Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20231222-en -
resource tags
-
submitted
25-01-2024 17:38
General
-
Target
2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe
-
Size
325KB
-
MD5
d6d60e591fc168d89850fd7f7b0faf81
-
SHA1
9caff4b2b4e7ee106e853cd791f16d0f1512a459
-
SHA256
8958c5ef0084947311bce1141434b5f3159faf3a60631845d86428f0c7aa1673
-
SHA512
b7108377933bf557f76eb1a7918d715b03202e1e73ec63945579de1ce31d2fcb5de72cd14f28a4c1b914d69587bb911bdefaba7c445bb2fcb3dc24a81c67303e
-
SSDEEP
6144:UIQqX0WRFU4uZyY2XKGUun8uTeXZLEHXcpDu6cL4XcjZ9IKZd:UsX0WRuZyfZn8tXZLiUDm4kLZZd
Score
10/10
Malware Config
Signatures
-
Kinsing
Kinsing is a loader written in Golang.
-
Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs
-
UAC bypass 3 TTPs 64 IoCs
-
Renames multiple (81) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Checks whether UAC is enabled 1 TTPs 34 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry key 1 TTPs 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 34 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe"C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe"1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\FkQAUwEE\GIocUcss.exe"C:\Users\Admin\FkQAUwEE\GIocUcss.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
-
-
C:\ProgramData\WMcoIUoE\LgMUEkoE.exe"C:\ProgramData\WMcoIUoE\LgMUEkoE.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"6⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock7⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"8⤵
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock9⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"10⤵
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock11⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"12⤵
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock13⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"14⤵
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock15⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"16⤵
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock17⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"18⤵
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock19⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"20⤵
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock21⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"22⤵
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock23⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"24⤵
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock25⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"26⤵
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock27⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"28⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV129⤵
-
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock29⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"30⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock31⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"32⤵
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock33⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"34⤵
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock35⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"36⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\owAYgEEk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""36⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs37⤵
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f36⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 236⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 136⤵
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 134⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CWkMkYUY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""34⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f34⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 234⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eCgYQggw.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""32⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs33⤵
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f32⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 232⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 132⤵
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 130⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eIMMoMUs.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""30⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs31⤵
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f30⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 230⤵
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 128⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hQwssAgc.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""28⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs29⤵
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f28⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 228⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pAYgYAIA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""26⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f26⤵
- Modifies registry key
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 226⤵
- Modifies registry key
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 126⤵
- Suspicious behavior: EnumeratesProcesses
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xSsIIsoA.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""24⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f24⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 224⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 124⤵
- Suspicious behavior: EnumeratesProcesses
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TOcwoMgE.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""22⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs23⤵
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f22⤵
- UAC bypass
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 222⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 122⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mkMIIwEM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""20⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs21⤵
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f20⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 220⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 120⤵
- Modifies visibility of file extensions in Explorer
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 118⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 218⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f18⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV119⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EWMsoUEo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""18⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs19⤵
-
-
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV118⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aOUkIwAk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""16⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs17⤵
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f16⤵
- UAC bypass
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 216⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 116⤵
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 114⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 214⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f14⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GswckIUM.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""14⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs15⤵
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fgEEoQYk.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""12⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs13⤵
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f12⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 212⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 112⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV113⤵
-
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 110⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 210⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f10⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pokcsQcY.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""10⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs11⤵
-
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 18⤵
- Modifies registry key
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 28⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f8⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XGMMcskg.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""8⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs9⤵
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gSMkkYso.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""6⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs7⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs8⤵
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f6⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 26⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 16⤵
- Modifies visibility of file extensions in Explorer
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gQkUoAMo.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs5⤵
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f4⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 24⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 14⤵
- Modifies registry key
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sYUsggQU.bat" "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exe""2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs3⤵
-
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f2⤵
- UAC bypass
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 22⤵
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 12⤵
-
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵
-
C:\Windows\SysWOW64\cscript.execscript C:\Users\Admin\AppData\Local\Temp/file.vbs1⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"2⤵
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"4⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"6⤵
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock7⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"8⤵
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock9⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"10⤵
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock11⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"12⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock13⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"14⤵
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock15⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"16⤵
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock17⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"18⤵
- Checks whether UAC is enabled
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock19⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"20⤵
- Modifies visibility of file extensions in Explorer
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock21⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"22⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV123⤵
-
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock23⤵
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"24⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV125⤵
-
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock25⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"26⤵
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock27⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"28⤵
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock29⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"30⤵
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock31⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"32⤵
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock33⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"34⤵
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock35⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"36⤵
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock37⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"38⤵
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock39⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"40⤵
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock41⤵
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"42⤵
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock43⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"44⤵
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock45⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"46⤵
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock47⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"48⤵
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock49⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"50⤵
- Modifies visibility of file extensions in Explorer
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock51⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"52⤵
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock53⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"54⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV155⤵
-
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock55⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"56⤵
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock57⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"58⤵
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock59⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"60⤵
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock61⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"62⤵
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock63⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"64⤵
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock65⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"66⤵
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock67⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"68⤵
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock69⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"70⤵
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock71⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"72⤵
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock73⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"74⤵
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock75⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"76⤵
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock77⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"78⤵
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock79⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"80⤵
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock81⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"82⤵
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock83⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"84⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV185⤵
-
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock85⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"86⤵
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock87⤵
- Modifies visibility of file extensions in Explorer
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"88⤵
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock89⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"90⤵
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock91⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"92⤵
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock93⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"94⤵
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock95⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"96⤵
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock97⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"98⤵
- UAC bypass
- Checks whether UAC is enabled
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock99⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"100⤵
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock101⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"102⤵
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock103⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"104⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1105⤵
-
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock105⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"106⤵
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock107⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"108⤵
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock109⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"110⤵
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock111⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"112⤵
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock113⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"114⤵
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock115⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"116⤵
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock117⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"118⤵
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock119⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock"120⤵
-
C:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-01-25_d6d60e591fc168d89850fd7f7b0faf81_virlock121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-