Analysis
  max time kernel:   150s
  max time network:  127s
  platform:          windows7_x64
  resource:          win7-20240221-en
  resource tags:     arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  submitted:         03/04/2024, 11:25
Behavioral task: behavioral1
  Sample:    2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe
  Resource:  win7-20240221-en
Behavioral task: behavioral2
  Sample:    2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe
  Resource:  win10v2004-20240226-en
General
  Target:  2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe
  Size:    155KB
  MD5:     2337e5389081db45dd5a3758843120b9
  SHA1:    99c46170b63af74b13af173c24f59d287c445608
  SHA256:  72e28253024c7646b511a5ed0c0e675dbd21983dc000a25cd073e41c76f07c71
  SHA512:  37e2d669ef2e0aeb0288dadd7c5222bb60a65c7c05b0e2bac15976b9e97980aedc2b7916dd7012809e098d37ce6eee85ca49c2cf74ed7377d8e0422c494d3fda
  SSDEEP:  3072:6ds4MGhZ1uP8r/p/vOGdzL5Qjjs+FMn5qybA2evlzWcTxV2edrE4bePw:WMGv1vGQL6jjjK5MJ9DNdw4q4
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 64 IoCs)
  description      ioc                                                                                                                              Process
  Set value (int)  \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"  reg.exe
  (this identical entry is recorded 64 times, once per reg.exe process)
  description      ioc                                                                                    Process
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  reg.exe
  (this identical entry is repeated for each reg.exe process)
UPX dump on OEP (original entry point) (64 IoCs)
  resource                                                                          yara_rule
  behavioral1/memory/2456-0-0x0000000000400000-0x000000000043C000-memory.dmp        UPX
  behavioral1/memory/2548-45-0x0000000000400000-0x000000000043C000-memory.dmp       UPX
  behavioral1/memory/2456-43-0x0000000000400000-0x000000000043C000-memory.dmp       UPX
  behavioral1/memory/2548-65-0x0000000000400000-0x000000000043C000-memory.dmp       UPX
  behavioral1/memory/2180-72-0x0000000000400000-0x000000000043C000-memory.dmp       UPX
  behavioral1/memory/2180-92-0x0000000000400000-0x000000000043C000-memory.dmp       UPX
  behavioral1/memory/2272-95-0x0000000000400000-0x000000000043C000-memory.dmp       UPX
  behavioral1/memory/2272-115-0x0000000000400000-0x000000000043C000-memory.dmp      UPX
  behavioral1/memory/2880-122-0x0000000000400000-0x000000000043C000-memory.dmp      UPX
  behavioral1/memory/2880-143-0x0000000000400000-0x000000000043C000-memory.dmp      UPX
  behavioral1/memory/1232-142-0x0000000000400000-0x000000000043C000-memory.dmp      UPX
  behavioral1/memory/2016-158-0x0000000000400000-0x000000000043C000-memory.dmp      UPX
  behavioral1/memory/1232-166-0x0000000000400000-0x000000000043C000-memory.dmp      UPX
  behavioral1/memory/2016-189-0x0000000000400000-0x000000000043C000-memory.dmp      UPX
  behavioral1/memory/2504-188-0x0000000000260000-0x000000000029C000-memory.dmp      UPX
  behavioral1/memory/2420-190-0x0000000000400000-0x000000000043C000-memory.dmp      UPX
  behavioral1/memory/2504-191-0x0000000000260000-0x000000000029C000-memory.dmp      UPX
  behavioral1/memory/2420-217-0x0000000000400000-0x000000000043C000-memory.dmp      UPX
  behavioral1/memory/2492-209-0x0000000000400000-0x000000000043C000-memory.dmp      UPX
  behavioral1/memory/2492-238-0x0000000000400000-0x000000000043C000-memory.dmp      UPX
  behavioral1/memory/1292-260-0x0000000000400000-0x000000000043C000-memory.dmp      UPX
  behavioral1/memory/2132-263-0x0000000000400000-0x000000000043C000-memory.dmp      UPX
  behavioral1/memory/2132-287-0x0000000000400000-0x000000000043C000-memory.dmp      UPX
  behavioral1/memory/2868-285-0x0000000000400000-0x000000000043C000-memory.dmp      UPX
  behavioral1/memory/2868-309-0x0000000000400000-0x000000000043C000-memory.dmp      UPX
  behavioral1/memory/888-310-0x0000000000400000-0x000000000043C000-memory.dmp       UPX
  behavioral1/memory/888-332-0x0000000000400000-0x000000000043C000-memory.dmp       UPX
  behavioral1/memory/1972-334-0x0000000000400000-0x000000000043C000-memory.dmp      UPX
  behavioral1/memory/1972-357-0x0000000000400000-0x000000000043C000-memory.dmp      UPX
  behavioral1/memory/2144-358-0x0000000000400000-0x000000000043C000-memory.dmp      UPX
  behavioral1/memory/2568-382-0x0000000000400000-0x000000000043C000-memory.dmp      UPX
  behavioral1/memory/2144-380-0x0000000000400000-0x000000000043C000-memory.dmp      UPX
  behavioral1/memory/2568-406-0x0000000000400000-0x000000000043C000-memory.dmp      UPX
  behavioral1/memory/1440-407-0x0000000000400000-0x000000000043C000-memory.dmp      UPX
  behavioral1/memory/1440-429-0x0000000000400000-0x000000000043C000-memory.dmp      UPX
  behavioral1/memory/2472-432-0x0000000000400000-0x000000000043C000-memory.dmp      UPX
  behavioral1/memory/2472-454-0x0000000000400000-0x000000000043C000-memory.dmp      UPX
  behavioral1/memory/2684-457-0x0000000000400000-0x000000000043C000-memory.dmp      UPX
  behavioral1/memory/2684-480-0x0000000000400000-0x000000000043C000-memory.dmp      UPX
  behavioral1/memory/1900-482-0x0000000000400000-0x000000000043C000-memory.dmp      UPX
  behavioral1/memory/1900-502-0x0000000000400000-0x000000000043C000-memory.dmp      UPX
  behavioral1/memory/568-504-0x0000000000400000-0x000000000043C000-memory.dmp       UPX
  behavioral1/memory/568-523-0x0000000000400000-0x000000000043C000-memory.dmp       UPX
  behavioral1/memory/2208-525-0x0000000000400000-0x000000000043C000-memory.dmp      UPX
  behavioral1/memory/2208-549-0x0000000000400000-0x000000000043C000-memory.dmp      UPX
  behavioral1/memory/1248-580-0x0000000000400000-0x000000000043C000-memory.dmp      UPX
  behavioral1/memory/1676-579-0x0000000000400000-0x000000000043C000-memory.dmp      UPX
  behavioral1/memory/1248-598-0x0000000000400000-0x000000000043C000-memory.dmp      UPX
  behavioral1/memory/2584-600-0x0000000000400000-0x000000000043C000-memory.dmp      UPX
  behavioral1/memory/2064-615-0x0000000000400000-0x000000000043C000-memory.dmp      UPX
  behavioral1/memory/2584-626-0x0000000000400000-0x000000000043C000-memory.dmp      UPX
  behavioral1/memory/2576-646-0x0000000000400000-0x000000000043C000-memory.dmp      UPX
  behavioral1/memory/2280-666-0x0000000000400000-0x000000000043C000-memory.dmp      UPX
  behavioral1/memory/1760-688-0x0000000000400000-0x000000000043C000-memory.dmp      UPX
  behavioral1/memory/1160-708-0x0000000000400000-0x000000000043C000-memory.dmp      UPX
  behavioral1/memory/1704-732-0x0000000000400000-0x000000000043C000-memory.dmp      UPX
  behavioral1/memory/2044-752-0x0000000000400000-0x000000000043C000-memory.dmp      UPX
  behavioral1/memory/2988-772-0x0000000000400000-0x000000000043C000-memory.dmp      UPX
  behavioral1/memory/2488-792-0x0000000000400000-0x000000000043C000-memory.dmp      UPX
  behavioral1/memory/1752-812-0x0000000000400000-0x000000000043C000-memory.dmp      UPX
  behavioral1/memory/816-833-0x0000000000400000-0x000000000043C000-memory.dmp       UPX
  behavioral1/memory/1448-853-0x0000000000400000-0x000000000043C000-memory.dmp      UPX
  behavioral1/memory/1980-875-0x0000000000400000-0x000000000043C000-memory.dmp      UPX
  behavioral1/memory/2556-945-0x0000000000400000-0x000000000043C000-memory.dmp      UPX
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
  description        ioc                                                                                              Process
  Key value queried  \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\International\Geo\Nation  YCQQcYYM.exe
Deletes itself (1 IoCs)
  pid  Process
  284  cmd.exe
Executes dropped EXE (2 IoCs)
  pid   Process
  2560  YCQQcYYM.exe
  2480  IkwsYEcM.exe
Loads dropped DLL (20 IoCs)
  pid   Process
  2456  2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe  (4 entries)
  2560  YCQQcYYM.exe  (16 entries)
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
  resource   yara_rule
  (the same 64 behavioral1 memory dumps listed under "UPX dump on OEP" above, each matched by yara rule upx)
Adds Run key to start application (2 TTPs, 4 IoCs)
  description      ioc                                                                                                                                                                  Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\YCQQcYYM.exe = "C:\\Users\\Admin\\MeQMUcIU\\YCQQcYYM.exe"  2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\IkwsYEcM.exe = "C:\\ProgramData\\RgYMsAYU\\IkwsYEcM.exe"                                    2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\YCQQcYYM.exe = "C:\\Users\\Admin\\MeQMUcIU\\YCQQcYYM.exe"  YCQQcYYM.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\IkwsYEcM.exe = "C:\\ProgramData\\RgYMsAYU\\IkwsYEcM.exe"                                    IkwsYEcM.exe
Drops file in Windows directory (1 IoCs)
  description                   ioc                                                                              Process
  File opened for modification  \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico  YCQQcYYM.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Modifies registry key (1 TTPs, 64 IoCs)
  Process: reg.exe
  pids: 1524, 828, 1028, 696, 2664, 1640, 1772, 2772, 1488, 2468, 2420, 2504, 1288, 704, 2124, 552, 2300, 1732, 2716, 1176, 2188, 1072, 1948, 2624, 1084, 1288, 2468, 1144, 1564, 528, 1724, 2812, 2320, 1268, 2696, 1608, 268, 1568, 2916, 1908, 2236, 1148, 2668, 2396, 2168, 2180, 1528, 2596, 1704, 1968, 2656, 544, 2148, 1972, 2008, 1300, 2180, 1180, 552, 2056, 1340, 1224, 872, 2240
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process
2456 2548 2180 2272 2880 1232 2016 2420 2492 1292 2132 2868 888 1972 2144 2568 1440 2472 2684 1900 568 2208 1676 1248 2584 2576 2280 1760 1160 1704 2044 2988 (32 PIDs, each logged twice) 2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2560 YCQQcYYM.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process
2560 YCQQcYYM.exe (64 events, all from this one process)
-
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
16 distinct parent/child pairs; the sandbox records each one four times, which gives the 64 entries.
writer pid | wrote to memory of | Process | procid_target | entries
2456 | 2560 | 2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe | 28 | 4
2456 | 2480 | 2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe | 29 | 4
2456 | 2380 | 2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe | 30 | 4
2380 | 2548 | cmd.exe | 33 | 4
2456 | 2692 | 2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe | 32 | 4
2456 | 2396 | 2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe | 34 | 4
2456 | 1972 | 2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe | 35 | 4
2456 | 2388 | 2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe | 38 | 4
2548 | 1808 | 2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe | 41 | 4
2548 | 1420 | 2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe | 43 | 4
2548 | 2144 | 2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe | 44 | 4
2548 | 2332 | 2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe | 45 | 4
2548 | 2432 | 2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe | 46 | 4
2388 | 2188 | cmd.exe | 51 | 4
1808 | 2180 | cmd.exe | 52 | 4
2432 | 1492 | cmd.exe | 53 | 4
Processes
-
depth | pid | image | command line
1 | 2456 | C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe | "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe"
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
2 | 2560 | C:\Users\Admin\MeQMUcIU\YCQQcYYM.exe | "C:\Users\Admin\MeQMUcIU\YCQQcYYM.exe"
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
2 | 2480 | C:\ProgramData\RgYMsAYU\IkwsYEcM.exe | "C:\ProgramData\RgYMsAYU\IkwsYEcM.exe"
- Executes dropped EXE
- Adds Run key to start application
2 | 2380 | C:\Windows\SysWOW64\cmd.exe | cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"
- Suspicious use of WriteProcessMemory
3 | 2548 | C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
4 | 1808 | C:\Windows\SysWOW64\cmd.exe | cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"
- Suspicious use of WriteProcessMemory
5 | 2180 | C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock
- Suspicious behavior: EnumeratesProcesses
From depth 6 to depth 122 each process is the child of the one above it and the two entries alternate with identical image and command line. Even depths are C:\Windows\SysWOW64\cmd.exe running cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock"; odd depths are C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe started with the command line C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock (the command line omits the .exe extension, yet the image that starts is the .exe). The image column below gives only the file name.
depth | pid | image | signatures
6 | 1764 | cmd.exe |
7 | 2272 | 2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe | Suspicious behavior: EnumeratesProcesses
8 | 2472 | cmd.exe |
9 | 2880 | 2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe | Suspicious behavior: EnumeratesProcesses
10 | 1404 | cmd.exe |
11 | 1232 | 2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe | Suspicious behavior: EnumeratesProcesses
12 | 1668 | cmd.exe |
13 | 2016 | 2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe | Suspicious behavior: EnumeratesProcesses
14 | 2504 | cmd.exe |
15 | 2420 | 2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe | Suspicious behavior: EnumeratesProcesses
16 | 760 | cmd.exe |
17 | 2492 | 2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe | Suspicious behavior: EnumeratesProcesses
18 | 2388 | cmd.exe |
19 | 1292 | 2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe | Suspicious behavior: EnumeratesProcesses
20 | 2660 | cmd.exe |
21 | 2132 | 2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe | Suspicious behavior: EnumeratesProcesses
22 | 2716 | cmd.exe |
23 | 2868 | 2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe | Suspicious behavior: EnumeratesProcesses
24 | 2264 | cmd.exe |
25 | 888 | 2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe | Suspicious behavior: EnumeratesProcesses
26 | 2384 | cmd.exe |
27 | 1972 | 2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe | Suspicious behavior: EnumeratesProcesses
28 | 2184 | cmd.exe |
29 | 2144 | 2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe | Suspicious behavior: EnumeratesProcesses
30 | 1540 | cmd.exe |
31 | 2568 | 2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe | Suspicious behavior: EnumeratesProcesses
32 | 2192 | cmd.exe |
33 | 1440 | 2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe | Suspicious behavior: EnumeratesProcesses
34 | 2968 | cmd.exe |
35 | 2472 | 2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe | Suspicious behavior: EnumeratesProcesses
36 | 960 | cmd.exe |
37 | 2684 | 2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe | Suspicious behavior: EnumeratesProcesses
38 | 2224 | cmd.exe |
39 | 1900 | 2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe | Suspicious behavior: EnumeratesProcesses
40 | 2140 | cmd.exe |
41 | 568 | 2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe | Suspicious behavior: EnumeratesProcesses
42 | 1700 | cmd.exe |
43 | 2208 | 2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe | Suspicious behavior: EnumeratesProcesses
44 | 1640 | cmd.exe |
45 | 1676 | 2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe | Suspicious behavior: EnumeratesProcesses
46 | 2028 | cmd.exe |
47 | 1248 | 2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe | Suspicious behavior: EnumeratesProcesses
48 | 2620 | cmd.exe |
49 | 2584 | 2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe | Suspicious behavior: EnumeratesProcesses
50 | 2064 | cmd.exe |
51 | 2576 | 2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe | Suspicious behavior: EnumeratesProcesses
52 | 2820 | cmd.exe |
53 | 2280 | 2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe | Suspicious behavior: EnumeratesProcesses
54 | 944 | cmd.exe |
55 | 1760 | 2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe | Suspicious behavior: EnumeratesProcesses
56 | 2644 | cmd.exe |
57 | 1160 | 2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe | Suspicious behavior: EnumeratesProcesses
58 | 1584 | cmd.exe |
59 | 1704 | 2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe | Suspicious behavior: EnumeratesProcesses
60 | 1992 | cmd.exe |
61 | 2044 | 2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe | Suspicious behavior: EnumeratesProcesses
62 | 2564 | cmd.exe |
63 | 2988 | 2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe | Suspicious behavior: EnumeratesProcesses
64 | 980 | cmd.exe |
65 | 2488 | 2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe |
66 | 2664 | cmd.exe |
67 | 1752 | 2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe |
68 | 1428 | cmd.exe |
69 | 816 | 2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe |
70 | 844 | cmd.exe |
71 | 1448 | 2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe |
72 | 3060 | cmd.exe |
73 | 1980 | 2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe |
74 | 2688 | cmd.exe |
75 | 2556 | 2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe |
76 | 2536 | cmd.exe |
77 | 2376 | 2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe |
78 | 2772 | cmd.exe |
79 | 2216 | 2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe |
80 | 1312 | cmd.exe |
81 | 1888 | 2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe |
82 | 2016 | cmd.exe |
83 | 2688 | 2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe |
84 | 2176 | cmd.exe |
85 | 1436 | 2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe |
86 | 2360 | cmd.exe |
87 | 2028 | 2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe |
88 | 1488 | cmd.exe |
89 | 3068 | 2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe |
90 | 2140 | cmd.exe |
91 | 2484 | 2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe |
92 | 2860 | cmd.exe |
93 | 2724 | 2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe |
94 | 1516 | cmd.exe |
95 | 1992 | 2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe |
96 | 1744 | cmd.exe |
97 | 948 | 2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe |
98 | 868 | cmd.exe |
99 | 2096 | 2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe |
100 | 924 | cmd.exe |
101 | 2296 | 2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe |
102 | 2468 | cmd.exe |
103 | 2752 | 2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe |
104 | 892 | cmd.exe |
105 | 2724 | 2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe |
106 | 1684 | cmd.exe |
107 | 2820 | 2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe |
108 | 1064 | cmd.exe |
109 | 2980 | 2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe |
110 | 2300 | cmd.exe |
111 | 2476 | 2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe |
112 | 844 | cmd.exe |
113 | 816 | 2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe |
114 | 2244 | cmd.exe |
115 | 1732 | 2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe |
116 | 2352 | cmd.exe |
117 | 1512 | 2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe |
118 | 476 | cmd.exe |
119 | 2576 | 2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe |
120 | 2224 | cmd.exe |
121 | 2164 | 2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe |
122 | 2384 | cmd.exe |
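An added example, not part of the report: the WriteProcessMemory list and the process tree above describe the same relaunch loop, in which the sample runs cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2337e5389081db45dd5a3758843120b9_virlock" (no .exe extension, though the image that starts is the .exe) and that cmd.exe starts the sample again, down to depth 122. The Python below reconstructs parent/child edges from the `PID A wrote to memory of B A <image> N` lines, de-duplicates them (the sandbox logs each event four times, so the 64 entries are 16 distinct events) and returns the longest chain of confirmed sample-to-cmd.exe-to-sample hops. The sixteen events are copied from this report; function names are my own. Only a process that later writes to a child has a recorded image in these lines, so a child never seen as a writer ends a chain rather than extending it, which is why the chain recovered here is shorter than the one the process tree shows.

```python
import re
from collections import defaultdict

SAMPLE = "2024-04-03_2337e5389081db45dd5a3758843120b9_virlock.exe"

# Constructed input: the 16 distinct "wrote to memory of" events from this
# report as (parent pid, child pid, parent image, procid_target), each emitted
# four times the way the sandbox logs them, so that de-duplication is exercised.
EVENTS = [
    (2456, 2560, SAMPLE, 28), (2456, 2480, SAMPLE, 29), (2456, 2380, SAMPLE, 30),
    (2380, 2548, "cmd.exe", 33), (2456, 2692, SAMPLE, 32), (2456, 2396, SAMPLE, 34),
    (2456, 1972, SAMPLE, 35), (2456, 2388, SAMPLE, 38), (2548, 1808, SAMPLE, 41),
    (2548, 1420, SAMPLE, 43), (2548, 2144, SAMPLE, 44), (2548, 2332, SAMPLE, 45),
    (2548, 2432, SAMPLE, 46), (2388, 2188, "cmd.exe", 51), (1808, 2180, "cmd.exe", 52),
    (2432, 1492, "cmd.exe", 53),
]
SAMPLE_LOG = "\n".join(
    f"PID {p} wrote to memory of {c} {p} {img} {t}"
    for (p, c, img, t) in EVENTS
    for _ in range(4)
)

EVENT_LINE = re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)")


def parse_events(text):
    """Distinct (parent_pid, child_pid, parent_image) triples from the IoC text."""
    events = set()
    for m in EVENT_LINE.finditer(text):
        parent, child, parent_again, image, _procid_target = m.groups()
        if parent != parent_again:
            continue  # malformed line: the pid column should repeat the writer's pid
        events.add((int(parent), int(child), image))
    return events


def build_tree(events):
    """children[pid] -> child pids; image[pid] -> image name for every pid seen as a writer."""
    children, image = defaultdict(set), {}
    for parent, child, img in events:
        children[parent].add(child)
        image[parent] = img
    return children, image


def is_relaunch_hop(parent_image, child_image, sample=SAMPLE):
    """One hop of the loop: the sample spawning cmd.exe, or cmd.exe spawning the sample."""
    return {parent_image, child_image} == {sample, "cmd.exe"}


def longest_relaunch_chain(children, image, root, sample=SAMPLE):
    """Longest path from root along confirmed sample<->cmd.exe hops.

    A child with no recorded image (it never wrote to another process) ends
    the chain instead of extending it, so the result is a lower bound.
    """
    best = [root]

    def walk(pid, path):
        nonlocal best
        if len(path) > len(best):
            best = list(path)
        for child in sorted(children.get(pid, ())):
            child_image = image.get(child)
            if child_image is None or not is_relaunch_hop(image[pid], child_image, sample):
                continue
            walk(child, path + [child])

    if root in image:
        walk(root, [root])
    return best


def relaunch_summary(text, root=2456):
    events = parse_events(text)
    children, image = build_tree(events)
    chain = longest_relaunch_chain(children, image, root)
    return {
        "distinct_events": len(events),
        "children_of_root": sorted(children[root]),
        "relaunch_chain": chain,
        "relaunch_hops": len(chain) - 1,
    }


if __name__ == "__main__":
    print(relaunch_summary(SAMPLE_LOG))
```

Pointing the same walk at a full process-creation log (for example Sysmon Event ID 1, which records the parent process id and image for every child) gives the true depth; the 64-entry cap on this page is what truncates it here.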