Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14-11-2024 17:22
Static task: static1
Behavioral task: behavioral1
Sample: 2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe
Resource: win7-20240729-en
Behavioral task: behavioral2
Sample: 2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe
Resource: win10v2004-20241007-en
General
Target: 2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe
Size: 373KB
MD5: 1d9405d141447fab969a9e235496a0c1
SHA1: da31ee67c74e60f6bc0214fdfdd33514f64910e4
SHA256: 1b5a8e869b055d982bd716b578823324045e387f6fc1dd08bfa3af41d521810f
SHA512: d5f75a492a20ec8eef14b290417af91f423aec3135d6622c3ff1cad2f1e0f84823df5342766981b8096bc52154eaf1ec08ff3c3254887f1126cfcaa301ad1f3c
SSDEEP: 6144:NLn+1TNnHRnF6qnaGv1DLO0ju+4/isew5pkgUb0chOywMPODRXpcRQ3qn7NzBJr4:NLn+1NHRnF6S/x6pnkP0HMPfaaB7tuYI
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs
Renames multiple (86) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: fAgUoQQY.exe
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | fAgUoQQY.exe
Executes dropped EXE 2 IoCs
Processes: FmUYQswY.exe, fAgUoQQY.exe
pid | Process
628 | FmUYQswY.exe
4212 | fAgUoQQY.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application 2 TTPs 4 IoCs
Processes: 2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe, FmUYQswY.exe, fAgUoQQY.exe
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FmUYQswY.exe = "C:\\Users\\Admin\\DsgkwwMQ\\FmUYQswY.exe" | 2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\fAgUoQQY.exe = "C:\\ProgramData\\KCMwcMsU\\fAgUoQQY.exe" | 2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FmUYQswY.exe = "C:\\Users\\Admin\\DsgkwwMQ\\FmUYQswY.exe" | FmUYQswY.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\fAgUoQQY.exe = "C:\\ProgramData\\KCMwcMsU\\fAgUoQQY.exe" | fAgUoQQY.exe
Drops file in System32 directory 1 IoCs
Processes: fAgUoQQY.exe
description | ioc | Process
File created | C:\Windows\SysWOW64\shell32.dll.exe | fAgUoQQY.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
Modifies registry key 1 TTPs 64 IoCs
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid Process
4212 fAgUoQQY.exe
-
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
pid Process
4212 fAgUoQQY.exe (64 events)
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description pid Process procid_target
PID 1652 wrote to memory of 628   1652 2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe 85   (3 events)
PID 1652 wrote to memory of 4212   1652 2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe 87   (3 events)
PID 1652 wrote to memory of 3668   1652 2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe 88   (3 events)
PID 1652 wrote to memory of 660   1652 2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe 90   (3 events)
PID 1652 wrote to memory of 2708   1652 2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe 91   (3 events)
PID 1652 wrote to memory of 1108   1652 2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe 92   (3 events)
PID 1652 wrote to memory of 3056   1652 2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe 93   (3 events)
PID 3668 wrote to memory of 1676   3668 cmd.exe 97   (3 events)
PID 3056 wrote to memory of 5032   3056 cmd.exe 99   (3 events)
PID 1676 wrote to memory of 1964   1676 2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe 100   (3 events)
PID 1964 wrote to memory of 4804   1964 cmd.exe 102   (3 events)
PID 1676 wrote to memory of 2500   1676 2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe 103   (3 events)
PID 1676 wrote to memory of 3464   1676 2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe 104   (3 events)
PID 1676 wrote to memory of 4788   1676 2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe 105   (3 events)
PID 1676 wrote to memory of 420   1676 2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe 106   (3 events)
PID 420 wrote to memory of 4728   420 cmd.exe 111   (3 events)
PID 4804 wrote to memory of 4476   4804 2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe 112   (3 events)
PID 4804 wrote to memory of 4484   4804 2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe 114   (3 events)
PID 4804 wrote to memory of 1644   4804 2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe 115   (3 events)
PID 4804 wrote to memory of 3692   4804 2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe 116   (3 events)
PID 4804 wrote to memory of 740   4804 2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe 117   (3 events)
PID 4476 wrote to memory of 3396   4476 cmd.exe 118   (1 event shown; the list stops at 64 IoCs)
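The WriteProcessMemory list above records one parent-to-child relation per line, which is enough to rebuild the spawn chain without the rendered tree. As an added example that is not part of the sandbox report, the Python below parses a handful of those lines (copied from the list, with one of the sandbox's duplicate entries kept on purpose), inverts them into a parent-to-children map, walks the ancestry of a given PID and counts how many times the sample has re-entered itself through cmd.exe. The token layout it assumes is the one shown on this page; the function names and the sample-image constant are the editor's own.

```python
"""Rebuild parent/child process relations from sandbox WriteProcessMemory IoCs.

Added example, not part of the sandbox report: the IoC lines are copied from
the report's "Suspicious use of WriteProcessMemory" list; the parser and the
chain analysis are the editor's own and assume the token layout used on this
page: "PID <parent> wrote to memory of <child> <parent> <image> <target>".
"""
import re
from collections import defaultdict

# Constructed sample: a subset of the page's 64 IoC lines.  The sandbox logs
# each spawn-related write three times; one duplicate is kept to show that
# the parser collapses it.
SAMPLE_IOCS = """\
PID 1652 wrote to memory of 628 1652 2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe 85
PID 1652 wrote to memory of 4212 1652 2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe 87
PID 1652 wrote to memory of 3668 1652 2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe 88
PID 3668 wrote to memory of 1676 3668 cmd.exe 97
PID 3668 wrote to memory of 1676 3668 cmd.exe 97
PID 1676 wrote to memory of 1964 1676 2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe 100
PID 1964 wrote to memory of 4804 1964 cmd.exe 102
PID 4804 wrote to memory of 4476 4804 2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe 112
PID 4476 wrote to memory of 3396 4476 cmd.exe 118
"""

# Image name of the submitted sample as it appears in the IoC lines.
SAMPLE_IMAGE = "2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe"

# The parent PID appears twice on every line; the backreference enforces that.
IOC_RE = re.compile(
    r"PID (?P<parent>\d+) wrote to memory of (?P<child>\d+) "
    r"(?P=parent) (?P<image>\S+) (?P<target>\d+)$"
)


def parse_iocs(text):
    """Map child PID -> (parent PID, parent image); duplicate lines collapse."""
    edges = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = IOC_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised IoC line: {line!r}")
        edges[int(m["child"])] = (int(m["parent"]), m["image"])
    return edges


def children(edges):
    """Invert the map: parent PID -> sorted child PIDs."""
    out = defaultdict(list)
    for child, (parent, _) in edges.items():
        out[parent].append(child)
    return {p: sorted(c) for p, c in out.items()}


def ancestry(edges, pid):
    """Parents of pid, root first, as (pid, image); stops at the root or on a cycle."""
    chain, seen = [], set()
    while pid in edges and pid not in seen:
        seen.add(pid)
        parent, image = edges[pid]
        chain.append((parent, image))
        pid = parent
    chain.reverse()
    return chain


def self_relaunch_hops(edges, pid, sample_image=SAMPLE_IMAGE, launcher="cmd.exe"):
    """Count sample -> launcher transitions on the path from the root to pid.

    The page's process tree shows this pattern (sample, cmd.exe /c <sample>,
    sample, ...) repeating to depth 122; a non-zero count on a fresh host is a
    cheap triage flag for a self-relaunching binary.
    """
    images = [img for _, img in ancestry(edges, pid)]
    return sum(1 for a, b in zip(images, images[1:]) if a == sample_image and b == launcher)


if __name__ == "__main__":
    e = parse_iocs(SAMPLE_IOCS)
    for parent, kids in sorted(children(e).items()):
        print(f"{parent} -> {kids}")
    print("ancestry of 3396:", [p for p, _ in ancestry(e, 3396)])
    print("self-relaunch hops to 3396:", self_relaunch_hops(e, 3396))
```

The IoC line names only the parent's image, so a child's own image (for example the dropped FmUYQswY.exe behind PID 628) has to come from the process tree; the cycle guard in ancestry matters on long runs like this one, where the sandbox reuses PIDs (3316 and 4516 both appear twice in the tree).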
Processes
-
1⤵ PID:1652  C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe  "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe"
   - Adds Run key to start application
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
2⤵ PID:628  C:\Users\Admin\DsgkwwMQ\FmUYQswY.exe  "C:\Users\Admin\DsgkwwMQ\FmUYQswY.exe"
   - Executes dropped EXE
   - Adds Run key to start application
2⤵ PID:4212  C:\ProgramData\KCMwcMsU\fAgUoQQY.exe  "C:\ProgramData\KCMwcMsU\fAgUoQQY.exe"
   - Checks computer location settings
   - Executes dropped EXE
   - Adds Run key to start application
   - Drops file in System32 directory
   - Suspicious behavior: GetForegroundWindowSpam
   - Suspicious use of FindShellTrayWindow
2⤵ PID:3668  C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"
   - Suspicious use of WriteProcessMemory
3⤵ PID:1676  C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe  C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
4⤵ PID:1964  C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"
   - Suspicious use of WriteProcessMemory
5⤵ PID:4804  C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe  C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
6⤵ PID:4476  C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"
   - Suspicious use of WriteProcessMemory
7⤵ PID:3396  C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe  C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock
   - Suspicious behavior: EnumeratesProcesses
8⤵ PID:3620  C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"
9⤵ PID:4516  C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe  C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock
   - Suspicious behavior: EnumeratesProcesses
10⤵ PID:3248  C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"
11⤵ PID:1532  C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe  C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock
   - Suspicious behavior: EnumeratesProcesses
12⤵ PID:4364  C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"
13⤵ PID:452  C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe  C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock
   - Suspicious behavior: EnumeratesProcesses
14⤵ PID:4732  C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"
15⤵ PID:1468  C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe  C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock
   - Suspicious behavior: EnumeratesProcesses
16⤵ PID:1456  C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"
   - System Location Discovery: System Language Discovery
17⤵ PID:3952  C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe  C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock
   - Suspicious behavior: EnumeratesProcesses
18⤵ PID:3316  C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"
19⤵ PID:2868  C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe  C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock
   - Suspicious behavior: EnumeratesProcesses
20⤵ PID:392  C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"
21⤵ PID:3108  C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe  C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock
   - Suspicious behavior: EnumeratesProcesses
22⤵ PID:1072  C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"
23⤵ PID:1260  C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe  C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
24⤵ PID:3532  C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"
25⤵ PID:2652  C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe  C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock
   - Suspicious behavior: EnumeratesProcesses
26⤵ PID:1796  C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"
27⤵ PID:1752  C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe  C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock
   - Suspicious behavior: EnumeratesProcesses
28⤵ PID:4488  C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"
29⤵ PID:220  C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe  C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock
   - Suspicious behavior: EnumeratesProcesses
30⤵ PID:3316  C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"
31⤵ PID:2360  C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe  C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock
   - Suspicious behavior: EnumeratesProcesses
32⤵ PID:4380  C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"
33⤵ PID:2548  C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe  C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock
34⤵ PID:4772  C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"
35⤵ PID:3476  C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe  C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock
36⤵ PID:2612  C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"
   - System Location Discovery: System Language Discovery
37⤵ PID:2872  C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe  C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock
38⤵ PID:1944  C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"
39⤵ PID:4640  C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe  C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock
40⤵ PID:4956  C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"
41⤵ PID:4516  C:\Windows\System32\Conhost.exe  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
41⤵ PID:2136  C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe  C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock
42⤵ PID:2704  C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"
43⤵ PID:4664  C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe  C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock
44⤵ PID:3160  C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"
45⤵ PID:3144  C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe  C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock
46⤵ PID:1476  C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"
47⤵ PID:4644  C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe  C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock
48⤵ PID:4184  C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"
49⤵ PID:1456  C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe  C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock
50⤵ PID:1056  C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"
51⤵ PID:2232  C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe  C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock
52⤵ PID:3404  C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"
53⤵ PID:2524  C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe  C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock
54⤵ PID:808  C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"
55⤵ PID:1016  C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe  C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock
56⤵ PID:2612  C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"
57⤵ PID:2280  C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe  C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock
58⤵ PID:4752  C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"
   - System Location Discovery: System Language Discovery
59⤵ PID:5076  C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe  C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock
60⤵ PID:4476  C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"
61⤵ PID:5004  C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe  C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock
62⤵ PID:4496  C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"
   - System Location Discovery: System Language Discovery
63⤵ PID:1644  C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe  C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock
64⤵ PID:4960  C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"
   - System Location Discovery: System Language Discovery
65⤵ PID:1464  C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe  C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock
66⤵ PID:1432  C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"
   - System Location Discovery: System Language Discovery
67⤵ PID:2640  C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe  C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock
68⤵ PID:4780  C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"
69⤵ PID:2492  C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe  C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock
70⤵ PID:4772  C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"
71⤵ PID:4404  C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe  C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock
72⤵ PID:1404  C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"
73⤵ PID:1644  C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe  C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock
74⤵ PID:1468  C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"
75⤵ PID:1476  C:\Windows\System32\Conhost.exe  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
75⤵ PID:3136  C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe  C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock
76⤵ PID:1264  C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"
77⤵ PID:4220  C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe  C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock
78⤵ PID:2360  C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"
79⤵ PID:4728  C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe  C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock
   - System Location Discovery: System Language Discovery
80⤵ PID:3144  C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"
81⤵ PID:3356  C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe  C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock
82⤵ PID:3524  C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"
83⤵ PID:2684  C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe  C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock
84⤵ PID:4864  C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"
85⤵ PID:2548  C:\Windows\System32\Conhost.exe  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
85⤵ PID:1108  C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe  C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock
86⤵ PID:1536  C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"
87⤵ PID:720  C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe  C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock
88⤵ PID:4596  C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"
   - System Location Discovery: System Language Discovery
89⤵ PID:2268  C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe  C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock
90⤵ PID:1960  C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"
91⤵ PID:4088  C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe  C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock
92⤵ PID:468  C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"
   - System Location Discovery: System Language Discovery
93⤵ PID:1476  C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe  C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock
94⤵ PID:4752  C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"
95⤵ PID:4344  C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe  C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock
96⤵ PID:3308  C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"
97⤵ PID:412  C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe  C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock
98⤵ PID:4940  C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"
   - System Location Discovery: System Language Discovery
99⤵ PID:1072  C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe  C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock
   - System Location Discovery: System Language Discovery
100⤵ PID:4588  C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"
101⤵ PID:4340  C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe  C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock
102⤵ PID:436  C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"
103⤵ PID:1952  C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe  C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock
104⤵ PID:808  C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"
105⤵ PID:4496  C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe  C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock
106⤵ PID:472  C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"
107⤵ PID:3144  C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe  C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock
108⤵ PID:1684  C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"
109⤵ PID:3620  C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe  C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock
110⤵ PID:1072  C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"
111⤵ PID:2040  C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe  C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock
112⤵ PID:4320  C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"
113⤵ PID:720  C:\Windows\System32\Conhost.exe  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
113⤵ PID:2268  C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe  C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock
114⤵ PID:1572  C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"
115⤵ PID:3620  C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe  C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock
116⤵ PID:2204  C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"
117⤵ PID:3652  C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe  C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock
   - System Location Discovery: System Language Discovery
118⤵ PID:3572  C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"
119⤵ PID:3848  C:\Windows\System32\Conhost.exe  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
119⤵ PID:4228  C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe  C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock
   - System Location Discovery: System Language Discovery
120⤵ PID:740  C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"
121⤵ PID:516  C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock.exe  C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock
122⤵ PID:660  C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-11-14_1d9405d141447fab969a9e235496a0c1_virlock"