Analysis
-
max time kernel
150s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
16-10-2024 17:57
Static task
static1
Behavioral task
behavioral1
Sample
2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
Resource
win10v2004-20241007-en
General
-
Target
2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe
-
Size
116KB
-
MD5
70f0066d643916ed531583f3b3b6382c
-
SHA1
228f1fb78fd1f08078a4cfc30e61984f3ad9366d
-
SHA256
8c2d37665861b2652b06805f38fedfcd44bac6fe889f0ce9997c3f13a43a5543
-
SHA512
1b86fdf50a8211b593e0f36071581fafe423c0282774acffbea402fcbc031dfc9aedc18bcbb1022d22df238c105b0634226df11bdf62e28afba7fa8cb95c39f0
-
SSDEEP
3072:SQ/05bi+3FB+ctk5FMfzCL9jJ7nbApb22PWvoK0:S2g1s2eY
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set 
value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) 
\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) 
\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) 
\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) 
\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set 
value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely as a geofence check.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\International\Geo\Nation OKkMcgQc.exe -
Executes dropped EXE 2 IoCs
pid Process 2744 uOQoAUUw.exe 2012 OKkMcgQc.exe -
Loads dropped DLL 20 IoCs
pid Process 2068 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe 2068 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe 2068 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe 2068 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe 2744 uOQoAUUw.exe 2744 uOQoAUUw.exe 2744 uOQoAUUw.exe 2744 uOQoAUUw.exe 2744 uOQoAUUw.exe 2744 uOQoAUUw.exe 2744 uOQoAUUw.exe 2744 uOQoAUUw.exe 2744 uOQoAUUw.exe 2744 uOQoAUUw.exe 2744 uOQoAUUw.exe 2744 uOQoAUUw.exe 2744 uOQoAUUw.exe 2744 uOQoAUUw.exe 2744 uOQoAUUw.exe 2744 uOQoAUUw.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials among other data.
-
Adds Run key to start application 2 TTPs 6 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OKkMcgQc.exe = "C:\\ProgramData\\cUUgEssc\\OKkMcgQc.exe" OKkMcgQc.exe Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\GmUAwUEk.exe = "C:\\Users\\Admin\\wyEccUUs\\GmUAwUEk.exe" 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\tKsQkgIg.exe = "C:\\ProgramData\\niMIAkwI\\tKsQkgIg.exe" 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\uOQoAUUw.exe = "C:\\Users\\Admin\\pqIwgAIo\\uOQoAUUw.exe" 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OKkMcgQc.exe = "C:\\ProgramData\\cUUgEssc\\OKkMcgQc.exe" 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\uOQoAUUw.exe = "C:\\Users\\Admin\\pqIwgAIo\\uOQoAUUw.exe" uOQoAUUw.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
pid pid_target Process procid_target 3056 2612 WerFault.exe 104 2576 2560 WerFault.exe 105 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe -
Modifies registry key 1 TTPs 64 IoCs
pid Process 2384 reg.exe 2620 reg.exe 1760 reg.exe 2176 reg.exe 1808 reg.exe 484 reg.exe 2964 reg.exe 1596 reg.exe 2648 reg.exe 2476 reg.exe 1632 reg.exe 1604 reg.exe 2844 reg.exe 2852 reg.exe 1572 reg.exe 2928 reg.exe 2212 reg.exe 2940 reg.exe 2964 reg.exe 1804 reg.exe 2664 reg.exe 688 reg.exe 2532 reg.exe 2520 reg.exe 968 reg.exe 1948 reg.exe 1664 reg.exe 2908 reg.exe 2068 reg.exe 2264 reg.exe 1096 reg.exe 1812 reg.exe 3000 reg.exe 2712 reg.exe 2600 reg.exe 2060 reg.exe 2788 reg.exe 1776 reg.exe 1872 reg.exe 1796 reg.exe 2700 reg.exe 1100 reg.exe 1040 reg.exe 576 reg.exe 2292 reg.exe 1636 reg.exe 1812 reg.exe 2900 reg.exe 2396 reg.exe 2384 reg.exe 1664 reg.exe 1292 reg.exe 2548 reg.exe 1828 reg.exe 2592 reg.exe 1844 reg.exe 2272 reg.exe 1828 reg.exe 1644 reg.exe 2732 reg.exe 2544 reg.exe 2692 reg.exe 2304 reg.exe 2712 reg.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2068 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe 2068 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe 2568 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe 2568 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe 3028 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe 3028 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe 1832 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe 1832 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe 436 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe 436 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe 2512 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe 2512 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe 2604 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe 2604 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe 2364 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe 2364 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe 2404 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe 2404 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe 3000 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe 3000 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe 1820 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe 1820 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe 1572 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe 1572 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe 1716 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe 1716 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe 1804 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe 1804 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe 1136 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe 1136 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe 1256 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe 1256 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe 1784 
2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe 1784 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe 2752 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe 2752 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe 1708 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe 1708 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe 1768 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe 1768 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe 1564 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe 1564 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe 1868 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe 1868 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe 332 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe 332 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe 1648 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe 1648 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe 2828 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe 2828 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe 2580 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe 2580 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe 2044 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe 2044 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe 2000 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe 2000 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe 2732 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe 2732 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe 1712 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe 1712 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe 1268 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe 1268 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe 1100 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe 1100 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2012 OKkMcgQc.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 2012 OKkMcgQc.exe 2012 OKkMcgQc.exe 2012 OKkMcgQc.exe 2012 OKkMcgQc.exe 2012 OKkMcgQc.exe 2012 OKkMcgQc.exe 2012 OKkMcgQc.exe 2012 OKkMcgQc.exe 2012 OKkMcgQc.exe 2012 OKkMcgQc.exe 2012 OKkMcgQc.exe 2012 OKkMcgQc.exe 2012 OKkMcgQc.exe 2012 OKkMcgQc.exe 2012 OKkMcgQc.exe 2012 OKkMcgQc.exe 2012 OKkMcgQc.exe 2012 OKkMcgQc.exe 2012 OKkMcgQc.exe 2012 OKkMcgQc.exe 2012 OKkMcgQc.exe 2012 OKkMcgQc.exe 2012 OKkMcgQc.exe 2012 OKkMcgQc.exe 2012 OKkMcgQc.exe 2012 OKkMcgQc.exe 2012 OKkMcgQc.exe 2012 OKkMcgQc.exe 2012 OKkMcgQc.exe 2012 OKkMcgQc.exe 2012 OKkMcgQc.exe 2012 OKkMcgQc.exe 2012 OKkMcgQc.exe 2012 OKkMcgQc.exe 2012 OKkMcgQc.exe 2012 OKkMcgQc.exe 2012 OKkMcgQc.exe 2012 OKkMcgQc.exe 2012 OKkMcgQc.exe 2012 OKkMcgQc.exe 2012 OKkMcgQc.exe 2012 OKkMcgQc.exe 2012 OKkMcgQc.exe 2012 OKkMcgQc.exe 2012 OKkMcgQc.exe 2012 OKkMcgQc.exe 2012 OKkMcgQc.exe 2012 OKkMcgQc.exe 2012 OKkMcgQc.exe 2012 OKkMcgQc.exe 2012 OKkMcgQc.exe 2012 OKkMcgQc.exe 2012 OKkMcgQc.exe 2012 OKkMcgQc.exe 2012 OKkMcgQc.exe 2012 OKkMcgQc.exe 2012 OKkMcgQc.exe 2012 OKkMcgQc.exe 2012 OKkMcgQc.exe 2012 OKkMcgQc.exe 2012 OKkMcgQc.exe 2012 OKkMcgQc.exe 2012 OKkMcgQc.exe 2012 OKkMcgQc.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2068 wrote to memory of 2744 2068 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe 30 PID 2068 wrote to memory of 2744 2068 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe 30 PID 2068 wrote to memory of 2744 2068 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe 30 PID 2068 wrote to memory of 2744 2068 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe 30 PID 2068 wrote to memory of 2012 2068 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe 31 PID 2068 wrote to memory of 2012 2068 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe 31 PID 2068 wrote to memory of 2012 2068 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe 31 PID 2068 wrote to memory of 2012 2068 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe 31 PID 2068 wrote to memory of 2760 2068 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe 32 PID 2068 wrote to memory of 2760 2068 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe 32 PID 2068 wrote to memory of 2760 2068 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe 32 PID 2068 wrote to memory of 2760 2068 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe 32 PID 2760 wrote to memory of 2568 2760 cmd.exe 34 PID 2760 wrote to memory of 2568 2760 cmd.exe 34 PID 2760 wrote to memory of 2568 2760 cmd.exe 34 PID 2760 wrote to memory of 2568 2760 cmd.exe 34 PID 2068 wrote to memory of 2792 2068 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe 35 PID 2068 wrote to memory of 2792 2068 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe 35 PID 2068 wrote to memory of 2792 2068 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe 35 PID 2068 wrote to memory of 2792 2068 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe 35 PID 2068 wrote to memory of 2592 2068 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe 36 PID 2068 wrote to memory of 2592 2068 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe 36 PID 2068 wrote to 
memory of 2592 2068 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe 36 PID 2068 wrote to memory of 2592 2068 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe 36 PID 2068 wrote to memory of 2600 2068 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe 38 PID 2068 wrote to memory of 2600 2068 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe 38 PID 2068 wrote to memory of 2600 2068 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe 38 PID 2068 wrote to memory of 2600 2068 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe 38 PID 2068 wrote to memory of 2624 2068 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe 41 PID 2068 wrote to memory of 2624 2068 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe 41 PID 2068 wrote to memory of 2624 2068 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe 41 PID 2068 wrote to memory of 2624 2068 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe 41 PID 2624 wrote to memory of 1624 2624 cmd.exe 43 PID 2624 wrote to memory of 1624 2624 cmd.exe 43 PID 2624 wrote to memory of 1624 2624 cmd.exe 43 PID 2624 wrote to memory of 1624 2624 cmd.exe 43 PID 2568 wrote to memory of 2888 2568 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe 44 PID 2568 wrote to memory of 2888 2568 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe 44 PID 2568 wrote to memory of 2888 2568 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe 44 PID 2568 wrote to memory of 2888 2568 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe 44 PID 2888 wrote to memory of 3028 2888 cmd.exe 46 PID 2888 wrote to memory of 3028 2888 cmd.exe 46 PID 2888 wrote to memory of 3028 2888 cmd.exe 46 PID 2888 wrote to memory of 3028 2888 cmd.exe 46 PID 2568 wrote to memory of 2380 2568 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe 47 PID 2568 wrote to memory of 2380 2568 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe 47 PID 2568 wrote to memory of 2380 2568 
2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe 47 PID 2568 wrote to memory of 2380 2568 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe 47 PID 2568 wrote to memory of 2364 2568 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe 48 PID 2568 wrote to memory of 2364 2568 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe 48 PID 2568 wrote to memory of 2364 2568 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe 48 PID 2568 wrote to memory of 2364 2568 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe 48 PID 2568 wrote to memory of 2384 2568 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe 49 PID 2568 wrote to memory of 2384 2568 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe 49 PID 2568 wrote to memory of 2384 2568 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe 49 PID 2568 wrote to memory of 2384 2568 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe 49 PID 2568 wrote to memory of 2260 2568 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe 53 PID 2568 wrote to memory of 2260 2568 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe 53 PID 2568 wrote to memory of 2260 2568 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe 53 PID 2568 wrote to memory of 2260 2568 2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe 53 PID 2260 wrote to memory of 1696 2260 cmd.exe 55 PID 2260 wrote to memory of 1696 2260 cmd.exe 55 PID 2260 wrote to memory of 1696 2260 cmd.exe 55 PID 2260 wrote to memory of 1696 2260 cmd.exe 55
Processes (process tree; the trailing ⤵ number on each entry is the nesting depth of that process under the submitted sample)
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe"C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2068 -
C:\Users\Admin\pqIwgAIo\uOQoAUUw.exe"C:\Users\Admin\pqIwgAIo\uOQoAUUw.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:2744
-
-
C:\ProgramData\cUUgEssc\OKkMcgQc.exe"C:\ProgramData\cUUgEssc\OKkMcgQc.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:2012
-
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"2⤵
- Suspicious use of WriteProcessMemory
PID:2760 -
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2568 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"4⤵
- Suspicious use of WriteProcessMemory
PID:2888 -
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock5⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3028 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"6⤵PID:2840
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock7⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1832 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"8⤵PID:844
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock9⤵
- Suspicious behavior: EnumeratesProcesses
PID:436 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"10⤵PID:1348
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock11⤵
- Suspicious behavior: EnumeratesProcesses
PID:2512 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"12⤵PID:1924
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock13⤵
- Adds Run key to start application
PID:2244 -
C:\Users\Admin\wyEccUUs\GmUAwUEk.exe"C:\Users\Admin\wyEccUUs\GmUAwUEk.exe"14⤵PID:2612
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2612 -s 3615⤵
- Program crash
PID:3056
-
-
-
C:\ProgramData\niMIAkwI\tKsQkgIg.exe"C:\ProgramData\niMIAkwI\tKsQkgIg.exe"14⤵PID:2560
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2560 -s 3615⤵
- Program crash
PID:2576
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"14⤵
- System Location Discovery: System Language Discovery
PID:3016 -
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock15⤵
- Suspicious behavior: EnumeratesProcesses
PID:2604 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"16⤵PID:2760
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock17⤵
- Suspicious behavior: EnumeratesProcesses
PID:2364 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"18⤵
- System Location Discovery: System Language Discovery
PID:320 -
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock19⤵
- Suspicious behavior: EnumeratesProcesses
PID:2404 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"20⤵PID:1688
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock21⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3000 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"22⤵
- System Location Discovery: System Language Discovery
PID:2208 -
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock23⤵
- Suspicious behavior: EnumeratesProcesses
PID:1820 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"24⤵PID:2708
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock25⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1572 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"26⤵PID:2052
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock27⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1716 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"28⤵PID:2764
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock29⤵
- Suspicious behavior: EnumeratesProcesses
PID:1804 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"30⤵PID:2192
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock31⤵
- Suspicious behavior: EnumeratesProcesses
PID:1136 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"32⤵PID:844
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock33⤵
- Suspicious behavior: EnumeratesProcesses
PID:1256 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"34⤵PID:2116
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock35⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1784 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"36⤵PID:1704
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock37⤵
- Suspicious behavior: EnumeratesProcesses
PID:2752 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"38⤵PID:324
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock39⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1708 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"40⤵PID:2468
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock41⤵
- Suspicious behavior: EnumeratesProcesses
PID:1768 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"42⤵PID:2120
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock43⤵
- Suspicious behavior: EnumeratesProcesses
PID:1564 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"44⤵PID:2352
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock45⤵
- Suspicious behavior: EnumeratesProcesses
PID:1868 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"46⤵PID:2680
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock47⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:332 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"48⤵PID:2596
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock49⤵
- Suspicious behavior: EnumeratesProcesses
PID:1648 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"50⤵PID:1952
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock51⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2828 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"52⤵PID:2936
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock53⤵
- Suspicious behavior: EnumeratesProcesses
PID:2580 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"54⤵PID:2760
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock55⤵
- Suspicious behavior: EnumeratesProcesses
PID:2044 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"56⤵PID:1100
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock57⤵
- Suspicious behavior: EnumeratesProcesses
PID:2000 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"58⤵PID:2940
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock59⤵
- Suspicious behavior: EnumeratesProcesses
PID:2732 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"60⤵
- System Location Discovery: System Language Discovery
PID:2608 -
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock61⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1712 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"62⤵PID:2044
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock63⤵
- Suspicious behavior: EnumeratesProcesses
PID:1268 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"64⤵PID:2032
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock65⤵
- Suspicious behavior: EnumeratesProcesses
PID:1100 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"66⤵PID:2392
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock67⤵PID:2940
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"68⤵PID:1632
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock69⤵PID:2780
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"70⤵PID:1492
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock71⤵PID:2544
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"72⤵PID:2276
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock73⤵
- System Location Discovery: System Language Discovery
PID:448 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"74⤵
- System Location Discovery: System Language Discovery
PID:2684 -
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock75⤵PID:1664
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"76⤵PID:324
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock77⤵PID:1880
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"78⤵PID:1296
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock79⤵PID:2544
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"80⤵PID:1724
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock81⤵PID:1356
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"82⤵PID:2136
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock83⤵PID:2768
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"84⤵PID:852
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock85⤵PID:2112
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"86⤵PID:2436
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock87⤵PID:1540
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"88⤵PID:2792
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock89⤵PID:2488
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"90⤵PID:2136
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock91⤵PID:468
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"92⤵PID:2812
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock93⤵PID:2068
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"94⤵PID:3036
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock95⤵PID:1276
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"96⤵PID:1596
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock97⤵PID:2620
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"98⤵PID:2144
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock99⤵
- System Location Discovery: System Language Discovery
PID:2192 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"100⤵PID:956
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock101⤵
- System Location Discovery: System Language Discovery
PID:2272 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"102⤵
- System Location Discovery: System Language Discovery
PID:1720 -
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock103⤵PID:2124
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"104⤵PID:3032
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock105⤵PID:2256
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"106⤵PID:852
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock107⤵
- System Location Discovery: System Language Discovery
PID:1524 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"108⤵PID:332
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock109⤵
- System Location Discovery: System Language Discovery
PID:3028 -
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"110⤵PID:2164
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock111⤵PID:1976
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"112⤵PID:2588
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock113⤵PID:2900
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"114⤵PID:1804
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock115⤵PID:2488
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"116⤵PID:2708
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock117⤵PID:2608
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"118⤵PID:2720
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock119⤵PID:1016
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"120⤵PID:1572
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock.exeC:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock121⤵PID:2560
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\2024-10-16_70f0066d643916ed531583f3b3b6382c_virlock"122⤵PID:2908