Analysis
max time kernel: 150s
max time network: 122s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 03/04/2024, 11:41
Behavioral task: behavioral1
Sample: 2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: 2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe
Resource: win10v2004-20240226-en
General
Target: 2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe
Size: 163KB
MD5: c1aeba6369a3615061f44778021f6b42
SHA1: d5e40b2f91be6e95891a6f3e111f6a00f448de27
SHA256: 357908d9f3abf01fcc8d4d3527483d5b9993cd1f70d7af2897ed313f05a39d97
SHA512: 9e4bb49a5230ad624b9224b1f17e4da18345a9c7fece9299035986fc453b7f61c83d2a72486a8f7b674a14575107cf6d661f28709f9aef0450199c2cc3b8edd3
SSDEEP: 3072:YHgTPOOwUJRymLMT+2eVyY1+ly6MkCSU2jgPqS01LpTLAwqsonnqBKLtYMlDJ+:YHgCfn7js6Zjg+Qfe0
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 64 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | reg.exe (this identical entry is listed 64 times)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe (this identical entry is listed 64 times)
UPX dump on OEP (original entry point) (64 IoCs)
resource | yara_rule
behavioral1/memory/2020-0-0x0000000000400000-0x000000000043B000-memory.dmp | UPX
behavioral1/memory/2516-43-0x0000000000400000-0x000000000043B000-memory.dmp | UPX
behavioral1/memory/2020-41-0x0000000000400000-0x000000000043B000-memory.dmp | UPX
behavioral1/memory/2516-69-0x0000000000400000-0x000000000043B000-memory.dmp | UPX
behavioral1/memory/2428-93-0x0000000000400000-0x000000000043B000-memory.dmp | UPX
behavioral1/memory/2108-163-0x0000000000400000-0x000000000043B000-memory.dmp | UPX
behavioral1/memory/2700-165-0x0000000000400000-0x000000000043B000-memory.dmp | UPX
behavioral1/memory/2700-176-0x0000000000400000-0x000000000043B000-memory.dmp | UPX
behavioral1/memory/1632-219-0x0000000000120000-0x000000000015B000-memory.dmp | UPX
behavioral1/memory/1152-221-0x0000000000400000-0x000000000043B000-memory.dmp | UPX
behavioral1/memory/2220-206-0x0000000000400000-0x000000000043B000-memory.dmp | UPX
behavioral1/memory/2220-229-0x0000000000400000-0x000000000043B000-memory.dmp | UPX
behavioral1/memory/2524-204-0x0000000000400000-0x000000000043B000-memory.dmp | UPX
behavioral1/memory/2524-175-0x0000000000400000-0x000000000043B000-memory.dmp | UPX
behavioral1/memory/2940-164-0x0000000000170000-0x00000000001AB000-memory.dmp | UPX
behavioral1/memory/2108-142-0x0000000000400000-0x000000000043B000-memory.dmp | UPX
behavioral1/memory/2236-140-0x0000000000400000-0x000000000043B000-memory.dmp | UPX
behavioral1/memory/1900-117-0x0000000000400000-0x000000000043B000-memory.dmp | UPX
behavioral1/memory/2236-109-0x0000000000400000-0x000000000043B000-memory.dmp | UPX
behavioral1/memory/1900-83-0x0000000000400000-0x000000000043B000-memory.dmp | UPX
behavioral1/memory/2428-61-0x0000000000400000-0x000000000043B000-memory.dmp | UPX
behavioral1/memory/1152-252-0x0000000000400000-0x000000000043B000-memory.dmp | UPX
behavioral1/memory/1764-244-0x0000000000400000-0x000000000043B000-memory.dmp | UPX
behavioral1/memory/1764-277-0x0000000000400000-0x000000000043B000-memory.dmp | UPX
behavioral1/memory/2744-276-0x0000000000400000-0x000000000043B000-memory.dmp | UPX
behavioral1/memory/640-275-0x0000000000400000-0x000000000043B000-memory.dmp | UPX
behavioral1/memory/2032-290-0x0000000000120000-0x000000000015B000-memory.dmp | UPX
behavioral1/memory/2744-299-0x0000000000400000-0x000000000043B000-memory.dmp | UPX
behavioral1/memory/2608-314-0x0000000000400000-0x000000000043B000-memory.dmp | UPX
behavioral1/memory/1892-322-0x0000000000400000-0x000000000043B000-memory.dmp | UPX
behavioral1/memory/2608-342-0x0000000000400000-0x000000000043B000-memory.dmp | UPX
behavioral1/memory/1780-343-0x0000000000400000-0x000000000043B000-memory.dmp | UPX
behavioral1/memory/1780-366-0x0000000000400000-0x000000000043B000-memory.dmp | UPX
behavioral1/memory/1172-389-0x0000000000120000-0x000000000015B000-memory.dmp | UPX
behavioral1/memory/1676-390-0x0000000000400000-0x000000000043B000-memory.dmp | UPX
behavioral1/memory/816-387-0x0000000000400000-0x000000000043B000-memory.dmp | UPX
behavioral1/memory/1476-416-0x0000000000400000-0x000000000043B000-memory.dmp | UPX
behavioral1/memory/1676-415-0x0000000000400000-0x000000000043B000-memory.dmp | UPX
behavioral1/memory/1476-439-0x0000000000400000-0x000000000043B000-memory.dmp | UPX
behavioral1/memory/3000-430-0x00000000001B0000-0x00000000001EB000-memory.dmp | UPX
behavioral1/memory/1948-462-0x0000000000400000-0x000000000043B000-memory.dmp | UPX
behavioral1/memory/2128-454-0x0000000000400000-0x000000000043B000-memory.dmp | UPX
behavioral1/memory/2220-478-0x0000000000400000-0x000000000043B000-memory.dmp | UPX
behavioral1/memory/2128-487-0x0000000000400000-0x000000000043B000-memory.dmp | UPX
behavioral1/memory/1564-508-0x0000000000400000-0x000000000043B000-memory.dmp | UPX
behavioral1/memory/2220-509-0x0000000000400000-0x000000000043B000-memory.dmp | UPX
behavioral1/memory/1564-528-0x0000000000400000-0x000000000043B000-memory.dmp | UPX
behavioral1/memory/2756-527-0x0000000000400000-0x000000000043B000-memory.dmp | UPX
behavioral1/memory/1624-529-0x0000000000400000-0x000000000043B000-memory.dmp | UPX
behavioral1/memory/2456-547-0x0000000000400000-0x000000000043B000-memory.dmp | UPX
behavioral1/memory/1624-548-0x0000000000400000-0x000000000043B000-memory.dmp | UPX
behavioral1/memory/2780-575-0x0000000000400000-0x000000000043B000-memory.dmp | UPX
behavioral1/memory/2456-574-0x0000000000400000-0x000000000043B000-memory.dmp | UPX
behavioral1/memory/2532-603-0x0000000000400000-0x000000000043B000-memory.dmp | UPX
behavioral1/memory/2780-602-0x0000000000400000-0x000000000043B000-memory.dmp | UPX
behavioral1/memory/2532-604-0x0000000000400000-0x000000000043B000-memory.dmp | UPX
behavioral1/memory/2860-605-0x0000000000400000-0x000000000043B000-memory.dmp | UPX
behavioral1/memory/2860-624-0x0000000000400000-0x000000000043B000-memory.dmp | UPX
behavioral1/memory/1576-646-0x0000000000400000-0x000000000043B000-memory.dmp | UPX
behavioral1/memory/2312-665-0x0000000000400000-0x000000000043B000-memory.dmp | UPX
behavioral1/memory/1628-684-0x0000000000400000-0x000000000043B000-memory.dmp | UPX
behavioral1/memory/880-704-0x0000000000400000-0x000000000043B000-memory.dmp | UPX
behavioral1/memory/2796-726-0x0000000000400000-0x000000000043B000-memory.dmp | UPX
behavioral1/memory/1688-747-0x0000000000400000-0x000000000043B000-memory.dmp | UPX
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\International\Geo\Nation | bsgsEQAI.exe
Deletes itself (1 IoCs)
pid | Process
1500 | cmd.exe
Executes dropped EXE (2 IoCs)
pid | Process
2080 | bsgsEQAI.exe
1972 | WUcwIwoc.exe
Loads dropped DLL (20 IoCs)
pid | Process
2020 | 2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe (listed 4 times)
2080 | bsgsEQAI.exe (listed 16 times)
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
resource | yara_rule
behavioral1/memory/2020-0-0x0000000000400000-0x000000000043B000-memory.dmp | upx
behavioral1/memory/2516-43-0x0000000000400000-0x000000000043B000-memory.dmp | upx
behavioral1/memory/2020-41-0x0000000000400000-0x000000000043B000-memory.dmp | upx
behavioral1/memory/2516-69-0x0000000000400000-0x000000000043B000-memory.dmp | upx
behavioral1/memory/2428-93-0x0000000000400000-0x000000000043B000-memory.dmp | upx
behavioral1/memory/2108-163-0x0000000000400000-0x000000000043B000-memory.dmp | upx
behavioral1/memory/2700-165-0x0000000000400000-0x000000000043B000-memory.dmp | upx
behavioral1/memory/2700-176-0x0000000000400000-0x000000000043B000-memory.dmp | upx
behavioral1/memory/1632-219-0x0000000000120000-0x000000000015B000-memory.dmp | upx
behavioral1/memory/1152-221-0x0000000000400000-0x000000000043B000-memory.dmp | upx
behavioral1/memory/2220-206-0x0000000000400000-0x000000000043B000-memory.dmp | upx
behavioral1/memory/2220-229-0x0000000000400000-0x000000000043B000-memory.dmp | upx
behavioral1/memory/2524-204-0x0000000000400000-0x000000000043B000-memory.dmp | upx
behavioral1/memory/2524-175-0x0000000000400000-0x000000000043B000-memory.dmp | upx
behavioral1/memory/2940-164-0x0000000000170000-0x00000000001AB000-memory.dmp | upx
behavioral1/memory/2108-142-0x0000000000400000-0x000000000043B000-memory.dmp | upx
behavioral1/memory/2236-140-0x0000000000400000-0x000000000043B000-memory.dmp | upx
behavioral1/memory/1900-117-0x0000000000400000-0x000000000043B000-memory.dmp | upx
behavioral1/memory/2236-109-0x0000000000400000-0x000000000043B000-memory.dmp | upx
behavioral1/memory/1900-83-0x0000000000400000-0x000000000043B000-memory.dmp | upx
behavioral1/memory/2428-61-0x0000000000400000-0x000000000043B000-memory.dmp | upx
behavioral1/memory/2020-12-0x0000000000470000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/1152-252-0x0000000000400000-0x000000000043B000-memory.dmp | upx
behavioral1/memory/1764-244-0x0000000000400000-0x000000000043B000-memory.dmp | upx
behavioral1/memory/1764-277-0x0000000000400000-0x000000000043B000-memory.dmp | upx
behavioral1/memory/2744-276-0x0000000000400000-0x000000000043B000-memory.dmp | upx
behavioral1/memory/640-275-0x0000000000400000-0x000000000043B000-memory.dmp | upx
behavioral1/memory/2032-290-0x0000000000120000-0x000000000015B000-memory.dmp | upx
behavioral1/memory/2744-299-0x0000000000400000-0x000000000043B000-memory.dmp | upx
behavioral1/memory/2608-314-0x0000000000400000-0x000000000043B000-memory.dmp | upx
behavioral1/memory/1892-322-0x0000000000400000-0x000000000043B000-memory.dmp | upx
behavioral1/memory/2608-342-0x0000000000400000-0x000000000043B000-memory.dmp | upx
behavioral1/memory/1780-343-0x0000000000400000-0x000000000043B000-memory.dmp | upx
behavioral1/memory/1780-366-0x0000000000400000-0x000000000043B000-memory.dmp | upx
behavioral1/memory/1172-389-0x0000000000120000-0x000000000015B000-memory.dmp | upx
behavioral1/memory/1676-390-0x0000000000400000-0x000000000043B000-memory.dmp | upx
behavioral1/memory/816-387-0x0000000000400000-0x000000000043B000-memory.dmp | upx
behavioral1/memory/1476-416-0x0000000000400000-0x000000000043B000-memory.dmp | upx
behavioral1/memory/1676-415-0x0000000000400000-0x000000000043B000-memory.dmp | upx
behavioral1/memory/1476-439-0x0000000000400000-0x000000000043B000-memory.dmp | upx
behavioral1/memory/3000-430-0x00000000001B0000-0x00000000001EB000-memory.dmp | upx
behavioral1/memory/1948-462-0x0000000000400000-0x000000000043B000-memory.dmp | upx
behavioral1/memory/2128-454-0x0000000000400000-0x000000000043B000-memory.dmp | upx
behavioral1/memory/2220-478-0x0000000000400000-0x000000000043B000-memory.dmp | upx
behavioral1/memory/2128-487-0x0000000000400000-0x000000000043B000-memory.dmp | upx
behavioral1/memory/1564-508-0x0000000000400000-0x000000000043B000-memory.dmp | upx
behavioral1/memory/2220-509-0x0000000000400000-0x000000000043B000-memory.dmp | upx
behavioral1/memory/1564-528-0x0000000000400000-0x000000000043B000-memory.dmp | upx
behavioral1/memory/2756-527-0x0000000000400000-0x000000000043B000-memory.dmp | upx
behavioral1/memory/1624-529-0x0000000000400000-0x000000000043B000-memory.dmp | upx
behavioral1/memory/2456-547-0x0000000000400000-0x000000000043B000-memory.dmp | upx
behavioral1/memory/1624-548-0x0000000000400000-0x000000000043B000-memory.dmp | upx
behavioral1/memory/2780-575-0x0000000000400000-0x000000000043B000-memory.dmp | upx
behavioral1/memory/2456-574-0x0000000000400000-0x000000000043B000-memory.dmp | upx
behavioral1/memory/2532-603-0x0000000000400000-0x000000000043B000-memory.dmp | upx
behavioral1/memory/2780-602-0x0000000000400000-0x000000000043B000-memory.dmp | upx
behavioral1/memory/2532-604-0x0000000000400000-0x000000000043B000-memory.dmp | upx
behavioral1/memory/2860-605-0x0000000000400000-0x000000000043B000-memory.dmp | upx
behavioral1/memory/2860-624-0x0000000000400000-0x000000000043B000-memory.dmp | upx
behavioral1/memory/1576-646-0x0000000000400000-0x000000000043B000-memory.dmp | upx
behavioral1/memory/2312-665-0x0000000000400000-0x000000000043B000-memory.dmp | upx
behavioral1/memory/1628-684-0x0000000000400000-0x000000000043B000-memory.dmp | upx
behavioral1/memory/880-704-0x0000000000400000-0x000000000043B000-memory.dmp | upx
behavioral1/memory/2796-726-0x0000000000400000-0x000000000043B000-memory.dmp | upx
Adds Run key to start application (2 TTPs, 6 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\NugkQwso.exe = "C:\\Users\\Admin\\bAwoMkQU\\NugkQwso.exe" | 2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DOUEUMMI.exe = "C:\\ProgramData\\GcoIoYYQ\\DOUEUMMI.exe" | 2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\bsgsEQAI.exe = "C:\\Users\\Admin\\DysEEYUo\\bsgsEQAI.exe" | 2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WUcwIwoc.exe = "C:\\ProgramData\\soEAwsoA\\WUcwIwoc.exe" | 2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\bsgsEQAI.exe = "C:\\Users\\Admin\\DysEEYUo\\bsgsEQAI.exe" | bsgsEQAI.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WUcwIwoc.exe = "C:\\ProgramData\\soEAwsoA\\WUcwIwoc.exe" | WUcwIwoc.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Program crash (2 IoCs)
pid | pid_target | Process | procid_target
2536 | 2540 | WerFault.exe
2548 | 2492 | WerFault.exe | 102
Modifies registry key 1 TTPs 64 IoCs
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
2080 | bsgsEQAI.exe
Suspicious use of FindShellTrayWindow 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe"C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2020 -
C:\Users\Admin\DysEEYUo\bsgsEQAI.exe"C:\Users\Admin\DysEEYUo\bsgsEQAI.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:2080
-
-
C:\ProgramData\soEAwsoA\WUcwIwoc.exe"C:\ProgramData\soEAwsoA\WUcwIwoc.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1972
-
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"2⤵
- Suspicious use of WriteProcessMemory
PID:2860 -
C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2516 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"4⤵
- Suspicious use of WriteProcessMemory
PID:2452 -
C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock5⤵
- Suspicious behavior: EnumeratesProcesses
PID:2428 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"6⤵PID:2124
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock7⤵
- Suspicious behavior: EnumeratesProcesses
PID:1900 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"8⤵PID:3008
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock9⤵
- Suspicious behavior: EnumeratesProcesses
PID:2236 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"10⤵PID:2284
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock11⤵
- Suspicious behavior: EnumeratesProcesses
PID:2108 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"12⤵PID:2940
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock13⤵
- Adds Run key to start application
PID:2700 -
C:\Users\Admin\bAwoMkQU\NugkQwso.exe"C:\Users\Admin\bAwoMkQU\NugkQwso.exe"14⤵PID:2492
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2492 -s 3615⤵
- Program crash
PID:2548
-
-
-
C:\ProgramData\GcoIoYYQ\DOUEUMMI.exe"C:\ProgramData\GcoIoYYQ\DOUEUMMI.exe"14⤵PID:2540
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2540 -s 3615⤵
- Program crash
PID:2536
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"14⤵PID:2412
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock15⤵
- Suspicious behavior: EnumeratesProcesses
PID:2524 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"16⤵PID:3028
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock17⤵
- Suspicious behavior: EnumeratesProcesses
PID:2220 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"18⤵PID:1632
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock19⤵
- Suspicious behavior: EnumeratesProcesses
PID:1152 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"20⤵PID:2736
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock21⤵
- Suspicious behavior: EnumeratesProcesses
PID:1764 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"22⤵PID:640
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock23⤵
- Suspicious behavior: EnumeratesProcesses
PID:2744 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"24⤵PID:2032
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock25⤵
- Suspicious behavior: EnumeratesProcesses
PID:1892 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"26⤵PID:2552
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock27⤵
- Suspicious behavior: EnumeratesProcesses
PID:2608 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"28⤵PID:2280
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock29⤵
- Suspicious behavior: EnumeratesProcesses
PID:1780 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"30⤵PID:2360
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock31⤵
- Suspicious behavior: EnumeratesProcesses
PID:816 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"32⤵PID:1172
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock33⤵
- Suspicious behavior: EnumeratesProcesses
PID:1676 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"34⤵PID:844
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock35⤵
- Suspicious behavior: EnumeratesProcesses
PID:1476 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"36⤵PID:3000
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock37⤵
- Suspicious behavior: EnumeratesProcesses
PID:1948 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"38⤵PID:1556
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock39⤵
- Suspicious behavior: EnumeratesProcesses
PID:2128 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"40⤵PID:2384
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock41⤵
- Suspicious behavior: EnumeratesProcesses
PID:2220 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"42⤵PID:964
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock43⤵
- Suspicious behavior: EnumeratesProcesses
PID:1564 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"44⤵PID:2756
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock45⤵
- Suspicious behavior: EnumeratesProcesses
PID:1624 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"46⤵PID:1292
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock47⤵
- Suspicious behavior: EnumeratesProcesses
PID:2456 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"48⤵PID:1720
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock49⤵
- Suspicious behavior: EnumeratesProcesses
PID:2780 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"50⤵PID:2532
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock51⤵
- Suspicious behavior: EnumeratesProcesses
PID:2860 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"52⤵PID:1988
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock53⤵
- Suspicious behavior: EnumeratesProcesses
PID:1576 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"54⤵PID:2220
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock55⤵
- Suspicious behavior: EnumeratesProcesses
PID:2312 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"56⤵PID:2748
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock57⤵
- Suspicious behavior: EnumeratesProcesses
PID:1628 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"58⤵PID:2868
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock59⤵
- Suspicious behavior: EnumeratesProcesses
PID:880 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"60⤵PID:968
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock61⤵
- Suspicious behavior: EnumeratesProcesses
PID:2796 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"62⤵PID:2780
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock63⤵
- Suspicious behavior: EnumeratesProcesses
PID:1688 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"64⤵PID:268
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock65⤵
- Suspicious behavior: EnumeratesProcesses
PID:2240 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"66⤵PID:1528
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock67⤵PID:592
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"68⤵PID:1124
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock69⤵PID:1880
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"70⤵PID:2944
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock71⤵PID:2612
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"72⤵PID:2152
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock73⤵PID:2528
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"74⤵PID:744
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock75⤵PID:2072
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"76⤵PID:2880
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock77⤵PID:2004
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"78⤵PID:1664
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock79⤵PID:960
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"80⤵PID:2380
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock81⤵PID:740
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"82⤵PID:2396
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock83⤵PID:2648
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"84⤵PID:1920
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock85⤵PID:1292
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"86⤵PID:1160
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock87⤵PID:2344
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"88⤵PID:920
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock89⤵PID:1604
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"90⤵PID:2436
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock91⤵PID:2668
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"92⤵PID:2072
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock93⤵PID:2128
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"94⤵PID:2968
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock95⤵PID:1548
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"96⤵PID:2348
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock97⤵PID:1368
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"98⤵PID:1452
-
level | PID | image | command line (⤵ = this process spawns the next entry)
99 | 1600 | C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock ⤵
100 | 1284 | C:\Windows\SysWOW64\cmd.exe | cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock" ⤵
101 | 1564 | C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock ⤵
102 | 2960 | C:\Windows\SysWOW64\cmd.exe | cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock" ⤵
103 | 2488 | C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock ⤵
104 | 1720 | C:\Windows\SysWOW64\cmd.exe | cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock" ⤵
105 | 528 | C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock ⤵
106 | 2276 | C:\Windows\SysWOW64\cmd.exe | cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock" ⤵
107 | 2716 | C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock ⤵
108 | 2044 | C:\Windows\SysWOW64\cmd.exe | cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock" ⤵
109 | 2344 | C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock ⤵
110 | 1476 | C:\Windows\SysWOW64\cmd.exe | cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock" ⤵
111 | 2764 | C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock ⤵
112 | 2800 | C:\Windows\SysWOW64\cmd.exe | cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock" ⤵
113 | 1576 | C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock ⤵
114 | 3008 | C:\Windows\SysWOW64\cmd.exe | cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock" ⤵
115 | 580 | C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock ⤵
116 | 2720 | C:\Windows\SysWOW64\cmd.exe | cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock" ⤵
117 | 1632 | C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock ⤵
118 | 1948 | C:\Windows\SysWOW64\cmd.exe | cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock" ⤵
119 | 656 | C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock ⤵
120 | 2276 | C:\Windows\SysWOW64\cmd.exe | cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock" ⤵
121 | 1656 | C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exe | C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock ⤵
122 | 1096 | C:\Windows\SysWOW64\cmd.exe | cmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock" ⤵
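The chain above alternates between the sample binary and a cmd.exe that relaunches it with `cmd /c` and the binary's own path minus the `.exe` extension, one nesting level deeper each time. The following Python parser and checks are an added example, not part of the sandbox report or its tooling. It reads entries in the fused `<image><command line><level>⤵PID:<pid>` form in which the listing appears on this page, rebuilds parent links from the level numbers (assuming, as the listing suggests, that the number is the nesting depth and each ⤵ entry spawns the next), flags the exe → cmd /c → same exe relaunch pattern, and reports PIDs that occur more than once. The embedded sample is eight entries copied from the listing above (levels 105 to 108 and 119 to 122); the names `ProcessEntry`, `parse_process_tree`, `find_relaunch_loops`, `reused_pids` and `max_chain_length` are this example's own.

```python
import ntpath
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Iterator, List, Optional, Set, Tuple


@dataclass
class ProcessEntry:
    image: str
    cmdline: str
    level: int
    pid: int
    parent: Optional["ProcessEntry"] = field(default=None, repr=False)

    def ancestors(self) -> Iterator["ProcessEntry"]:
        node = self.parent
        while node is not None:
            yield node
            node = node.parent


# Fused form used by the listing on this page. The image path ends at the first
# ".exe"; the level number directly follows the command line (assumption that
# holds for every entry shown here; a directory named "*.exe" would break it).
ENTRY_RE = re.compile(
    r"^(?P<image>.+?\.exe)"
    r"(?P<cmdline>.*?)"
    r"(?P<level>\d+)⤵?PID:(?P<pid>\d+)$"
)


def parse_process_tree(text: str) -> List[ProcessEntry]:
    """Parse fused process-tree lines and link each entry to its parent."""
    entries: List[ProcessEntry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "-":          # the page uses "-" as a separator
            continue
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError(f"unparsable process-tree line: {line[:60]}...")
        entry = ProcessEntry(m["image"], m["cmdline"], int(m["level"]), int(m["pid"]))
        # In depth-first order the parent is the nearest earlier entry with a
        # smaller level; if that level is not exactly level-1 the parent is
        # missing from the text and the entry is treated as a root.
        for prev in reversed(entries):
            if prev.level == entry.level - 1:
                entry.parent = prev
                break
            if prev.level < entry.level - 1:
                break
        entries.append(entry)
    return entries


def find_relaunch_loops(entries: List[ProcessEntry]) -> List[Tuple[ProcessEntry, ProcessEntry, ProcessEntry]]:
    """(grandparent, cmd, child) triples where a binary starts cmd.exe with
    '/c <its own path>' and that cmd.exe starts the same binary again."""
    hits = []
    for child in entries:
        cmd = child.parent
        grand = cmd.parent if cmd is not None else None
        if cmd is None or grand is None:
            continue
        own_stem = ntpath.splitext(child.image)[0].lower()   # path without .exe, as cmd /c is given it
        if (ntpath.basename(cmd.image).lower() == "cmd.exe"
                and child.image.lower() == grand.image.lower()
                and own_stem in cmd.cmdline.lower()):
            hits.append((grand, cmd, child))
    return hits


def reused_pids(entries: List[ProcessEntry]) -> Set[int]:
    """PIDs that appear more than once in one listing (PID reuse after exit)."""
    counts = Counter(e.pid for e in entries)
    return {pid for pid, n in counts.items() if n > 1}


def max_chain_length(entries: List[ProcessEntry]) -> int:
    return max((1 + sum(1 for _ in e.ancestors()) for e in entries), default=0)


# Eight entries copied from the listing on this page (levels 105-108 and 119-122).
SAMPLE_TREE = r"""
C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock105⤵PID:528
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"106⤵PID:2276
C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock107⤵PID:2716
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"108⤵PID:2044
C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock119⤵PID:656
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"120⤵PID:2276
C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock121⤵PID:1656
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-04-03_c1aeba6369a3615061f44778021f6b42_virlock"122⤵PID:1096
"""

if __name__ == "__main__":
    tree = parse_process_tree(SAMPLE_TREE)
    for grand, cmd, child in find_relaunch_loops(tree):
        print(f"relaunch loop: PID {grand.pid} -> cmd.exe PID {cmd.pid} -> PID {child.pid} (level {child.level})")
    print("reused PIDs:", sorted(reused_pids(tree)))
    print("longest chain in sample:", max_chain_length(tree))
```

Two details from the listing matter for detection logic built on this pattern. The cmd.exe command line names the binary without its `.exe` extension, so a rule that matches on the full image path of the parent will miss the relaunch; match on the path stem, as `find_relaunch_loops` does. And PID 2276 occurs at both level 106 and level 120, so within one run a PID is reused once the earlier cmd.exe has exited; correlate processes on PID plus creation time (or a process GUID where the telemetry source provides one), not on PID alone.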
