-11-04_0048ee167026646b746be0135974898b_virlock.exe 112
PID 236 wrote to memory of 1020 236 2024-11-04_0048ee167026646b746be0135974898b_virlock.exe 112
PID 236 wrote to memory of 1020 236 2024-11-04_0048ee167026646b746be0135974898b_virlock.exe 112
PID 236 wrote to memory of 2664 236 2024-11-04_0048ee167026646b746be0135974898b_virlock.exe 177
PID 236 wrote to memory of 2664 236 2024-11-04_0048ee167026646b746be0135974898b_virlock.exe 177
PID 236 wrote to memory of 2664 236 2024-11-04_0048ee167026646b746be0135974898b_virlock.exe 177
PID 236 wrote to memory of 3304 236 2024-11-04_0048ee167026646b746be0135974898b_virlock.exe 175
PID 236 wrote to memory of 3304 236 2024-11-04_0048ee167026646b746be0135974898b_virlock.exe 175
PID 236 wrote to memory of 3304 236 2024-11-04_0048ee167026646b746be0135974898b_virlock.exe 175
PID 236 wrote to memory of 3088 236 2024-11-04_0048ee167026646b746be0135974898b_virlock.exe 116
PID 236 wrote to memory of 3088 236 2024-11-04_0048ee167026646b746be0135974898b_virlock.exe 116
PID 236 wrote to memory of 3088 236 2024-11-04_0048ee167026646b746be0135974898b_virlock.exe 116
PID 3956 wrote to memory of 1456 3956 cmd.exe 121
Processes
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe"C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exe"1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1152 -
C:\Users\Admin\msoccsYw\TWUogggA.exe"C:\Users\Admin\msoccsYw\TWUogggA.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2800
C:\ProgramData\ykggUkQU\RGYAkccM.exe"C:\ProgramData\ykggUkQU\RGYAkccM.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:4084
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"2⤵
- Suspicious use of WriteProcessMemory
PID:1276 -
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2700 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"4⤵
- Suspicious use of WriteProcessMemory
PID:2284 -
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:236 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"6⤵
- Suspicious use of WriteProcessMemory
PID:3956 -
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock7⤵
- Suspicious behavior: EnumeratesProcesses
PID:1456 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"8⤵PID:4424
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock9⤵
- Suspicious behavior: EnumeratesProcesses
PID:3376 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"10⤵PID:1520
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock11⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1796 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"12⤵PID:4128
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock13⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4916 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"14⤵PID:3280
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock15⤵
- Suspicious behavior: EnumeratesProcesses
PID:352 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"16⤵PID:4356
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock17⤵
- Suspicious behavior: EnumeratesProcesses
PID:4920 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"18⤵
- System Location Discovery: System Language Discovery
PID:3956 -
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock19⤵
- Suspicious behavior: EnumeratesProcesses
PID:3524 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"20⤵PID:1304
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock21⤵
- Suspicious behavior: EnumeratesProcesses
PID:3604 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"22⤵PID:4952
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock23⤵
- Suspicious behavior: EnumeratesProcesses
PID:3312 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"24⤵PID:4448
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock25⤵
- Suspicious behavior: EnumeratesProcesses
PID:2964 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"26⤵PID:2924
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock27⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2116 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"28⤵PID:3212
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock29⤵
- Suspicious behavior: EnumeratesProcesses
PID:4368 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"30⤵PID:1152
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock31⤵
- Suspicious behavior: EnumeratesProcesses
PID:756 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"32⤵PID:3024
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock33⤵PID:2960
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"34⤵
- System Location Discovery: System Language Discovery
PID:4692 -
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock35⤵PID:3872
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"36⤵
- System Location Discovery: System Language Discovery
PID:2144 -
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock37⤵PID:2632
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"38⤵PID:3604
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock39⤵PID:1796
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"40⤵PID:1840
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock41⤵PID:3516
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"42⤵
- System Location Discovery: System Language Discovery
PID:3024 -
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock43⤵PID:2768
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"44⤵PID:4696
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock45⤵PID:3092
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"46⤵PID:4760
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock47⤵PID:1640
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"48⤵PID:4584
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock49⤵PID:4952
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"50⤵PID:1908
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock51⤵PID:3816
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"52⤵PID:1556
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV153⤵PID:5084
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock53⤵PID:1800
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"54⤵PID:4960
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock55⤵PID:4692
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"56⤵PID:2144
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock57⤵PID:3204
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"58⤵PID:2948
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock59⤵PID:4448
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"60⤵PID:4924
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock61⤵PID:2796
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"62⤵PID:3868
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock63⤵PID:4332
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"64⤵PID:4968
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock65⤵PID:3620
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"66⤵PID:4556
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV167⤵PID:3664
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock67⤵PID:1456
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"68⤵PID:3020
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock69⤵PID:4564
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"70⤵PID:476
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock71⤵PID:3256
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"72⤵
- System Location Discovery: System Language Discovery
PID:3868 -
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock73⤵PID:3204
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"74⤵PID:2244
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock75⤵PID:4912
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"76⤵PID:4388
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock77⤵PID:1512
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"78⤵PID:5072
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV179⤵PID:2052
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock79⤵PID:1728
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"80⤵PID:3684
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock81⤵PID:2084
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"82⤵PID:3872
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock83⤵PID:2304
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"84⤵PID:4868
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock85⤵PID:4956
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"86⤵PID:4508
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock87⤵
- System Location Discovery: System Language Discovery
PID:2884 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"88⤵PID:2928
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock89⤵PID:2084
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"90⤵
- System Location Discovery: System Language Discovery
PID:4428 -
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock91⤵PID:2304
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"92⤵PID:3088
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock93⤵PID:3572
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"94⤵PID:4800
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock95⤵PID:4544
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"96⤵PID:3196
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock97⤵PID:1636
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"98⤵PID:1048
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock99⤵PID:236
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"100⤵PID:1292
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1101⤵PID:4212
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock101⤵
- System Location Discovery: System Language Discovery
PID:4892 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"102⤵PID:5064
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock103⤵PID:4428
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"104⤵PID:1556
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock105⤵PID:2076
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"106⤵PID:3580
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1107⤵PID:980
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock107⤵PID:3996
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"108⤵PID:2392
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock109⤵PID:2136
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"110⤵PID:4424
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock111⤵
- System Location Discovery: System Language Discovery
PID:2380 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"112⤵PID:2256
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock113⤵PID:4564
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"114⤵
- System Location Discovery: System Language Discovery
PID:4224 -
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock115⤵PID:3928
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"116⤵PID:3652
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock117⤵PID:4540
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"118⤵PID:3000
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock119⤵PID:2656
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"120⤵
- System Location Discovery: System Language Discovery
PID:2044 -
C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock121⤵PID:876
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-04_0048ee167026646b746be0135974898b_virlock"122⤵
- System Location Discovery: System Language Discovery
PID:4204